jen wrote:
>
> Now that routing is moving to the switch level (layer 3 switching),
I think you may be a bit confused on the technology. Switch routers are
not quite as revolutionary as you might think. In fact, these devices
are more of an evolution of existing router technology. The association
with the word "switch" is more marketing spin to emphasize the increase
in raw throughput these devices can provide. If they called it "a fast
router", people may not be willing to shell out the $$$ to buy them. ;)
Switch routers typically (but not always) perform all the same functions
as a standard router. When a frame of data is received, it is buffered
into memory and a CRC check is performed. Then, the topology frame is
stripped off of the data packet. Just like a regular router, a switch
router will reference its routing table to determine the best route of
delivery, repackage the data packet into a frame, and send it on its
merry way.
So how is a switch router different from a standard router? The answer
lies under the hood of the device. Processing is provided by Application
Specific Integrated Circuit (ASIC) hardware. With a standard router, all
processing was typically performed by a single RISC (Reduced Instruction
Set Computer) processor. In a switch router, hardware is dedicated to
performing specific tasks within the routing process. The result is a
dramatic increase in throughput.
A good analogy is the modern day video card. "In the old days", the
computer's CPU provided all of the video processing power. This limited
the speed at which images could be rendered on the screen because CPU
cycles were shared with other computer functions. One of the reasons
that modern video cards are so much faster is that screen draws are
offloaded to a processor located on the video card which is dedicated to
imaging.
Keep in mind that the real goal of a switch router is to pass
information along faster than a standard router. In order to accomplish
this end, a vendor may choose to do things slightly differently than the
average router implementation in order to increase throughput (after
all, raw throughput is everything, right? ;). For example, a specific
vendor implementation may choose not to perform a CRC check on the
frame. This speeds up the process of pushing out the frame of data but
at the cost of potentially passing bad frames.
From a security perspective, focusing so much on throughput may not
always be a good thing. Certainly performance is a concern, but not at
the cost of accidentally passing traffic that should have been blocked.
Since the real goal of a switch router is performance, it may not be as
nit-picky about what it passes along as the typical router or firewall
may be.
> are
> there also attempts at putting firewall features into switches?
To the best of my knowledge, what has been implemented is little more
than static or dynamic packet filtering (check out offerings from 3COM,
Xylan and Fore). You do not get all the features you would normally
associate with a firewall such as VPN ability. These devices make a
great replacement when you need to increase security over what can be
provided in a typical switched environment, but they have a long way to
go before they can match the feature set of a typical firewall. Remember
the focus is on throughput, not necessarily security. This is why you
get static or dynamic packet filtering on these devices. To the best of
my knowledge (I'm sure someone will correct me if I'm wrong ;), none
have implemented application specific proxies. Without wanting to bait a
flame war, application proxies are still considered by many to be the
most secure method of regulating traffic flow.
> I'm
> thinking of firewalls to separate internal networks from each other, in
> addition to protecting from outside intruders. Sometimes it's not even
> a security issue in research labs ... we often just want to try weird
> things.
This type of decision needs to be driven by your security policy. For
example if basic packet filtering would be deemed acceptable, you could
go with a 3COM Corebuilder. If dynamic packet filtering is acceptable,
the Fore switch may be a good choice. For strict security applications
(let's say between departments in a trading company, casino, etc.), I
would stick with a full featured firewall.
Hope this helps,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
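The forwarding pipeline Chris describes (buffer the frame, check the CRC, strip the Ethernet framing, look up the route, re-frame and send), with the CRC check made optional so the throughput trade-off becomes visible, as an added example that is not part of the original mailing-list post and is not any vendor's implementation. The routing table, MAC addresses, the one-bit corruption and the lab ACL are all constructed for the demonstration; real devices also resolve the next-hop MAC via ARP and do far more validation than this toy. The point it makes is the one in the post: with the CRC check disabled, a corrupted frame is not only passed along, it can be routed to a different next hop than the sender intended.

```python
"""Toy layer-3 forwarding pipeline (constructed example, not production code).

Shows why skipping the frame CRC check for throughput matters: a single flipped
bit in a frame is dropped by the strict path but routed to the wrong next hop by
the fast path. Static packet filtering is modelled as a simple ACL callable.
"""
import ipaddress
import struct
import zlib

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800

# Constructed routing table: (prefix, next hop name). Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "core"),
    (ipaddress.ip_network("10.1.2.0/24"), "lab"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def ip_checksum(header):
    """One's-complement sum over the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl=64, data=b""):
    """Minimal IPv4 packet (protocol 17 = UDP, no options)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fields = [0x45, 0, IP_HDR.size + len(data), 0, 0, ttl, 17, 0, src.packed, dst.packed]
    fields[7] = ip_checksum(IP_HDR.pack(*fields))
    return IP_HDR.pack(*fields) + data


def build_frame(dst_mac, src_mac, packet):
    """Ethernet II frame with trailing CRC-32 FCS (transmitted LSB first)."""
    body = ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def lookup(dst_ip):
    """Longest-prefix match against ROUTES; None if nothing matches."""
    best = None
    for net, hop in ROUTES:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def forward(frame, own_mac, check_crc=True, acl=None):
    """Process one buffered frame; returns (action, detail, outgoing frame or None)."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if check_crc and (zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return ("drop", "bad-fcs", None)          # strict path: corrupted frame rejected
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(body)
    if ethertype != ETHERTYPE_IPV4:
        return ("drop", "unsupported-ethertype", None)
    packet = body[ETH_HDR.size:]                   # topology framing stripped off
    fields = list(IP_HDR.unpack_from(packet))
    src_ip, dst_ip = ipaddress.ip_address(fields[8]), ipaddress.ip_address(fields[9])
    if fields[5] <= 1:
        return ("drop", "ttl-expired", None)
    if acl is not None and not acl(src_ip, dst_ip):
        return ("drop", "acl-denied", None)        # static packet filter in the pipeline
    hop = lookup(dst_ip)
    if hop is None:
        return ("drop", "no-route", None)
    fields[5] -= 1                                 # decrement TTL, recompute header checksum
    fields[7] = 0
    fields[7] = ip_checksum(IP_HDR.pack(*fields))
    new_packet = IP_HDR.pack(*fields) + packet[IP_HDR.size:]
    # Next-hop MAC resolution (ARP) omitted: zero MAC stands in for it here.
    return ("forward", hop, build_frame(b"\x00" * 6, own_mac, new_packet))


def demo():
    """Run the same corrupted frame through the strict and the fast path."""
    own_mac = b"\x02\x00\x00\x00\x00\x01"
    good = build_frame(own_mac, b"\x02\x00\x00\x00\x00\x02",
                       build_ipv4("10.5.0.9", "10.1.2.5"))
    # Flip one bit in the first byte of the destination IP (offset 14 + 16):
    # 10.1.2.5 becomes 11.1.2.5, which no longer matches the 10/8 or lab prefix.
    bad = bytearray(good)
    bad[30] ^= 0x01
    bad = bytes(bad)
    # Constructed lab policy: the lab subnet may not reach 10.3.0.0/16.
    lab, blocked = ipaddress.ip_network("10.1.2.0/24"), ipaddress.ip_network("10.3.0.0/16")
    acl = lambda s, d: not (s in lab and d in blocked)
    filtered = build_frame(own_mac, own_mac, build_ipv4("10.1.2.7", "10.3.4.4"))
    return {
        "good": forward(good, own_mac)[:2],                        # ('forward', 'lab')
        "strict_on_corrupt": forward(bad, own_mac)[:2],            # ('drop', 'bad-fcs')
        "fast_on_corrupt": forward(bad, own_mac, check_crc=False)[:2],  # ('forward', 'upstream')
        "acl": forward(filtered, own_mac, acl=acl)[:2],            # ('drop', 'acl-denied')
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

Running `demo()` shows the asymmetry the post warns about: the strict path drops the corrupted frame with `bad-fcs`, while the fast path forwards the very same bytes toward `upstream` instead of `lab`, because the flipped bit moved the destination out of every internal prefix. The corrupted packet also carries a stale IP header checksum, which this toy does not verify, so nothing further downstream in the model would catch it either. The ACL case shows the static packet filtering the post says these devices do offer: a policy decision made on addresses alone, with no application-level inspection.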