Distributed architecture of distributed firewall

With the upgrading and expansion of the network, the traditional box firewall has been difficult to meet the needs and challenges of large capacity, high performance and scalability. This paper introduces the design and development of rack firewall products. The distributed crossbar architecture can meet the challenges of high performance and flexible scalability. The distributed Crossbar architecture adopts Crossbar architecture in addition to the switching network board, and the business boards also adopt Crossbar+ switching chip architecture. Adding a switch chip to the service board can solve the problem of local switching, while the Crossbar chip between the switch chip and the switching network board solves the problem of making the service data of the service board into cells, which improves the switching efficiency. The data types of the cells of the service board and the switching network board are made into two planes, that is to say, there can be very rich service boards, such as integrating services such as firewall, IPS system, router, content exchange and IPv6 into the core switching platform. At the same time, this kind of crossbar switch has corresponding high-speed interfaces connected to two main control boards or switching network boards respectively, thus greatly improving the switching speed of dual main control and main standby.

In the design of distributed crossbar, CPU also adopts distributed design. The main CPU on the equipment main control board is responsible for the whole machine control scheduling, routing table learning and distribution; The service board is mainly responsible for local table lookup, service board status maintenance and security service function processing from CPU. This realizes distributed routing calculation and distributed routing table query, greatly relieves the pressure of the main control board and improves the overall performance of the equipment, which is also an important reason why the local forwarding of the service board can improve the efficiency. This design concept of distributed crossbar and distributed business processing is the development direction of core network equipment design, which ensures that security equipment such as firewall can be deployed to the core position of the network and will not become the bottleneck of the network.

The distributed Crossbar technology above solves the requirements of high performance and scalability, and the backup redundancy design of the main components below solves the requirements of high reliability. As shown in figure 1, not only the switching network board and control module are designed with double redundancy, but also the firewall board, power supply and interface board are designed with double redundancy.

In order to cooperate with the distributed hardware architecture, the software also adopts distributed design. The main operating system runs on the main control board and is responsible for the management configuration, routing learning and configuration distribution of the whole equipment. Business board operating system is responsible for receiving and distributing configuration, business processing and other functions. Due to the distributed architecture design, the firewall system not only realizes the separation of control plane and forwarding plane in hardware, but also realizes the separation of control plane and forwarding plane in software. This can effectively improve the high performance and reliability of the system.

In order to improve the performance of network security products by using distributed processing technology, we must first solve the problem of data flow forwarding between internal networks. In the rack architecture, the main control board is generally used to operate the whole equipment, manage and configure the equipment, and then distribute the configuration to each subsystem to make them work together. The interface board is used to provide users with an interface for equipment to access the network and submit the data stream to the security service board. The security service board completes the functions of access policy control, NAT address translation, IPS defense, antivirus, IPSEC VPN and so on.