When I joined Juniper, my interview was very funny because I knew nothing about networking or security. Well okay, I could draw clouds that had arrows pointing to each other and I knew the basics of sockets, but nothing like anyone who actually knows networking…
That’s what has made the job so much fun. Applying 15 years’ worth of experience to learning a new problem domain…
A specific challenge I had was how to think about a firewall, in particular what exactly the functional elements of a firewall are that transcend any specific implementation.
A diagram I came up with that has had surprising predictive power is what I am sharing today.
Basically a firewall has three layers.
Starting from the top, we have a physical layer that has packets come in as rain drops. I’ve already talked about rain drops and streams, and this lowest layer is what handles the packets. This is a physical network layer where cables are plugged into a firewall device. Just above the packet flood is a load-balancer that ensures that packets belonging to the same flow end up on the next layer at the correct processing unit.
Cheap Computational Security
Cheap computational security is what I have been calling security that can be done very efficiently, has to look at a relatively bounded number of packets and can be assisted with hardware. This is typically what we have historically called “L4 Firewall Security”. Things like ALGs (application-layer gateways) are implemented in this layer. This layer is able to take the packet flood and turn it into a stream before the security processing begins.
Because cheap computational security is implemented in terms of flows (a series of packets turns into a flow, and then we start doing security on it), abstractly we can think of thousands of individual threads, each handling a single flow. Obviously this is not how we would implement things, but it is a useful mental model.
This mental model is particularly useful because it explains why the prior layer must load-balance the packets. Essentially, using packet-only information, the physical layer must direct each packet to the thread processing that packet’s flow.
Because the physical layer can make a mistake in load-balancing, this layer is able to detect the mistake and forward the packet to the right cheap security element.
Once the cheap computational security is done, the packet is forwarded to more expensive computational security if that is appropriate. That forwarding goes through yet another load-balancer whose purpose is either to find a lightly loaded computational element or to send further packets of a flow to the element that is already processing it.
Expensive Computational Security
The final layer in firewalls is expensive computational security. This is stuff we have historically called “L4-L7 security services” such as UTM or SSL forward proxy etc.
This layer expects to receive a stream of packets and typically takes a lot of CPU and memory resources to perform the operations that need to be done to detect security breaches.
Again, this layer can conceptually be thought of as a series of distinct computations on independent flows.
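To make the three layers concrete, here is a small simulation I added for this post; it is not Juniper’s code or any product’s implementation. It models the packet-only load balancer (a stand-in for a NIC receive-side hash, which here is assumed to bucket on the source address and port only, so a reply can land on a different unit than the request that opened its flow), the flow units that own flows, make one bounded decision per flow and repair layer-1 mistakes by forwarding packets for flows they do not own (via an assumed shared flow-owner map), and the second load balancer that is sticky for flows already under inspection and picks the least-loaded L7 worker for new ones. The port policy, the trace of eleven packets and all addresses are constructed sample data.

```python
"""Toy model of the three-layer firewall pipeline: packet balancer ->
flow units (cheap security) -> deep-inspection balancer -> L7 workers.
Constructed illustration, not any vendor's implementation."""
from collections import Counter


def canonical_flow_key(pkt):
    """Direction-independent identity used by the flow layer, so a request
    and its reply map to the same flow entry."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


class PacketBalancer:
    """Layer 1: stateless, sees only header fields of the packet in hand.
    Assumed NIC-style hash that buckets on *source* address and port only,
    so the reply direction of a flow may be sent to the wrong unit."""

    def __init__(self, n_units):
        self.n_units = n_units

    def pick(self, pkt):
        last_octet = int(pkt["src"].rsplit(".", 1)[1])
        return (last_octet + pkt["sport"]) % self.n_units


class FlowUnit:
    """Layer 2: cheap computational security. Owns flows, decides a verdict
    once per flow from a bounded amount of information, and forwards packets
    that layer 1 mis-balanced to the owning unit."""

    DEEP_PORTS = {80, 443}  # constructed policy: web flows need L7 inspection

    def __init__(self, uid, directory, allowed_ports):
        self.uid = uid
        self.directory = directory  # assumed shared map: flow key -> owner uid
        self.allowed_ports = allowed_ports
        self.flows = {}  # flow key -> {"verdict", "packets"}

    def handle(self, pkt, units, stats):
        key = canonical_flow_key(pkt)
        owner = self.directory.setdefault(key, self.uid)  # first packet claims
        if owner != self.uid:
            stats["redirected"] += 1  # layer-1 mistake detected and repaired
            return units[owner].handle(pkt, units, stats)
        state = self.flows.get(key)
        if state is None:
            # First packet of a flow is assumed client -> server, so dport is
            # the service port; the cheap verdict is computed only once.
            port = pkt["dport"]
            if port not in self.allowed_ports:
                verdict = "drop"
            elif port in self.DEEP_PORTS:
                verdict = "deep"
            else:
                verdict = "allow"
            state = self.flows[key] = {"verdict": verdict, "packets": 0}
        state["packets"] += 1
        stats[state["verdict"]] += 1
        return key, state["verdict"]


class DeepBalancer:
    """Balancer in front of layer 3: sticky for flows already under
    inspection, least-loaded worker (lowest id on ties) for new flows."""

    def __init__(self, n_workers):
        self.load = {w: 0 for w in range(n_workers)}
        self.assigned = {}

    def pick(self, key):
        if key not in self.assigned:
            worker = min(self.load, key=lambda w: (self.load[w], w))
            self.assigned[key] = worker
            self.load[worker] += 1
        return self.assigned[key]


def run_pipeline(packets, n_units=4, n_workers=2, allowed_ports=(22, 80, 443)):
    """Push packets through all three layers and return what happened."""
    stats, per_worker, directory = Counter(), Counter(), {}
    units = [FlowUnit(u, directory, set(allowed_ports)) for u in range(n_units)]
    l1, l3 = PacketBalancer(n_units), DeepBalancer(n_workers)
    for pkt in packets:
        key, verdict = units[l1.pick(pkt)].handle(pkt, units, stats)
        if verdict == "deep":
            per_worker[l3.pick(key)] += 1  # the expensive layer sees a stream
    return {"counts": dict(stats), "deep_per_worker": dict(per_worker)}


def _pkt(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


SAMPLE_PACKETS = [  # constructed trace; flows A-D
    _pkt("10.0.0.1", 40000, "192.0.2.11", 443),  # A: https, client -> server
    _pkt("10.0.0.2", 40001, "192.0.2.11", 80),   # B: http
    _pkt("10.0.0.1", 40000, "192.0.2.11", 443),
    _pkt("192.0.2.11", 443, "10.0.0.1", 40000),  # A reply: hashes to another unit
    _pkt("10.0.0.3", 40002, "192.0.2.20", 23),   # C: telnet, not in policy
    _pkt("10.0.0.2", 40001, "192.0.2.11", 80),
    _pkt("192.0.2.11", 80, "10.0.0.2", 40001),   # B reply: happens to hash right
    _pkt("10.0.0.4", 40003, "192.0.2.30", 22),   # D: ssh, allowed, no L7
    _pkt("10.0.0.1", 40000, "192.0.2.11", 443),
    _pkt("192.0.2.11", 443, "10.0.0.1", 40000),  # A reply, redirected again
    _pkt("192.0.2.30", 22, "10.0.0.4", 40003),   # D reply: redirected
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_PACKETS))
```

Running it shows three redirected packets (both replies of flow A and the reply of flow D land on a unit that does not own the flow and are forwarded), one dropped packet, two allowed packets that never leave the cheap layer, and eight packets handed to the expensive layer, with flow A pinned to worker 0 and flow B to worker 1 because the second balancer is sticky per flow. The point of the model is the division of labour: layer 1 never keeps state, layer 2 keeps exactly one small record per flow and owns the correctness of the mapping, and layer 3 only ever receives an already-assembled stream.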
What I described isn’t a firewall per se, it’s just a useful mental model for how to think about firewalls, and in particular how to understand the hardware trade-offs in designing them.