The hardware performance of network appliances is a complex topic. Typical questions that I am asked:
- Why are the hardware versions of stateful and next-generation firewalls faster than virtual firewalls?
- Why is VPN performance better on a dedicated firewall?
- Why does a proxy server have a maximum throughput or maximum number of users?
- What determines the performance of a virus-scanning appliance?
There are four broad aspects of dedicated hardware that provide the higher performance.
- The operating system can be optimised for the platform. It's possible to build a customised operating system for the hardware architecture that out-performs a general-purpose operating system like Linux or Windows. General-purpose operating systems carry a lot of software (both code and architecture) that a single-purpose appliance does not need. For an example of an open source, high-performance OS, look at Snabb Switch (https://github.com/SnabbCo/snabbswitch/wiki), which is able to forward in excess of 40Gbps with deep packet inspection, using Lua for the inspection policy.
- Many appliances use intelligent network adapters. These network adapters have advanced silicon with specialist network processors that handle the packet forwarding process in hardware. The software drivers are optimised to offload CPU-intensive functions to these processors. An example is Netronome FlowNICs, which can deliver extraordinary performance gains to many appliances – http://www.netronome.com
- Appliances may use crypto co-processors. Many security appliances include a crypto processor that is designed and optimised for handling asymmetric encryption key exchange, the CPU-heavy part of setting up a VPN or TLS session. These processors are reasonably cheap today, well known across the appliance industry and widely available. Example – Cavium Nitrox – http://www.cavium.com/Adapters_Crypto_Offload.html
- CPU/Memory/Storage Architecture – Most appliances today use an Intel x86 motherboard. These are cheap and well known, and the custom silicon can often be installed on standard PCI boards. There are few, if any, devices using other CPU architectures such as MIPS, ARM, RISC or PowerPC today. It's also possible to improve performance with specialised DRAM such as RL-DRAM, but this is not usually cost effective any more; for appliances, it's cheaper to use bigger CPUs. Finally, appliances may use disk drives for storage of large volumes of data. Flash drives are dramatically changing the performance of appliances that perform web proxy functions, for example, because SSDs have enough IOPS to keep up with the processing and network throughput.
I am repeatedly asked these questions.
Of course, the next question is why vendors like selling appliances.
- Because appliance sizing is hidden licensing – a bigger box with more memory, CPUs and co-processors can be sold to increase throughput or capacity. Many customers don't see the software licensing fee built into the purchase price.
- It creates product lock-in. Once you start using an appliance, you will tend to buy more of them to reduce complexity.
- It creates maintenance revenue – yearly hardware and software maintenance is an excellent method of wealth transfer from your company to the vendor while delivering little value to you.
Hope this helps.