Nodus – modular firewall

Lightspeed reinvents the firewall by replacing the usual monolithic design with a modular design that is faster, safer and mathematically more rigorous than even the so-called NextGen (NG) firewalls that have been popular in the last decade or so. We call this Nodus, and will be replacing all existing customer subscriptions for picoNet for free in the field over the course of 2023 as part of our 25th anniversary.

Theory of Operation

A firewall is a packet filter placed at an entry point of a network in the Internet. Each packet that goes through this entry point is checked by the firewall to determine whether to accept or discard the packet. The firewall makes this determination based on a specified sequence of overlapping rules. The firewall uses the first-match criterion to determine which rule in the sequence should be applied to which packet. Whilst this is easy enough for a small set of rules, it rapidly gets complicated (exponentially so, for those of you mathematically inclined) – conflicting rules end up designing in vulnerabilities that are almost impossible to remove.
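The first-match behaviour described above, as an added example that is not Lightspeed's or Nodus code: a small evaluator plus a check that lists rule pairs whose outcome depends on their order. The two-field rule shape (source CIDR, destination port range), the rule names and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    ports: range    # destination ports
    action: str     # "accept" or "discard"

    def matches(self, src_ip, dport):
        return ip_address(src_ip) in ip_network(self.src) and dport in self.ports

    def overlaps(self, other):
        # Some packet can match both rules.
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and max(self.ports.start, other.ports.start)
                < min(self.ports.stop, other.ports.stop))

    def covers(self, other):
        # Every packet matching `other` also matches this rule.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)

def first_match(rules, src_ip, dport, default="discard"):
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action, rule.name
    return default, "default"

def conflicts(rules):
    """Pairs with opposite actions where order decides the outcome."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and earlier.overlaps(later):
                kind = "shadowed" if earlier.covers(later) else "partial"
                found.append((later.name, earlier.name, kind))
    return found

# Constructed sample policy (names and addresses are illustrative).
RULES = [
    Rule("allow-office-web", "10.0.0.0/8", range(80, 444), "accept"),
    Rule("block-guest-vlan", "10.20.0.0/16", range(0, 65536), "discard"),
    Rule("block-lab-http", "10.30.5.0/24", range(80, 81), "discard"),
    Rule("allow-dns", "10.0.0.0/8", range(53, 54), "accept"),
]
```

In this sample policy `block-lab-http` can never fire, and guest-VLAN traffic to ports 80-443 is accepted because `allow-office-web` is listed first; `conflicts(RULES)` reports both, which is the kind of review a long monolithic rule list needs after every change.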

Nodus upends this by taking a modular approach to firewalls – besides being far simpler to describe (safer), it also has the advantage of allowing for parallel processing. This allows for effective use of multi-core general purpose CPUs instead of slow single threaded CPUs (faster). In addition, the modular firewalls can be shown to be mathematically equivalent to the older monolithic design.

Smarter Protection

There are usually two points at which you can decide whether something coming your way is harmful to your network. One is where the Internet connects to your local network (LAN) – which is your firewall. The other is on your computer, when it receives an entire file (anti-virus). To that, we add a third layer that sits in the cloud – which we call CloudProtect – so that even before a file starts being downloaded and packets containing that file’s data begin to pass through your firewall, we have inspected, classified and hashed the results in the cloud to predetermine if a URL is harmful or safe.

In practice, the Sinkhole Server is just an NGINX container running inside Nodus.



By preventing connections to malicious sites, Nodus CloudProtect eliminates exposure to risks before they are even downloaded to computers or before a victim can see the fraudulent website. The inability to reach a malicious host means that second-layer defenses such as virus protection or user-based detection such as certificate examination are never called into action. The threat data is compiled and cross-referenced across at least twenty (and growing) Threat-Intelligence providers including IBM X-Force, Proofpoint and F-Secure, as well as national resources from various countries like Poland (CERT.PL) and Switzerland (ABUSE.CH). DNS queries are run and cached locally within the firewall and routed via the Quad9 network (163 POPs including 3 in Singapore alone) to be faster than other competing recursive resolvers – so that being secure is at least as fast as having no protection.

Full Speed Hardware for a faster network

Most firewall families start off at 100Mbps – and a tiny no-name CPU slower than a mobile telephone from 1990. Nodus starts with modern Intel processor families – the most popular being the Core i3. All options come with AES-NI support for full speed packet filtering and VPN encryption. We also use Intel i225/226 network chipset for a fast and reliable network. By comparison, nearly all other entry-level firewalls have multi-core scores below 100 which means they struggle to sustain even 100Mbps over a single VPN connection.

Fast CPU for a fast firewall

Smarter and Stronger VPN protocols

Combine that with smarter (and simpler) firewall protocols that leverage Elliptic Curve cryptography (as opposed to your grandfather’s RSA), and it’s no wonder that we outperform all other hardware firewalls on VPN by a large margin. We offer up to a full Gigabit per second (1000 Mbps) using the WireGuard protocol. This outperforms all other corporate VPNs in the market by a significant margin.

Advanced encryption for stronger and faster VPN

Dual ISP done right

Most firewalls claim to support dual WAN interfaces – but if your ISP (as it often is in Singapore) starts off at 1Gbps, two ISPs means 2Gbps of Internet access – however, your firewall only has 1Gbps ports – so effectively, you halve your potential network speed. Nodus network ports start at 2.5Gbps to allow a full dual ISP speed of 2Gbps (with some to spare). Of course, we also optionally have 10Gbps ports for those customers who have 10Gbps backbones, but for now 2.5Gbps is the sweet spot for network routers and firewalls at the edge.

Made for Asia

You design for the environment you live in – being headquartered in Singapore means that for the last 25 years, we’ve designed around the network speed doubling every five years or so.

As such, the designs we’re working on today are geared towards supporting 100Gbps at the edge in the not so distant future.

Nodus in 2023 represents our forecasted top Internet speed of 10Gbps in Singapore (only a very few customers here, but we can support them at full speed), with an “average” speed of 1Gbps.

Since then, other countries have caught up, but Singapore still remains in the top 5 worldwide to date.

Affordable Annual Fees

A firewall is only as safe as its last update. There are new zero-day threats announced almost weekly in 2022/2023, so a regular OS and package update – encompassing both security and feature patches – is the key to keeping your users (and your data) safe from harm. To this end, we have designed Nodus for affordable manageability.

For the annual fee, we feature the following:

  • fully managed firewall (you define the policy, we do the downloads, apply the patches and if anything goes wrong, recover the system)
  • realtime updates for CloudProtect (all systems)
  • weekly security patches (in response to CERT Advisories), monthly package upgrades and semi-annual OS upgrades.
  • daily updates for AntiVirus scanning (if option is purchased).
