It was about this time of the year, back in the last century, that I was hard at work inventing what would be known as the PIX firewall. The problem I was working on was how to make firewalls simpler and faster. In 1994, Internet usage was about to explode. It was clear to me that it was about to be used everywhere. TCP/IP had escaped from my domain of the geeks. Even my father was using it.
For most companies, connecting to the Internet created lots of problems. First, most companies and their computer people could barely spell TCP, much less understand how to protect themselves. Without protection they were sitting ducks, even then. There was an ever-growing number of hackers breaking into the ever-growing number of defenseless machines being put on the Internet.
Second, most companies used the IP addresses that were configured in their machines when they were delivered. I don't remember the actual IP address shipped on Sun machines, but I know they didn't even belong to Sun. Businesses had a very cavalier attitude about those addresses. We even saw companies who had compiled department numbers as subnets into their applications.
Also, I saw that the then-current firewall technologies were not sufficient for future business Internet use. There were only two technologies in those days: packet filtering and proxies. Packet filters were implemented in routers and had to make a filtering choice based solely on a single packet. That is not enough information to make a good choice, and these filters were tricky to set up. The second type of protection was connection proxies. In this technique a proxy machine acted as a gatekeeper between the internal network and the Internet. Users connected to the proxy machine and then connected to the Internet. This didn't scale well: the performance degraded rapidly as the number of connections grew. Most people called these systems 'gate sleepers' instead of gatekeepers.
The solution was stateful packet inspection. The PIX ran a very simple OS I designed and kept state on all TCP connections flowing through the unit. If a packet arrived from the inside wanting to connect to something on the outside network, a new connection descriptor was created and the packet was allowed to continue on its way. If a packet arrived from the outside trying to connect to a system on the inside network, and there was no connection descriptor already, the packet was dropped. It was a fast, simple connection diode. The PIX was cheaper, faster, simpler.
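The connection-diode rule above, written out as a small C model so the two cases (inside-originated traffic creating state, outside-originated traffic needing existing state) can be exercised on sample packets. This is an added example, not code from the PIX or from the author; the packet struct, the fixed-size descriptor table, the absence of timeouts and teardown, and the sample addresses are all assumptions made for the demo. One edge case the model does handle: when the table is full, a new inside connection is dropped rather than passed without state, so the unit fails closed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Direction a packet arrived from, relative to the firewall. */
enum dir { INSIDE, OUTSIDE };
enum verdict { DROP = 0, PASS = 1 };

/* Assumed packet shape: only the fields the diode needs. */
struct pkt {
    enum dir from;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* One connection descriptor. The 4-tuple is always stored with the
 * inside endpoint first so both directions of a flow hit one entry. */
struct conn {
    bool used;
    uint32_t in_ip, out_ip;
    uint16_t in_port, out_port;
};

#define MAX_CONNS 4   /* deliberately tiny so the full-table case is easy to reach */
static struct conn table[MAX_CONNS];

void reset_table(void) { memset(table, 0, sizeof table); }

int conn_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++) n += table[i].used;
    return n;
}

static struct conn *lookup(uint32_t in_ip, uint16_t in_port,
                           uint32_t out_ip, uint16_t out_port) {
    for (int i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &table[i];
        if (c->used && c->in_ip == in_ip && c->in_port == in_port &&
            c->out_ip == out_ip && c->out_port == out_port)
            return c;
    }
    return NULL;
}

static struct conn *create(uint32_t in_ip, uint16_t in_port,
                           uint32_t out_ip, uint16_t out_port) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].used) {
            table[i] = (struct conn){ true, in_ip, out_ip, in_port, out_port };
            return &table[i];
        }
    }
    return NULL;   /* descriptor table full */
}

/* The diode: inside-originated traffic creates state and passes;
 * outside-originated traffic passes only if matching state exists. */
enum verdict inspect(const struct pkt *p) {
    if (p->from == INSIDE) {
        if (lookup(p->src_ip, p->src_port, p->dst_ip, p->dst_port))
            return PASS;                     /* packet on a known connection */
        return create(p->src_ip, p->src_port, p->dst_ip, p->dst_port)
               ? PASS : DROP;               /* no room for new state: fail closed */
    }
    /* From OUTSIDE the inside host is the destination, so swap the tuple. */
    return lookup(p->dst_ip, p->dst_port, p->src_ip, p->src_port) ? PASS : DROP;
}

/* Build a dotted-quad address as a host-order integer. */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void) {
    reset_table();
    /* Constructed sample traffic (documentation-range addresses). */
    struct pkt out_req = { INSIDE,  ip4(10,0,0,5),      ip4(198,51,100,7), 40000, 80 };
    struct pkt reply   = { OUTSIDE, ip4(198,51,100,7),  ip4(10,0,0,5),     80, 40000 };
    struct pkt probe   = { OUTSIDE, ip4(203,0,113,9),   ip4(10,0,0,5),     4444, 23 };
    printf("outbound request:  %s\n", inspect(&out_req) == PASS ? "pass" : "drop");
    printf("matching reply:    %s\n", inspect(&reply)   == PASS ? "pass" : "drop");
    printf("unsolicited probe: %s\n", inspect(&probe)   == PASS ? "pass" : "drop");
    printf("descriptors held:  %d\n", conn_count());
    return 0;
}
```

The lookup is a linear scan, which is fine for four entries and wrong for the tens of thousands a real unit holds; the point is that the only information needed to pass the reply is the descriptor the outbound request left behind, which is exactly what a single-packet filter never has.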
Today I'm doing something like that all over again. I'm building storage area networking appliances. There was really only one SAN technology, Fibre Channel (FC). You could get FC on glass or you could get FC on TCP in the form of the iSCSI protocol. Both are part of the Fibre Channel culture that grew out of the mainframe world in the mid 1980s. That's quite okay for data centers that are the descendants of the old IBM shops. Fibre Channel works quite well with FC experts around who can focus on the storage configuration and operation. But it seemed to me that we needed a new kind of SAN technology like we needed a new kind of SAN: one that is easier to deploy, more affordable than iSCSI and faster than Fibre Channel, one that people who don't have dedicated storage people can use. That's when we invented ATA-over-Ethernet, or AoE.