What I Do to Pay the Bills
I’ve been working at CloudShield for a few years now. It’s the first time I’ve worked for a company that actually produces something on which you can lay your hands. (At this point Sean would say, “What are you talking about? At GALT we added VALUE!”) The novelty of that has mostly worn off, but it’s still amusing to me at times.
We make very high-speed network hardware. As of this writing, we have a 2.5Gb/s platform (in Cisco marketing-speak that’s 5Gb/s, because it can do a full 2.5Gb/s in both directions at once, but we’re amongst friends here), and have recently released our 10Gb/s platform.
There are three things that make this box unique, at least when talking about doing these things at line rate.
- The box is completely programmable. We’ve developed a language that abstracts away the uninteresting bits of dealing with packets and lets the programmer focus on solving their problem.
- Our box can inspect, match patterns on, log, analyze, and change any portion of the packet. It’s that last one that’ll get you.
- Most network appliances either look at only a portion of the information in a packet (as a router, firewall, or proxy server does), or they can look at the whole packet but do so very slowly. Most of these solutions keep up with faster data rates by statistical sampling. We act upon the entire data stream, at very close to line rate.
The easiest way to think about how it works is that we’ve basically built a generalized computer for network and pattern-matching operations.
This is both interesting and scary. It’s interesting because it allows you to move control decisions into the network itself, which allows for some applications that simply aren’t possible with traditional network hardware. It’s scary because some of those applications have some troubling implications.
When Sean and I first talked about the job, he made it very clear that some of the applications we make possible are a bit troubling, and we need to come to terms with that. I think we both rationalize it with the understanding that anything you really care about either a) shouldn’t be accessible via a network at all, or failing that, b) should be encrypted to a point where brute-force decryption would take more effort than the information could be worth to someone else.
Of course, that rationalization falls down with one simple fact: people are dumb. (Ok, let’s be kind: people don’t understand computers, and tend to be complacent about letting others make sure their information is safe.) I know that we absolutely shouldn’t coddle people, and we certainly can’t protect them from themselves, but in this age where civil liberties are being bulldozed in the name of “national security” (that somehow only leads to a less safe nation) it’s a problem with which I’m still wrestling.
Few of the other places I’ve paid my bills have been as much fun.