Peeking under the hood of SnapGear's uClinux-powered VPN appliances
Jerry Epplin (Jan. 29, 2003)
LinuxDevices.com technical editor Jerry Epplin takes a look at SnapGear's award-winning uClinux-based VPN appliances from the perspective of a developer's ability to customize them -- and in the process, becomes a uClinux convert . . .
With the impressive improvements made in uClinux in the last couple of years, it has become increasingly practical to implement the networking capabilities of Linux in a small-footprint device. Perhaps the most obvious network-oriented devices for which uClinux is appropriate are firewall/routers, which need all the latest protocols and capabilities, but are in a highly competitive environment in which cost is paramount.
SnapGear's line of VPN router products makes extensive use of this growing uClinux phenomenon -- to which SnapGear has been a major contributor.
This review takes a quick look at SnapGear's product and uClinux in general, with an emphasis on the developer perspective. The end user perspective on the SnapGear products has been covered sufficiently elsewhere.
First impressions
I looked at the LITE+ model, a VPN router based on the Motorola MCF5272 Coldfire processor with a four-port switch on its LAN side, and at the SME550, SnapGear's latest model, which has a SuperH processor and a dedicated chip for hardware acceleration of VPN functions.
 The SnapGear LITE+
 SnapGear LITE+ I/O panel
 The SnapGear SME550
 SnapGear SME550 I/O panel
From the end-user perspective, my own experience was similar to that of the earlier reviewers: some aspects of the setup were less than intuitive (such as the unit's insistence on being configured through a DHCP client running on its LAN port), but the SnapGear units have an impressive array of features, and are unencumbered by the obnoxious per-client licensing fees some other VPN routers have. I'd also like to see SnapGear make some improvements in the documentation and web-based setup interface -- this would make it likelier that an average SOHO administrator, who cannot be expected to be a networking expert, would be able to get going quickly.
To an engineer these issues may seem minor; but to an unsophisticated SOHO user they add unnecessary complexity to an already inherently difficult network configuration job.
Getting friendly with uClinux
But enough of that -- of greater interest to many LinuxDevices.com readers is your ability to change any aspect of the unit that you don't like. The router code is based on the uClinux project code, so you can add or subtract features at will.
I found the uClinux project to be well organized and easy to work with. The developers have taken the time to think through the organization of the source code, write usable documentation, and organize the build process in a way that makes the project a pleasure to work with.
The project has ported an impressive array of well-known open source applications to uClinux, with an understandable tilt toward networking apps like FreeS/WAN. Porting typical applications to uClinux is reported to be straightforward in most cases -- as might be expected, given the effort the project has made to integrate uClinux with Linux itself (an effort that has succeeded, as Linus has begun to merge the uClinux patch into the development kernel).
uClinux is probably the most exciting development in embedded Linux today, and perhaps in the larger Linux world as well. If, like me, you were skeptical of uClinux because the idea of redesigning a desktop operating system to work in the most deeply embedded devices just seems wrong, you really need to take a look at the project now.
uClinux is real Linux, with the modifications necessary to run it on processors without memory management units. The project participants have uClinux running productively on a variety of ten-dollar processors like those from the Coldfire and ARM7TDMI families. These chips often come integrated with many of the peripheral capabilities of microcontrollers such as UARTs, SPIs, timers, and digital I/O, as well as with higher level capabilities like SDRAM and Ethernet controllers. So a practical uClinux-based system today consists of little more than a processor and one or two megabytes of flash and DRAM. This puts Linux within sight of all but the most extreme cost-sensitive designs requiring highly integrated eight and sixteen bit microcontrollers. Frankly, I did not believe it would happen -- I thought specialized open source embedded operating systems such as eCos would fill the need for mid-level embedded systems. But the uClinux project has done it, and in an impressively short period of time.
The contributions of SnapGear engineers to the success of the uClinux project have been pivotal, and not only with code contributions, but with invariably friendly and patient help to others and with general advocacy. The uClinux participants, including those from SnapGear, have been consistently patient with -- and helpful to -- the stream of newcomers to the very active uClinux mailing list.
And uClinux is surprisingly well-documented, with well-written documents and background papers at . . . Although it is fair to say that uClinux is still not a short-learning-curve technology, the community is remarkably welcoming and helpful to those wishing to learn.
In short, uClinux has acquired the flexibility that mid-level embedded operating systems must have. It runs on many architectures, boots from and operates from a variety of root filesystem media, and now has the ability to execute in place (XIP) from ROM or Flash. So depending on your system's needs, you might choose to compress your kernel or root filesystem and uncompress them into RAM on bootup, or simply hold either or both of them in flash and use XIP for the kernel and applications.
Configuration and build process
The uClinux configuration and build process is a straightforward extension of the standard Linux "make xconfig" process. You first select one of the supported platforms, configure the kernel in the usual way, then select those applications you wish to include on the target. The process is nearly seamless, and experienced Linux users should have no trouble with it. So a sophisticated user wishing to customize his or her VPN router box can do so, all with tools easily available for free. Try that with your SonicWall unit.
There are, however, some limitations on an independent user's ability to hack the SnapGear routers. The firmware build shipped with the unit contains some differences from the software available from the uClinux project, as follows:
- The web-based configuration software is not found in uClinux.
- The IPSec startup program contains some differences from the one provided by FreeS/WAN.
- The SnapGear firmware has the ability, not present in uClinux, to fail over from the WAN Ethernet interface to the serial port.
- The SnapGear firewall setup program is not present in uClinux.
- The driver for the SME550's cryptographic accelerator chip is proprietary.
So an independent developer attempting to hack a SnapGear router would have to obtain these components as binaries from SnapGear, replace them with open source substitutes, or rewrite them. But keep in mind that SnapGear is targeting two distinct markets for their routers: SOHO end users, who are simply looking for routing and VPN capabilities (they won't be hacking their network appliances); and OEMs, who will develop customized applications with the active cooperation of SnapGear, and can therefore obtain the missing components in source or binary form as needed.
General observations and comments
What strikes one most immediately when working simultaneously with the low-end LITE+ and the higher-end SME550 is the consistency of the experience, on both the user and the developer level. Both units are configured and operated in the same way -- they come with the same manual. The only discernible user-level difference is in the throughput. For the developer, both are built from the same source code base, with only device drivers and cross-development toolchains distinguishing them. Porting old code and developing new code for one unit essentially gets you code that works on the other as well, unless you're working with some very specific resource such as the SME550's encryption acceleration chip.
SnapGear has an opportunity to do well with their line of VPN routers. They have the hardware in place to provide VPN service to a wide range of organizations; the LITE+ should handle the needs of home and the smallest offices (claiming 0.5 Mbps throughput when using Triple-DES based IPSec), and other models ranging up to the SME550 have sufficient power (the SME550 claims 10 Mbps VPN throughput) for medium-sized networks.
The LITE+ has a 66 MHz MCF5272 Coldfire processor with 2 MB of flash and 4 MB of RAM. It retails for $299.
 The LITE+'s embedded computer
The SME550, at $499, is powered by an SH-4 processor with 8 MB of flash and 16 MB of RAM, and has a SafeNet SafeXcel 1141 encryption accelerator chip. The 1141 accelerates an impressive variety of cryptographic algorithms and protocols, including: DES, Triple-DES, and AES encryption; MD5 and SHA-1 one-way hashes; Diffie-Hellman, RSA, and DSA public-key operations; and hardware random number generation. With the 1141 and the SH-4 processor, the SME550 should meet the firewall and VPN requirements of the majority of midsize organizations.
 The SME550's embedded computer
Besides the LITE+ and SME550, SnapGear has other models based on Coldfire and SuperH processors, as well as some based on AMD's x86-compatible SC520.
That SnapGear succeeded in providing consistent user- and developer-level experiences for such a disparate range of hardware is a testament not only to their hard work but to the flexibility of the operating system they used. Moreover, through careful hardware and software design, and thanks to uClinux, SnapGear has managed to embed the power of Linux in a small, flexible, low-cost intelligent appliance -- resulting in a great example of where Embedded Linux is increasingly being used.
About the author: Jerry Epplin is Technical Editor of LinuxDevices.com and an independent developer of embedded systems, with an emphasis on medical device software. He's been playing with and working with Linux since . . . uh, well, . . . he's not sure when, but they didn't have loadable modules back then.