Those two terms refer specifically to two mechanisms for performing the encryption function in a network device. Essentially, the lookaside architecture has the primary processor performing all functions, including IPsec, with certain compute-intensive tasks (such as the actual encryption) offloaded to security co-processors. In the flow-through model, all aspects of the IPsec VPN are handled in a pre-processor so that the primary processor does not have to concern itself with whether the packets were native or encrypted from a VPN. The flow-through architecture can allow higher performance, since the network processor performing the firewall, IDS, virus scanning, and other functions is now insulated from the IPsec processing.
An alternative approach, if high performance is not required, or if the general processor is fast enough, is to simply perform all functions in software. Your PC uses this model when you use a VPN client -- the primary processor is running your software firewall, quality of service, anti-virus, and IPsec functions without a separate security processor.