Clavister SSP Security Service Platform firewall VPN termination intrusion prevention anti-virus content filtering traffic shaping authentication

Transcription

1 Feature Brief Quality of Service April 2007 Clavister SSP Security Service Platform firewall VPN termination intrusion prevention anti-virus content filtering traffic shaping authentication Protecting Values

2 Introduction Clavister Security Service Platform (SSP ) is our proven, feature-rich and service-oriented framework for providing best-inclass security solutions. Clavister SSP comprises of Clavister Network Security Elements, Clavister Lifecycle Systems, and Clavister Lifecycle Services. Its combination of precise control, fine-granular administration, and seamless scalability makes it easy to provision the perfect solution for any customer; be it a small organization, a large Internet Service Provider, a Managed Security Service Provider, or a multimedia-ready telecom operator. Clavister Network Security Elements The physical building blocks installed in the network. The major network security element products are the Clavister Security Gateway; pre-packaged solutions in either turn-key appliance format for easy deployment or software-only format for your preferred hardware platform. Clavister Lifecycle Systems A set of software components enabling true network security management throughout the entire lifecycle, including deployment, configuration, integration, monitoring, reporting, and analysis/optimization/troubleshooting. Clavister Lifecycle Services Empowers you and your products with tools, services, and resources that help maximize benefits and eliminate problems, including planning, deployment, optimization, operations and maintenance. Clavister SSP provides a secure environment for your business; as a service provided to you by a Managed Security Service Provider (MSSP) or as systems and services integrated in your own network. For more information about Clavister products and services, please visit us at:. Quality of Service Overview To supplement the perimeter security modern organizations also need a platform that provide them with value adding functionality such as secure Virtual Private Network (VPN), Quality Of Service (QoS), Voice over IP (VoIP) capabilities, User Authentication, Content Filtering, and Centralized Management. One of the major drawbacks of TCP/IP, the protocols used for communication over networks like Internet, Local Area Networks (LAN) and Wide Area Networks (WAN), is the lack of true QoS functionality. QoS in networks is the ability to guarantee and limit bandwidth for certain services and users. Although Clavister support the Differentiated Services (DiffServ) protocol, the protocol is not an optimal solution to offer QoS in large networks. Several other solutions have be proposed but none have reached a high enough standard for large-scale usage. Another fact is that most of the current QoS solutions are application-based, that is, they work by having applications supplying the network with QoS information. From a security standpoint, it is of course unacceptable that the applications, i.e. the users, decide the priority of their own traffic within a network. In security-sensitive scenarios, where the users cannot be trusted, the network equipment such as the Clavister Security Gateway should be the sole arbiter of priorities and bandwidth allocations. Clavister provides QoS functionality by applying limits and guarantees to the network traffic itself, rather than trusting applications and users to make these choices for themselves. It is hence well suited to managing bandwidth for a LAN as well as in one or more chokepoints in large Metropolitan Area Networks (MAN) or WANs.

3 Protecting Values Traffic Shaping Basics The simplest way to obtain QoS in a network, from a security perspective as well as a functionality perspective, is to have the components in the network, not the applications, be responsible for network traffic control in well-defined chokepoints such as the point between the Internet and the internal network. Traffic shaping in Clavister Security Gateway works by measuring and queuing IP packets, in transit, with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created; much the same way gateway policies are implemented. Traffic shaping works by: Applying bandwidth limits by queuing packets that would exceed configured limits, and sending them later when the momentary demand for bandwidth is lower. Dropping packets if the packet buffers are full. The packet to be dropped should be chosen from those that are responsible for the congestion. Prioritizing traffic according to the administrator s choice; if the traffic in a higher priority increases while a communications line is full, traffic in lower priorities should be temporarily limited to make room for the high-priority traffic. Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as a higher priority, and traffic exceeding the guarantee as the same priority as any other traffic, which then gets to compete with the rest of the non-prioritized traffic. Well-built traffic shapers do not normally work by queuing up immense amounts of data and then sorting out prioritized traffic to send before sending non-prioritized traffic. Rather, they attempt to measure the amount of prioritized traffic and then limit the non-prioritized traffic dynamically so that it will not interfere with the throughput of prioritized traffic. Clavister Security Gateway has an extensible traffic shaper integrated in its core, which supports the following key features: Pipe-Based Traffic Shaping Close Integration with the Clavister Security Gateway Rule Set Traffic Prioritizing and Bandwidth Limiting Grouping Dynamic Bandwidth Balancing Pipe Chaining Traffic Guarantees IPsec Integration The following sections will explain the details of these key features and give examples on how to best use these features to achieve an optimal QoS configuration. Pipe-Based Traffic Shaping Traffic shaping in Clavister Security Gateway is handled by a concept based on pipes, where each pipe has several prioritizing, limiting and grouping possibilities. Individual pipes may be chained in different ways to construct bandwidth management units that far exceed the capabilities of one single pipe. Pipes are fairly simplistic, in that they do not know much about the types of traffic that pass through them, and they know nothing about direction. A pipe simply measures the traffic that passes through it and applies the configured limits in each precedence and/or user group. Figure 1 below shows the concept of pipes.

4 Incoming Packets Pipe Pipe Pipe Rule Set Figure 1: Pipes Inbound network traffic is first filtered within the rule set, and is then passed to the pipe or pipes specified in the matching rule. In the pipe, traffic is limited with respect to the configuration of the pipe and is then forwarded to its destination, or to the next pipe in a chain. As usual, the traffic is recognized by source interface, source address, destination interface, destination address and service. These parameters are used in the pipe rules section for mapping traffic into a certain pipe, or chain of pipes, on a certain precedence level. Close Integration with the Clavister Security Gateway Rule Set Each rule set may be assigned to one or more pipes, on an individual basis. Traffic Prioritizing and Bandwidth Limiting Each pipe contains a number of priority levels, each with its own bandwidth limit, specified in kilobits per second (kbps) and/or packets per second. Limits may also be specified for the total of the pipe. Grouping Traffic through a pipe can be automatically grouped into pipe users, where each pipe user can be configured to the same extent as the main pipe. Traffic may also be grouped with respect to a number of parameters, such as source IP network or destination IP network, IP address, or port number. The benefit of using grouping is that additional bandwidth controls may be applied to each group. This means that if grouping is performed on, for example, on IP address, the Clavister Security Gateway can limit and guarantee bandwidth per IP address communicating through the pipe. There are also precedences in user groups. Bandwidth may be limited per precedence, as well as for each group as a whole.

5 Protecting Values Pipe Total Figure 2: Grouped Pipes Grouping is used for fairness between the different users/applications that use the pipes at any given moment. It avoids the problem of one user taking all traffic in a precedence level, leaving nothing guaranteed for the other users, with the result that their traffic will be forced down to P0 even though they should be qualified for a higher precedence level. You configure the Clavister Security Gateway to perform this fairness calculation by using the Grouping drop down box. It supports values such as Per DestNet, Per DestIP, Per DestPort, and so on. Normally the in-pipe is grouped Per DestNet and the out-pipe is grouped Per SrcNet. Bandwidth control first occurs per user and then continues with the pipe as a whole. Dynamic Bandwidth Balancing The traffic shaper in the Clavister Security Gateway can be used to dynamically balance the bandwidth allocation of different pipe users if the pipe as a whole has exceeded its limits. This means that available bandwidth is evenly balanced with respect to the chosen grouping for the pipe. This allows you to get the maximum performance out of your network without sacrificing the benefits from guaranteed bandwidth to critical resources. Pipe Chaining When pipes are assigned to rules, up to eight pipes may be connected to form a chain. This permits filtering and limiting to be handled in a very sophisticated manner. Pipe chaining means that two pipes are connected together at one end, so traffic first flows through one pipe, and then it flows through to the next pipe. This can be used to shape the traffic in many ways, for example to move traffic to another precedence level, or to limit the total amount of a certain traffic type. Traffic Guarantees With the proper pipe configuration, the traffic shaping in Clavister Security Gateway may be used to guarantee bandwidth and thereby quality, for traffic through the Clavister Security Gateway. IPsec Integration If the optional IPsec VPN support is used in the Clavister Security Gateway, bandwidth and priorities may be configured for VPN tunnels as well as for ordinary rules.

6 Applied Quality of Services in a Corporate Network Figure 3 illustrates an implementation of QoS with guaranteed bandwidth in a hypothetical corporate network with three different departments and a DMZ with business critical servers. Internet Min 100% SG4200 Min 20% Min 35% Research & Development Min 25% Min 20% Administration Sales & Marketing Application Servers and Databases Figure 3: Example Corporate Network with QoS Each segment of the network has a guaranteed minimum level and is also able to utilize up to 100% of the available network capacity. By enabling a dynamic bandwidth allocation up to 100% it is possible to get the maximum value out of the network connection whilst having a guaranteed minimum capacity level. Conclusion The Feature Brief describes Quality of Services and how to use it with your Clavister SSP installation. Below are some key customer benefits: Clavister SSP Key Benefits Robust Security The purpose-built security offering from Clavister provides a complete set of security features, including SPI Firewalling with DoS and DDoS protection, VPN with strong encryption, and User Authentication. Rapid Deployment The Clavister Security Gateway provides effortless and rapid deployment. A trained technician can easily deploy and configure new network security elements within minutes, even across continents. Flexible Traffic Control

7 The highly sophisticated bandwidth management capabilities in the Clavister Security Gateway makes it possible to not only guarantee bandwidth for business critical applications or server, but also to optimize the entire traffic flow in your network and avoid inefficient bandwidth usage. Lowered Costs for Administration The powerful administration system that comes with Clavister Security Gateway enables organizations to lower the costs for administration through centralized management. The administration system makes it possible to deploy and configure all devices across the network, no matter if they are located next door or across the globe. High Performance Scalable performance with unsurpassed maximum bandwidth, concurrent connections and simultaneous VPN tunnels makes the Clavister Security Gateway the ideal choice even in the most demanding environments like Internet Service Provider Networks, Data Centers, and telecom operators. Low Total Cost of Ownership (TCO) Clavister s goal is to provide complete security solutions more cost efficiently than any competitor. Clavister SSP with its unique combination of integrated features, world-class service and support, and powerful administration system provide the lowest TCO and the best price/performance ratio possible. Quality of Service Unique Features Pipe-Based Traffic Shaping Close Integration with the Clavister Security Gateway Rule Set Traffic Prioritizing and Bandwidth Limiting Grouping Dynamic Bandwidth Balancing Pipe Chaining Traffic Guarantees IPsec Integration Feedback Clavister Product Marketing is always interested in feedback from our readers. Please direct suggestions, comments or questions regarding this document to product-marketing@clavister.com. Please include the title of the document in your . About Clavister Clavister - a Swedish privately owned company developing IT security products, including its award-winning Clavister Security Service Platform (SSP ). This serviceoriented framework enables organizations to monitor network traffic, protecting critical business assets and blocking undesirable surfing. It will also protect you against intrusion, viruses, worms, Trojans, and overload attacks. It requires minimal servicing, with central administration, and has exceptionally flexible configuration possibilities. Its seamless scalability makes it easy to provision the perfect solution for any customer; be it small organizations, large Internet Service Providers, Managed Security Service Providers, or multimedia-ready telecom operators. Clavister was founded 1997 in Sweden, with R&D and headquarters based in Örnsköldsvik and Sales and Marketing based in Stockholm. Its solutions are marketed and sold through International sales offices, distributors, and resellers throughout EMEA and Asia. Clavister also offers its technology to OEM manufacturers. For more information, please visit us at. Limitation of Responsibilities The information in this document represents the current view of Clavister AB on the issues discussed as of the date of publication. Because Clavister must respond to changing conditions, it should not be considered to be a commitment for Clavister, and Clavister cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. CLAVISTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the written permission of Clavister. Clavister may have trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Clavister, the furnishing of this document does not give you any license to these trademarks, copyrights, or other intellectual property.