High Performance Network Security

Transcription

1 White PAPER High Performance Network Security Following the inexorable rise in the demand for bandwidth, the adoption of 10 Gigabit Ethernet is accelerating. An estimated 60,000 Ten GbE ports were sold in 2005 and 3 million ports are expected to be sold annually by GbE builds on the success of previous generations of Ethernet extending Ethernet simplicity and scalability across the LAN, MAN, and WAN. Whether in a massive data center, in the core of a large campus, or as a transport technology in a service provider or high speed research network, 10 Gigabit Ethernet represents a breakthrough technology that will give users a high performance, low-cost alternative to today s backbone technologies and a considerable competitive advantage. The speed and growth of high performance networks has always presented a challenge to the security IT staff. Today, that challenge is compounded by the very fluid, dynamic nature of security requirements. Network attacks are sophisticated; they are deployed against millions of machines in seconds; they avoid defenses by mutating, and like medical viruses infect the population at exponential rates (true viral contagion). Worse, the attackers themselves are increasingly driven by criminal intent whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit and targeting key assets. The network itself is also becoming a prime target. By moving traffic faster, in larger pipes and in more scalable platforms, the network is an important asset that can be a target for attack. This rise in attacks at the network layer is reflected in the security statistics. According to the 2006 Internet Threat Index published by Symantec: "Over the last six months of 2005, Symantec detected an average of 1,402 Denial of Service (DoS) attacks per day. This is an increase of 51 percent from the first half of 2005, when Symantec detected an average of 927 DoS attacks per day." 2 Figure 1. Symantec Internet Security Threat Report, Volume IX 1 Dell Oro Group, Ethernet Switch Report, Five Year Forecast, Jan, Source: Innovating 10 Gigabit Security 10 GbE Security Appliances Security appliances are now a mainstay in the corporate security arsenal. Intrusion Prevention Systems (IPS) are one of the leading categories of security appliances. Unlike traditional devices like firewalls which examine packet headers alone, an IPS examines the entire packet called deep packet inspection and is capable of detecting and blocking application level attacks such as the Blaster worm that exploited specific DCOM RPC vulnerabilities that firewalls let pass. An IPS can effectively bring both deep packet inspection and stateful pattern matching together with security enforcement and blocking to recognize and stop malicious traffic. The single biggest challenge for any security appliance, firewall or IPS is delivering security at the performance levels required by today s networks. Put simply, the speeds of networking technologies have far surpassed the capabilities of today s security appliances to monitor, analyze, filter, and defend the network. The result is a Hobbesean dilemma for corporations slow the network and ensure security or provide a high speed network with reduced security protection. Resolving this tradeoff creates a parallel and daunting challenge for security vendors. Delivering inspection and firewalling services at 10 Gigabit speed is enormously challenging but adding the requirement for flexibility so that the security appliance can adapt to and defend against new attacks has never been accomplished until now. The 2006 FORCE10 NETWORKS, INC. [ P AGE 1 OF 5 ]

2 heart of the problem lies in the traditional divide between software and hardware. Software provides flexibility but is slow because it runs on general purpose microprocessors. Hardware, on the other hand, has traditionally been blazing fast, but has not been flexible and therefore not ideal for environments in which the requirements are constantly changing. First generation security devices attempted to resolve this challenge by running security software on faster and faster microprocessors. While this improved speed somewhat, the maximum performance remained well below Gigabit speeds. The second generation of devices used hardware to assist the software in an effort to offload some of the "security work". This did improve performance but again topped out near 1 Gigabit per second. The second generation also suffered from being exceptionally expensive which limited its adoption in the market. In sum, security appliance systems have existed on a hard divide deliver the software flexibility necessary to deliver adaptable security rules or provide high performance by utilizing dedicated, permanent silicon-based computing systems such as those delivered from ASICs but give up flexibility in trade. DPI: Solving the Software-Hardware Conundrum The Force10 P-Series is the first of a new generation of security appliances. It is based on a fundamentally different technology called DPI (Dynamic Parallel Inspection), which provides the performance of custom hardware but the flexibility of software. DPI overcomes the software-hardware conundrum through the patented use of a massively parallel inspection process deployed entirely in field programmable gate array technology (FPGA). Dynamic Parallel Inspection uses an innovative extension of a well known super computing taxonomy, known as multiple instruction, single data, and takes advantage of the flexibility and dynamic characteristics of FPGA hardware processing. In multiple instruction single data designs, a single compute resource is broken up into "blocks" which all simultaneously perform tasks on the same unit of data. As a line-rate system, for 10 Gigabit deep packet inspection, each "block" is a continuous stream of 128 bit data blocks from the million packets per second in a 10 Gigabit stream. The FPGA is allocated into hundreds or thousands of "blocks" and in each block the desired security rules are embedded in the gates of the FPGA. Then, as a packet moves through the system, each block applies all of its rules simultaneously. By splitting security rules into many discrete engines that can run on the same data in parallel, and by embedding these rules in the gates of an FPGA, DPI can achieve both record-breaking inspection throughputs of million packets per second, while doing so in under 16 microseconds. Finally, each of the security rules which are embedded in the blocks can be changed dynamically. As new threats emerge, new rules can be written and pushed into the blocks. This can be done online, on the fly, or offline. In fact, these rules can be changed in a production system and are applied in less than 1/10th of a second. During the application of new rules, the system will maintain all state and continue to apply all existing rules without interruption. In sum, DPI achieves both the dynamic, real-time flexibility required for today s fast-changing IPS requirements, while introducing the industry s first line-rate 1 Gigabit and 10 Gigabit inspection and prevention system. How It Works Pre-Processing: To begin inspecting traffic, the DPI engine converts the entire traffic stream, including all payload and header information into "words" of 128 bits or less. Similarly, each security rule is also represented as a "word". The stream then compares the rules to create a Boolean value indicating a match or not a match on the current cycle. This stream can also be run against multiple signature words providing a very large number of concurrent comparisons to be executed in parallel. Figure 2. DPI Parallel Block Inspection Inspection/Detection: Each of the packet inspection blocks in the FPGA operates as a comparison unit. Each comparison unit includes matching logic to match a specific rule and at any time can assert a true or false signal indicating whether a match occurred. Based on user preference, a matched signal can be configured to trigger an alarm, a network block or the traffic can be 2006 FORCE10 NETWORKS, INC. [ P AGE 2 OF 5 ]

3 mirrored or captured to the host operation system. Traffic streams can also be matched against existing known flows through a stateful packet inspection table that tracks and keeps state information on all established flows of traffic. Key Benefits Industry Leading Line-rate Performance The fundamental building block of the P-Series security appliance, the DPI engine, is the only architecture that can support line-rate 10 Gigabit Ethernet performance today. Just as the speeds of networks have outpaced the ability of traditional security system designs, the signature scale and complexity of signatures in IPS systems are also rapidly growing. One of the key advantages of the P-Series and the DPI design stems from the matching of payload traffic against multiple subsystems which allows virtually unlimited signature scaling. The data stream can be presented to each functional "rule" cocurrently so as to maintain wire-speed packet processing. If one needs more signatures or more complexity in signature operations, these can be incrementally added through the use of additional parallel FPGAs. Figure 3. DPI Packet Inspection Flow One key design element of the DPI process is that serializing the input stream to large words (to achieve higher speeds) does not add cost to the solution since it only involves widening the input bus without requiring additional hardware. In fact, to deliver 10 Gigabit linerate inspection, traffic which was originally serialized into 16 bit words was scaled to 128 bit words. Widening does affect the amount of logic required to perform the matching functions but does not incur any additional synchronization overhead. This well-known property of data-parallel systems, therefore, allows cost-effective scaling to occur with the addition of multiple processors interconnected with simple combinatorial circuits. Each signature word can also be pre-programmed to match network traffic by: an initial word of a signature a middle word of a signature a unique word of a signature the last word of a signature a word to occur at a specific offset from the start of the packet This processing technology can scale in both speed by employing larger de-serialized words to balance faster serial links and in the number of signatures by adding more matching logic to store the additional signatures. The additional matching logic may be gained through adding FPGAs. Another scalability advantage stems from the fact that an increase of more rules or signatures only results in minimal synchronization overhead by virtue of the use of a single data stream. In other words, as you scale more gates for packet processing, a smaller percentage of the hardware is required for traffic management and overhead. Figure 4. DPI Parallel Block Inspection Open Flexibility In addition, the DPI s programmable features (built entirely in FPGAs), can be totally customized to various capabilities in pattern matching, anomaly detection, blocking and firewall filtering, monitoring or network capture. The entire system can be reprogrammed at the level of the silicon "assignments" of each gate on the FPGA. This flexibility is also driven by the openended nature of the DPI inspection logic. There are no protocol, packet, framing requirements, and as such, customizing new inspection capabilities (IPv6 traffic inspection for example) can be quickly facilitated FORCE10 NETWORKS, INC. [ P AGE 3 OF 5 ]

4 Stateful Matching Stateful matching enforces a time dependency between the matching events. With stateful pattern matching, it is possible to specify which matching event needs to occur at which time with respect to other matching events. In order to achieve this, it is necessary to store information (state) on which events occurred and use such information each time a new event occurs. Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across multiple matching events. As in many designs, one of the great challenges of stateful matching is to efficiently manage the matching information as it unfolds. It is often the case that there are limited resources to record the information and thus techniques are needed to reclaim stale resources for new matching events. Because wire-speed, hardware-based matching systems work synchronously without the aid of operating systems, they need to manage state in a simple and deterministic way. The DPI incorporates a lossless state management algorithm that allows a deterministic use of memory resources by matching state to follow a non-cyclic pattern (with the exception of a transition to garbagecollect stale states). This restriction on the state transition greatly simplifies the memory management system at the expense of expressiveness of the stateful matching design. However, the number of stateful signatures requiring cyclic patterns are estimated to be very low. Predictable Performance As a pure hardware-based inspection system, the P-Series is inherently predictable across all traffic loads, with any number of security rules enabled. The DPI technology literally assigns individual inspections and packet analysis directly into silicon hardware "gates" on the chip. By using true hardware separation of the blocking, mirroring and capturing sub-systems, DPI ensures there is no impact to signature inspection logic or its wire-speed operation under load, under full traffic capture, or under any traffic mirroring or blocking scenarios. This leads to identical performance, identical throughput, and identical latency with any traffic load, and under full use of the system s security policies. Cost Effective Force10 has created a compilation and synthesis process to optimize the DPI s use of the gates in the FPGA allowing the lowest cost per inspected Gigabit of bandwidth in the industry. This patented process is able to find processing "overlaps" by identified similarities in the security rules. At a high level, this means that security rules share a logic, and can utilize the same silicon gates on the hardware to perform that same function. In sum, the P-Series delivers the lowest cost of inspected bandwidth in the industry. Key Applications for the P-Series The combination of high performance line-rate 10 GbE density, ultra low latency, total open flexibility, and reliable and resilient operation are driving five P-Series solution architectures: Dedicated IDS/IPS: For intrusion detection and protection, the P-Series models P1 and P10 support existing, open source network security and monitoring applications by specifying capture and filtering policies using public domain IDS signatures such as Snort and Bro or standard network packet capture (Libpcap) monitoring libraries. Firewall and IDS/IPS Pre-Processing: Because of its performance characteristics, the P-Series is also being deployed in front of other IDS/IPS and firewall systems as a security accelerator. P-Series technology also provides developers an API for creating custom network security and monitoring applications such as stateful firewalling, DoS and DDoS, and packet and flow analysis applications. Lawful Intercept: In surveillance, lawful intercept and Communications Assistance for Law Enforcement Act (CALEA) compliance applications, new aggregate network speeds and recently increased illegal activity on the Internet have challenged law enforcement's ability to conduct authorized electronic surveillance online. The P-Series, in its ability to stay fully deterministic under full traffic conditions and the full customization to search any where in the data stream, including IPv6 header information, provides the ideal solution to this challenge. The P-Series dynamic packet and traffic capture capabilities are a strong compliment to Force10 switching solutions already gaining traction in this application FORCE10 NETWORKS, INC. [ P AGE 4 OF 5 ]

5 Regulatory Compliance Applications: The ability to continuously guard, monitor, and capture key data are also key elements of both the Sarbanes-Oxley Act (SOX) of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) of Both were driven by the need to improve how we report, govern, and disclose public information and manage confidential record keeping. For organizations, compliance with these acts is a problem of network visibility providing information to key officers so they can attest to the integrity of their financial controls for Sarbanes-Oxley, or the integrity and security of health information for HIPPA. Because the P-Series can identity traffic by any nature machine, address, traffic type and provide line-rate monitoring and packet capture of potentially thousands of search strings, customers have been able to insert the P-Series at key network intersections and provide compliance visibility to these regulations. Custom Open-Ended Wire-Speed Applications: Due to the unique properties of the DPI technology wire speed, predictable, programmable packet analysis customers are also pursuing new and unique applications for the P-Series using the application programming interface (API). Examples of customer-driven P-Series applications include a network monitoring and diagnostic application at an Internet exchange, and a U.S. financial services customer writing a latency validation application for Tibco message data. Summary The Force10 P-Series, and its DPI technology, represent the next generation security appliance. Based on DPI integrated hardware packet processing technology, the P-Series is capable of deep packet inspection at line-rate 10 Gigabit speeds, enabling the P-Series to monitor, capture and block malicious traffic without impacting performance. The P-Series is adaptable and extensible to provide open flexibility especially important in network security and packet monitoring applications. Force10 is the performance and resiliency leader in Gigabit and 10 Gigabit Ethernet switching and routing. With the launch of the P-Series, we extend our technology leadership into the security market, while introducing industry-leading innovations in high speed security designs. The P-Series, based on advanced DPI technology, brings new performance scaling, reliability, flexibility and predictable performance to stateful packet inspection, filtering and capture and blocking applications. Force10 Networks, Inc McCarthy Boulevard Milpitas, CA USA PHONE FACSIMILE 2006 Force10 Networks, Inc. All rights reserved. Force10 and the Force10 logo are registered trademarks, and EtherScale, FTOS and TeraScale are trademarks of Force10 Networks, Inc. All other brand and product names are trademarks or registered trademarks of their respective holders. Information in this document is subject to change without notice. Certain features may not yet be generally available. Force10 Networks, Inc. assumes no responsibility for any errors that may appear in this document. WP v FORCE10 NETWORKS, INC. [ P AGE 5 OF 5 ]