Enabling the High-Performance Next Generation Firewall

Transcription

1 Virtualization. Consolidation. Simplification. Choice. WHITE PAPER Enabling the High-Performance Next Generation Firewall

2 The Business Challenge Large enterprises are increasingly engaging in network consolidation to eliminate redundant IT resources and minimize infrastructure complexity. Within these initiatives, enterprises are targeting their network security infrastructure as a natural focus for achieving both consolidation and governance goals. In order to improve network security and support strategic business objectives, IT organizations are struggling to find solutions that can offer the strongest protection against emerging threats and anticipate future threats, while guaranteeing application availability across the enterprise. This can most effectively be accomplished with best-of-breed security applications, state-of-the art vulnerability research, and a high-performance Next Generation Security Platform. In an ideal world, IT administrators would like to dynamically add applications, provide seamless high-availability, and scale performance without having to add new boxes, virtually eliminating both planned and unplanned downtime. Until now, it has been impossible to find a solution that incorporates all of these capabilities, supporting the required operational efficiency and both short- and long-term cost reduction. IT Security Challenges Enterprise IT infrastructures are constantly under assault by cybercriminals and hackers attempting to break into computer systems to steal classified data and confidential records, disrupt service, sabotage data and systems, and launch computer viruses and worms. Many of these attacks are actually blended attacks. A blended attack seeks to maximize the severity of damage and speed of contagion by combining methods, for example using characteristics of both viruses and worms, while also taking advantage of vulnerabilities in computers, networks, or other physical systems (see Figure 1: Multi-layer Threats That Target Enterprise IT Infrastructure). An attack using a blended approach might send a virus via an attachment, along with a Trojan horse embedded in an HTML file that will cause damage to the recipient computer. The Nimda, CodeRed, and Bugbear exploits were all examples of blended threats. IT organizations no longer have a well-defined perimeter characterized by a handful of Internet connections and private Wide Area Network (WAN) links to their satellite offices and a few key partners. Instead, opportunities for increased revenue and operational efficiency have driven much higher degrees of interconnectivity and in-depth access to their networked systems. Indeed, over the past few years, virtually all businesses have increased their support for online customer services, 2

3 business-to-business relationships, local access by guest users, telecommuting and employee mobility, and remote office/branch office computing services. Consequently, they now need comprehensive protection (from a functional perspective) not only at multiple perimeter demarcation points, but also on their internal networks, at user endpoints, within their data centers, and at their branch offices. Perimeter Attacks Malicious Intruders Exposed via Partner Business Partners Exposure of Financial Data Business Services Inside Attacks Internal Users INTERNET Remote Users Two-Way Protection Data Theft File Servers Figure 1: Multi-layer Threats That Target Enterprise IT Infrastructure In order to address these threats and continuously improve infrastructure security, IT managers require high-performance multi-layered security solutions. Historically, there have been three common approaches: Security appliances: This has often been the initial solution to meet specific security requirements and to address emerging threats. However, many organizations have been unable to control appliance sprawl. This in turn has prompted consolidation initiatives to address highly-distributed and often stacked security software solutions that lack performance, but provide strong protection. Devices re-purposed from a hardware firewall: This approach provides high-performance and application availability, but may sacrifice multi-layered security. Often performance claims are solely based on Layer 4 Firewall inspection and not application-level inspected throughput performance. Single-source solutions: This approach provides simplicity, by purchasing network and security solutions from a single vendor, yet often lacks inspected throughput performance and required levels of security. 3

4 Often IT organizations have had no choice but to combine the first two classes of solution for full enterprise coverage, which has led to increased cost and complexity in scaling, management, maintenance, fault-isolation, and training. Each of these solutions is costly to purchase, maintain, and scale, yet still does not provide an effective solution. (See Figure 2: Current Deployments are Complex, Costly, and Difficult to Manage and Maintain.) For the typical large enterprise, administrators are faced with hundreds, if not thousands, of devices and policies to manage, and hundreds of applications to manage, patch, update, and support. Internet Routers L2 Switches Load Balancers Load Balancers Load Balancers Firewalls IPS Anti-virus Figure 2: Current Deployments are Complex, Costly, and Difficult to Manage and Maintain Requirements To achieve required levels of security, availability, regulatory compliance, and employee efficiency, all while containing cost, security strategies and solutions must be able to evolve. Common requirements include: The ability to stack or layer security solutions logically. Network and application security approaches differ, in part because the attack vectors differ. Yet the most effective and efficient solutions require them to work in conjunction to prevent downtime, data loss, and/or leakage. The minimization of disruption. IT organizations need a better way to scale performance and introduce new security applications, while minimizing planned downtime for upgrades, general management, and maintenance. Reduced OpEx. Despite the challenge of managing an increasingly complex infrastructure, most IT managers are facing the reduction of operating expense budgets and hiring freezes. Those that are lucky are asked to simply hold their budgets steady year over year. They are forced to do more with less, while improving levels of security. 4

5 Reduced CapEx. Most security budgets are strained to the point that any significant purchases receive extensive scrutiny. Increased M&A activity increases the challenge by having to protect a growing number of local and remote physical locations with little additional budget. Ideally, a multi-function security appliance would not require a trade-off between the quality of the individual security application and the performance of the overall system. Crossbeam is the leader in high-performance virtualized Next Generation Security Platforms. The Crossbeam X-Series Next Generation Firewall solution delivers multi-layered protection from best-of-breed software vendors like Check Point, Sourcefire, and Imperva, with class-defining performance and reliability to provide enterprises defense-in-depth security and robust network and application availability. The X-Series is the perfect consolidation solution, allowing virtualization of multiple instances of security applications. The Role of Virtualization in Securing Enterprise Networks Virtual services enable large distributed organizations to centralize security enforcement and equipment maintenance while retaining the option of either centralized IT or distributed management by division or other sub-entity. As security services are centralized, the organization can deliver firewall and IPS services to thousands of end-users with a single device and still offer each location or department independent policy management. Next Generation Firewall Defining the Next Generation Firewall The Next Generation Firewall is a new class of solution that provides the foundation of enterprise security -- tightly coupled firewall and intrusion prevention (IPS) capabilities. Firewall and IPS provide complimentary protection and multi-layered defense, maintaining low latency while performing complex inspection and blocking. Simply having an IPS in the same appliance as the firewall does not constitute a Next Generation Firewall; both components need to leverage each others inspection capabilities, have intelligent traffic handling, and work together to block attacks. Crossbeam provides the optimal solution by tightly coupling and certifying the leading firewall and IPS solutions. Crossbeam s unique architecture and operating system, XOS, allows serialized processing between Check Point VPN-1 Power and Sourcefire s IPS with Real-time Network Awareness technology (RNA), creating the most powerful Next Generation Firewall. 5

6 Crossbeam s Next Generation Firewall offers a high-speed, multi-policy security solution designed for large enterprises that require the strongest and fastest layered Firewall and IPS solution. By consolidating multiple security domains on a single platform, Crossbeam can reduce licensing, maintenance, complexity, and cost while offering the industry s most intelligent, adaptive network, and application inspection technology. The Next Generation Firewall running on Crossbeam s platform replaces complex network topologies consisting of routers, switches, load balancers, firewall/vpn gateways, and network intrusion prevention systems. It allows multiple networks to be protected, while connected to shared resources such as the Internet and DMZs, but also to interact with each other safely. It does all this while providing simplified and unified management through Crossbeam s SecureShore Network Management System (NMS). SecureShore NMS can also leverage Check Point s SMART management solutions SmartCenter and Provider-1 and Sourcefire s Management. Crossbeam solutions provide the highest hardware scaling and high availability solutions for Check Point VPN-1 POWER and Sourcefire IPS deployments. Large enterprises can finally discover the same benefits for their security infrastructure that are being currently accomplished with virtualized server deployments. Instead of having to upgrade and patch a myriad of distributed firewall and IPS systems, a single Crossbeam Next Generation Firewall deployment can mean patching and upgrading a single system. This is especially useful in large campus or skyscraper deployments where firewall and IPS services can easily be aggregated in the data center. Many Crossbeam customers are able to consolidate tens or even hundreds of firewalls, IDS sensors, and IPS devices onto a handful Crossbeam chassis, drastically improving operational aspects of the network with a high-performance, high-availability, and best-ofbreed multi-layer virtualized solution. With less hardware, software, and accompanying licenses to procure and manage, Crossbeam customers are able to achieve significant capital and operational cost savings. Check Point s Best-of-Breed Firewall/VPN Features Crossbeam System s X-Series has incorporated the world s best firewall/ VPN software Check Point Technologies VPN-1 Power onto its Crossbeam security services switches. Along with Sourcefire, these solutions integrated on Crossbeam s platforms eliminate the need for tens of load balancers, switches, and separate high availability licenses required to make current firewall/vpn appliances scale. The integrated Crossbeam and Check Point VPN-1 Power functionality is state-of-the-art, providing the industry s most complete and highperformance stateful inspection engine, full VPN capability, multiple NAT options, proxying, and support for the latest technologies such as VoIP, SIP, fixed wireless, and x wireless networks. 6

7 With support for more than 200 predefined applications and protocols out-of-the-box, VPN-1 Power provides the broadest application support in the industry. VPN-1 Power provides NAT to conceal internal network addresses and support different networking scenarios integrated with stateful inspection technology. VPN-1 Power automatically generates static and dynamic NAT rules based on network topology information. Because organizations are dealing with increasingly complex virtual private networks, VPN-1 Power contains a comprehensive set of technologies to build remote access and site-to-site VPNs that simplify configuration while still maintaining flexibility for different deployment scenarios. With Check Point VPN-1/FireWall-1, security rules are applied to VPN traffic to guarantee complete integrity of network security. Crossbeam offers the perfect platform for easily migrating older FireWall-1 installations to the latest VPN-1 Power version, which includes Firewall-1. Sourcefire s Best-of-Breed IPS Features Built on the legacy of the open source Snort rules-based detection engine, Sourcefire uses a powerful combination of signature-, protocol-, and anomaly-based inspection methods to achieve the maximum attack detection and prevention capability. Flexibility in the rules language and numerous configuration options allow users to easily define new ways to identify and address threats and enforce policies specific to their environment. Sourcefire RNA technology provides the most comprehensive view of security events and the ideal basis for the most effective network defense using a revolutionary combination of passive network discovery, behavioral profiling, and integrated vulnerability management technologies. RNA continuously monitors all network assets (servers, routers, PCs, firewalls, and wireless access points), presenting a realtime view and highly-detailed profiles of all network assets including their configuration, behavior, potential vulnerabilities, and associated changes. The degree of insight and intelligence that RNA provides not only allows organizations to protect their networks with more confidence, it greatly reduces the ongoing cost associated with responding to network threats. The Sourcefire Defense Center tightly integrates and correlates the threat information provided by Sourcefire IPS with the network intelligence provided by Sourcefire RNA, easily prioritizing millions of security events to determine the most critical events to the business and takes the appropriate actions according to Sourcefire s ABCs of Defense Alert, Block, and Correct. 7

8 The Crossbeam X-Series Next Generation Security Platform Product Family The Crossbeam X-Series products provide the foundation for the Next Generation Firewall solution. The X-Series product family includes the X40, the X45, and the X80 chassis. All of the products share the same basic architecture, but each has unique characteristics to suit specific deployments. The X45 is a 7-slot 8 RU chassis. The X40 and the X80 are 14-slot 14 RU chassis. All three are high performance, high availability, easy-to-manage security switches designed to secure medium and large enterprise data centers. Figure 3: Crossbeam X-Series Platforms The X-Series system decouples network and security service processing to allow customers to effectively take advantage of price/performance improvements and innovation curves within each technology independently. The system offers massive consolidation of security equipment while preserving security policies, resulting in a safer and simpler network. Chassis Architecture The X-Series is a modular chassis architecture consisting of 7 14 slots in an 8 or 14 RU carrier-class enclosure (See Figure 3: Crossbeam X-Series Platforms). There are three major types of modules used in the system: Network Processor Modules (NPMs), Application Processor Modules (APMs), and Control Processor Modules (CPMs). The different chassis allow differing combinations of modules. The backplane supports 40+ Gbps of data traffic, allowing the chassis to scale as the power of the APMs or NPMs are increased in line with technology improvements. Each NPM has a 10 Gbps full duplex point to point connection to all APMs and CPMs, and the second NPM. Each 8

9 APM can receive up to 12 Gbps of traffic. The signaling information (heart beat, health poll, flow states, etc.) goes through a dedicated 1Gbps control path. The X-Series architecture also delivers the industry s first system capable of either single-box or dual-box High Availability (HA). Every component and blade within the Crossbeam X-Series is fully redundant and is designed to meet stringent carrier-class requirements. In addition, in single-box HA, Crossbeam has the unique capability of supporting a dynamic standby application module. If any application module becomes unavailable, the standby module can dynamically take on the capabilities of any application. Therefore, a standby blade does not have to be configured for a specific application and allows for seamless failover for multiple applications using a single blade. The X-Series carrier-class architecture was designed and built by the same team that built the frame relay switches at the core of MCI s HyperStream global data network (see Figure 4: X-Series Carrier Class Architecture). Unlike expensive telecommunications products, however, the X-Series achieves its high capacity capabilities at prices equivalent to existing enterprise firewall solutions. Control Plane Firewall IPS WAF Dynamic Standby 40 Gbps Network/Data Path 160 Gbps Switch Fabric Backplane Figure 4: X-Series Carrier Class Architecture Crossbeam s Virtualized Network Operating System XOS Software X-Series is powered by a custom-hardened version of Linux, the X operating system (XOS Software), a software architecture which has been optimized for the secure processing of network flows. Highly adaptive, XOS software can quickly add support for new applications, thereby integrating existing security technologies while remaining future proofed against constantly changing security requirements (see Figure 5: XOS Software and the System Architecture). More specifically, this software architecture is founded on a Symmetrical Multi-Processor (SMP) Linux kernel operating system. This assures the inclusion of the complete suite of functionality available for the 9

10 Linux systems and guarantees the benefits of the evolution of these capabilities in step with the progress of the Linux community. Existing or future best-of-breed applications written for Linux can run on the X-Series architecture and rely on the complete set of available and evolving Linux features and utilities. Crossbeam Systems provides specific support for applications developed by best-of-breed security application vendors working with Crossbeam as strategic partners. Crossbeam Next Generation Security Platform Firewall VPN Intrusion Protection Dynamic Capacity Web/DB Firewall Content Gateway SSL Remote Access XOS Secure Flow Processing Unsecured Traffic Secured Traffic Figure 5: XOS Software and the System Architecture Crossbeam s Virtual Application Processing A significant software construct within XOS is the Virtual Application Processor (VAP) group (see Figure 5: XOS Software and the System Architecture). Applications running on the APMs can exchange user traffic with external ports and with other applications running on either the same module or any other module in the chassis. One APM can run on one application, or alternatively, one application or a set of applications can run on multiple APMs, allowing effective multiplication of computing capacity to the application processing needs, while still being seen as one virtual application by the traffic coming into the chassis. This type of variability and flexibility is enabled by the VAP group s capabilities. An APM is mapped to a VAP because there is no association of an APM with the physical slot in the chassis and no association of a physical module with the applications. A group of APMs is called a VAP group. The security administrator just needs to define the number of VAPs in a VAP group and the exact number of APMs needed for this VAP group. That means that a configuration can be done for five firewall modules where at the beginning only two APMs might be loaded in the chassis, for cost efficiency reasons. When traffic grows new APMs can be added with just one command line interface (CLI) command to adjust the max-load-count. 10

11 Benefits of the X-Series Platform The X-Series was designed to create order of magnitude improvements in the operational efficiency of running data center security infrastructures. Significant benefits include: Strategic Reduces the risk of technology investments. The rate of security threats and new security software development is accelerating, so enterprises want to preserve the ability to switch to new vendors quickly as needs change Allows for core installation in lights out environments, scaling multiple, complementary applications, and multiple software instances all in a % uptime platform Operational Requires significantly fewer personnel to manage existing firewalls Uses significantly less power and rack space than traditional server-based solutions At 8 Gbps of stateful firewalling capacity per APM-8600, the platform offers significant price/performance improvements over competitive products Modular Options for Additional Functionality and Growth Provides a modular network and application blade-based approach, so that users can always take advantage of the latest technology without disrupting existing configurations and run-time operations Offers APM hard drive options for applications that require local disk space (IDS and anti-virus) Offers APM memory upgrades up to 4 GB to keep pace with application requirements Other Operational Features and Benefits Consumes less than 600W (during normal operation) with a fully loaded chassis compared to 610 watts consumed by a single SUN 220R enterprise server Only 14 RUs for the equivalent of two load balancers, 10 servers, and the associated switches, cables, and management consoles All modules in the system are fully hot-swappable, reducing down-time for upgrades and replacement of failed components 11

12 Fully Secure and Available Completely isolated management plane ensures that system management can not be reached from the data plane SSL-based Graphical User Interface (GUI) access and SSH-based CLI access No single point of failure in the entire box dual fan trays, four power supplies, multiple redundant interfaces, 18-layer backplane with data network traces on separate layers, control network traces on separate layers and redundant traces to each card Consolidating Security Infrastructure Case Study: CheckFree Corporation Company Background Founded in 1981, CheckFree Corporation (Nasdaq: CKFR) provides financial electronic commerce services and products to organizations around the world. With three divisions CheckFree Electronic Commerce, CheckFree Investment Services and CheckFree Software CheckFree employs more than 3,500 people worldwide, in 18 locations with an annual revenue of $879.4 million in fiscal year The Challenge CheckFree s worldwide network handles more than one billion sensitive financial transactions per year each needing to be transported, stored and retrieved in a timely, secure fashion at any time, for any authorized user. With the increasing popularity of electronic billing and payment, CheckFree s security architecture had become more complex as additional security layers were strategically added. Perimeter security throughout CheckFree s expansive global network consisted of load balancers, redundant firewalls, and multiple IDS devices. Added to this complexity was an expansive switching architecture for data flow, application sequencing, and failover, making troubleshooting and log auditing more challenging. With an increasing number of appliances in the network, overlaying security was growing more complex with each transaction. Each system required patching, upgrading, and log file review, and some devices required management and administrative tools, which in turn required additional training. Staff and maintenance costs were increasing. To plan the next level of quality for this complex network, CheckFree set out to re-engineer the firewall and IDS infrastructure to improve availability and meet future growth projections. They sought to deploy a consolidated firewall and IDS platform that was highly 12

13 available, cost effective, and easy to manage all with the goal of increasing network capacity and scalability while decreasing operational cost and complexity. The Solution CheckFree embarked on an extensive search for a multi-layered security platform that could consolidate and tightly couple intrusion detection (IDS) and firewall functions. The company conducted extensive testing of hardware platforms from leading vendors, and found that the Crossbeam X-Series security switch outperformed the closest competitor by 87%. According to Isenberg, Crossbeam was the only vendor that offered a security-focused blade server that aggregated security applications in a scalable, highly available perimeter device with multi-gigabit scalability. To add horsepower or additional security applications, all we have to do is add another blade to the chassis, said Isenberg. Crossbeam X-Series is delivered in three blade-based chassis that offer various rack space and port density options. The models can be deployed either in single-box high availability mode (SBHA) or multi-box high availability mode (MBHA) depending on security policies. SBHA is made possible by a system architecture that includes full redundancy across all elements from power and fan to interface, blade, and application layers. The system enables transparent insertion into and protection of networks from vendors such as Cisco, Juniper, Foundry, and Extreme. CheckFree was able to consolidate 20 IDS devices, 20 switches, and 26 firewalls onto seven Crossbeam chassis, drastically simplifying its network with a high-performance, high-availability, and best-of-breed multi-layer virtualized architecture. Despite traffic doubling every year since 2003, CheckFree has not had to add any new staff to manage the environment, and achieved double the ROI after three years. Summary As the number of transactions that CheckFree handles continues to grow, our security architecture as well as our transaction operations must be able to scale efficiently. Our priorities are protecting customer data and ensuring that our security solutions integrate to create an exemplary security architecture. Rich Isenberg Director of Security CheckFree The traditional practice of deploying an ever-increasing number of appliances and applications to combat increasing security risks creates an infrastructure that is too complex, costly, and slow to react to new threats. Today, enterprises managers want to move to a new kind of virtualized security architecture that supports the requirements of a Next Generation Firewall, but also consolidates deployments, reduces cost, and delivers much faster threat response. Crossbeam Systems, working closely with Check Point and Sourcefire, has developed a tightly coupled, high-performance, scalable, and reliable Next Generation Firewall solution that has been designed from the 13

14 ground up to offer the best protection and performance for detecting and eliminating multiple levels of threats that target mission critical IT infrastructure and data. The Crossbeam Next Generation Firewall running on the X-Series platforms replaces complex network topologies consisting of routers, switches, load-balancers, Firewall/VPN gateways, and Intrusion Detection/Prevention System sensors and appliances. It allows multiple networks to be protected and connected to enable shared resources within various departments, corporate sites, the Internet, and DMZs, while enabling them interact with each other safely. It does all this while providing simplified and unified management using wellknown applications. The end result is a high performance, scalable virtual security service delivery platform that provides both capital and operational cost reduction at deployment and over time. Crossbeam Systems protects many of the largest enterprises in the world in industries such as finance, high tech manufacturing, and telecommunications, where the deployment of Crossbeam Systems security switches is at the core of the network and in mission-critical ingress and egress points. About Crossbeam Systems Crossbeam Systems, Inc. transforms the way enterprises, service providers and government agencies architect and deliver security services. The basis of Crossbeam s solution is its Next Generation Security Platform, a highly scalable hardware platform that facilitates the consolidation, virtualization and simplification of security services delivery, while preserving the customers choice of best-of-breed security applications. Crossbeam offers the only security platform that delivers unparalleled network performance, scalability, adaptability and resiliency. Customers choose Crossbeam to intelligently manage risk, accelerate and maintain compliance, and protect their businesses from evolving threats. Crossbeam is headquartered in Boxborough, Mass., and has offices in Europe and Asia Pacific. More information is available at: Corporate Headquarters Crossbeam Systems, Inc. 80 Central Street Boxborough, MA Tel: +1 (978) Fax: +1 (978) Crossbeam, Crossbeam Systems, any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc., in the U.S. Patent and Trademark Office, and several international jurisdictions. All other company, product or service names not owned by Crossbeam mentioned in this document are the property of their respective owners. Copyright 2008, Crossbeam Systems Inc. All Rights Reserved WP_NGFW_040108