Securing the Intelligent Network




WHITE PAPER

New Threats Demand New Strategies

The network is the door to your organization for both legitimate users and would-be attackers. For years, IT professionals have built barriers to prevent any unauthorized entry that could compromise the organization's network. Figure 1 shows a typical security implementation designed to protect and connect multiple parts of a corporate network.

What constitutes network security is constantly evolving, due to traffic growth, usage trends and the ever-changing threat landscape. For example, the widespread adoption of cloud computing, social networking and bring-your-own-device (BYOD) programs is introducing new challenges and threats to an already complex network. Despite this tumultuous environment, IT departments are tasked with architecting a network capable of securing against known threats, quickly deploying new services and scaling with changes in demand.

Figure 1. Security in the network (diagram elements: branch offices with WAN optimization, IDS/IPS, firewall and VPN; WAN; content security; corporate network; home office; data center with ADC and firewall)

According to published McAfee* reports, the overall number of malware signatures topped a staggering 100 million in the fall of 2012.[1] Figure 2 visually depicts the number of new malware signatures identified by McAfee from 2010 through 2012. This report also highlights three additional trends currently transforming security. The type and sophistication level of modern malware is becoming increasingly diverse. The objectives of modern malware attacks are also changing, with goals ranging from industrial espionage, to ransom demands, to damaging infrastructure. Finally, the growth and accessibility of social networks facilitates easier exchange of this malware by would-be attackers.

Figure 2. New malware reported by McAfee (new signatures per quarter, Q1 2010 through Q3 2012; y-axis 0 to 10,000,000)

The combination of malware trends with the aforementioned IT challenges has triggered significant changes in the way network infrastructures are architected and secured. Networks have expanded in such a way that a hard network perimeter no longer exists. Unable to rely on a defense-only strategy, IT departments must architect their network security infrastructure under the assumption that an attack will penetrate the network. The resulting proactive security solution will facilitate near real-time intrusion detection.

Enabling Line-Rate Inspection

The first step in preventing an attack is to inspect incoming traffic before it enters the corporate network. This is accomplished by looking beyond the packet header into the contents of the packet. Once the layer 7 application data is reached, it can be matched against a defined pattern set, inspected for malicious signatures or used to extract pertinent metadata. This process is known as deep packet inspection, or DPI.
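The DPI step just described, as an added example that is not code from the paper, Intel or Wind River: a minimal Python inspector that decodes past the IPv4/TCP headers, keeps state per flow 5-tuple, matches the layer-7 payload against a pattern set and extracts HTTP metadata in the way the paper attributes to the Content Inspection Engine and Flow Analysis Engine. The signature names, addresses and packets are constructed for illustration.

```python
"""Toy DPI pass: decode past the IP/TCP headers, classify the flow by 5-tuple,
match the layer-7 payload against a signature set and extract metadata.
Added example, not Intel or Wind River code; signatures and packets are constructed."""
import re
import struct
from collections import defaultdict

# Constructed signature set (hypothetical rule names, not a vendor ruleset).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./"),
    "sqli-probe": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
    "pe-header": re.compile(rb"MZ\x90\x00"),
}

def parse_packet(raw):
    """Decode a minimal IPv4/TCP packet; return (5-tuple, layer-7 payload)."""
    if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4  # TCP data offset in 32-bit words
    return (src, sport, dst, dport, 6), raw[ihl + doff:]

def http_metadata(payload):
    """Flow-analysis style extraction: HTTP method, path and Host header."""
    m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
    return {"method": m.group(1).decode(),
            "path": m.group(2).decode(errors="replace"),
            "host": host.group(1).decode() if host else ""}

class Inspector:
    """Per-flow state so alerts and metadata accumulate across packets."""
    def __init__(self):
        self.flows = defaultdict(lambda: {"bytes": 0, "alerts": []})

    def inspect(self, raw):
        key, payload = parse_packet(raw)
        flow = self.flows[key]
        flow["bytes"] += len(payload)
        hits = [n for n, pat in SIGNATURES.items() if pat.search(payload)]
        flow["alerts"].extend(hits)
        meta = http_metadata(payload)
        if meta:
            flow["app"], flow["meta"] = "http", meta
        return hits, meta

def build_packet(src, sport, dst, dport, payload):
    """Constructed IPv4/TCP frame for offline use (checksums left zero)."""
    sb, db = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, sb, db)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload
```

A real engine would also reassemble TCP streams before matching, so that a pattern split across two segments is still seen; this toy matches per packet.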
In many cases, outbound traffic must also be analyzed to enable the detection of internal-based attacks as well as securing sensitive data and intellectual property. Therefore, it may be necessary to deploy DPI capabilities at both internal and external entry points to the network.

Implementing DPI-enabled protection can be challenging due to the extensive computational resources it requires. If the packets within a flow are not inspected quickly, application latency may increase, resulting in significant network delays. DPI can be processed through the use of software running on existing platforms, or by offloading packets onto DPI-specific hardware. Intel believes software-based DPI to be the optimal choice for several reasons. Intel executes to a proven roadmap, and the tick-tock development strategy ensures delivery of processors with consistent performance increases at a predictable cadence. Coupled with recent advances in IA packet processing performance, an optimized software-based approach provides a cost-effective and scalable DPI solution that has the flexibility to evolve with any change in security requirements.

High Speed Content Inspection Software from Wind River*

Wind River now offers a comprehensive, optimized software platform that addresses the needs of network security infrastructures, with an increased focus on DPI workloads. Wind River Intelligent Network Platform (INP) contains a Content Inspection Engine and Flow Analysis Engine, optimized specifically for Intel architecture platforms. Wind River* Content Inspection Engine provides a software pattern-matching solution scaling from 1 Gbps to 160 Gbps, depending on the number of processor cores used. Complementing this technology, Wind River* Flow Analysis Engine provides a decoding engine, protocol libraries and advanced metadata extraction to deliver real-time visibility of network traffic. Through the combination of exceptional packet processing, optimized DPI and enhanced metadata extraction, Wind River INP paired with Intel architecture platforms enables an optimized security solution that can perform content-aware flow classification and intrusion detection at line-rate speeds.

40G Packet Processing and Beyond

The last five years have seen staggering growth in network traffic. Looking forward, Intel expects that increased adoption of network-attached mobile devices will further accelerate this growth. Increased traffic puts tremendous stress on the underlying network infrastructure. Figure 3 shows how Intel micro-architecture performance has outpaced business, mobile, internet and total traffic growth in the past four years. While today's networks may consist of multiple architectures within a single infrastructure, it is becoming increasingly apparent that mixed-architecture infrastructures are prohibitively expensive to optimize and maintain due to the expertise required for the various platform, operating system and unique vendor technologies. Intel's 4:1 workload consolidation strategy enables the move from multiple hardware architectures onto a single architecture platform, like the Intel Communications Infrastructure Platform. The Intel Data Plane Development Kit (Intel DPDK) has been a key ingredient to unlocking the packet processing performance required to make workload consolidation on IA a reality.
Intel DPDK provides a comprehensive set of software libraries and example code that optimize packet processing on Intel architecture. The Intel DPDK libraries provide direct, optimized access to data plane functionality, bypassing costly context switches and significantly improving performance. In fact, the performance enabled by these libraries has transformed the perception of what workloads general-purpose processors are capable of processing. Where they were once relegated to only application and control workloads, Intel processors now have the ability to process packets at line-rate performance.

Figure 3. Intel architecture performance tracked against traffic growth (relative growth, 0.0X to 14.0X, 2009 through 2012; series: Internet Traffic / Month, Business Traffic / Month, Mobile Traffic / Month, Total Traffic / Month, Intel Architecture (L3 Fwd))

Driving Security to the Hardware Level

To further optimize performance and increase security, Intel platforms also include several complementary security technologies built into multiple platform components, including the processor, chipset, and network interface controllers (NICs). These technologies provide low-level building blocks upon which a secure and high-performing network infrastructure can be sustained. These technologies include Intel Virtualization Technology, Intel Trusted Execution Technology and Intel QuickAssist Technology.

Virtual Appliances

With a focus on energy conservation and cost control, enterprises continue to virtualize an increasing number of servers as well as their data center infrastructure. This trend has a ripple effect on security appliances. An appliance that previously secured multiple physical servers must now secure one server running increasing numbers of virtual machines (VMs). Simply put, physical appliances were not designed with the ability to inspect traffic streaming through a hypervisor running multiple virtualized servers. Additionally, whereas server workloads can handle a certain amount of latency, security appliances can never be a bottleneck in the network infrastructure. A key premise for virtualized environments is that each virtual machine behaves as though it were a physical machine, with control over its physical and logical resources.
Each VM acts as though it is protected from other VMs. In reality, multiple VMs reside on one physical appliance, accessing shared resources with only a layer of software protecting the content of one VM from another. Intel Virtualization Technology (Intel VT) increases the security of virtual appliances through hardware hooks that enable the separation of VMs/workloads on shared platforms. This moves the security burden off the software layer and into the hardware. Intel VT also has the ability to provide applications direct access to hardware resources, without incurring the latency penalties associated with moving through a hypervisor layer. By separating VM access in hardware, Intel VT allows the hypervisor to be bypassed without increasing the risk of rogue software manipulating any VMs. The ability to bypass the hypervisor, in certain cases, provides increased throughput without sacrificing the value-added hypervisor features.

Making Secure Clouds a Reality

Analysts project that IT spending will increase slightly in 2013. This increase in investment is largely attributed to cloud computing. Over half of IT organizations plan to increase their spending on cloud computing to improve flexible and efficient use of their IT resources.[2]

Intel Trusted Execution Technology (Intel TXT) is specifically designed to harden platforms against hypervisor, firmware, BIOS, and system-level attacks in virtual and cloud environments. It does so by providing a mechanism that enforces integrity checks on these pieces of software at launch time. This ensures the software has not been altered from its known state. Intel TXT also provides the platform-level trust information that higher-level security applications require to enforce role-based security policies. Intel TXT enforces control through measurement, memory locking and sealing secrets, resulting in an isolated launch-time environment. It works cooperatively with Intel Virtualization Technology (Intel VT).

Figure 4. Intel TXT with Intel VT enables secure virtualization (diagram layers: VM1 and VM2 above the hypervisor layer, with Intel VT and Intel TXT beneath)

To further optimize performance and increase security, Intel platforms also integrate several complementary security technologies like Intel Virtualization Technology and Intel Trusted Execution Technology. These technologies are designed to harden platforms against hypervisor, firmware, BIOS, and system-level attacks in virtual and cloud environments. These technologies will continue to evolve, ensuring Intel platforms continue to provide unique value that enhances the user experience.

Meeting the Security Needs of the Intelligent Network

In today's networks, security threats are constantly evolving, often resulting in loss of data, time and money. While new technologies and applications can provide significant business benefits, they also increase the ways in which malicious code can enter the network. IT departments are tasked with outpacing these threats by architecting a secure network capable of quickly deploying new services that can easily scale with changes in demand. A new generation of security appliances is emerging. These devices perform cryptography, inspect packet content, extract metadata, and analyze traffic flows. These appliances are transitioning away from purpose-built architectures onto general-purpose processors. Today's security appliances are built on Intel architecture.
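The launch-time measurement, integrity check and sealing of secrets described in the Intel TXT section above, as an added example that is not Intel's code: a Python model in which each boot component is hashed into a register in boot order, the final value is compared against a known-good policy, and a secret is sealed so it only unseals under that value. The component images, policy, platform key and the HMAC-based sealing stand-in are constructed assumptions, not the hardware primitive.

```python
"""Toy model of launch-time integrity enforcement: measure boot components into
a register, compare against a known-good policy, and seal a secret to it.
Added example, not Intel code; images, policy, key and sealing scheme are constructed."""
import hashlib
import hmac

PLATFORM_KEY = b"constructed-platform-key"  # stands in for a hardware-held key

def measure_launch(components):
    """Measure components in boot order: reg = H(reg || H(image)) at each step."""
    reg = b"\x00" * 32
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        reg = hashlib.sha256(reg + digest).digest()
        log.append((name, digest.hex()))
    return reg, log

def seal(secret, expected_reg, key=PLATFORM_KEY):
    """Encrypt and authenticate a short secret under (key, expected register)."""
    assert len(secret) <= 32, "demo keystream is one SHA-256 block"
    ks = hmac.new(key, b"enc" + expected_reg, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    tag = hmac.new(key, b"mac" + expected_reg + ct, hashlib.sha256).digest()
    return ct + tag

def unseal(blob, current_reg, key=PLATFORM_KEY):
    """Return the secret only if the current register equals the sealed one."""
    ct, tag = blob[:-32], blob[-32:]
    want = hmac.new(key, b"mac" + current_reg + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    ks = hmac.new(key, b"enc" + current_reg, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

def first_divergence(expected_log, actual_log):
    """Name the first component whose measurement differs from the policy log."""
    for (name, exp), (_, act) in zip(expected_log, actual_log):
        if exp != act:
            return name
    return None

def launch(components, policy_reg, sealed_blob, policy_log):
    """Enforce the policy at launch: (trusted, secret, offending component)."""
    reg, log = measure_launch(components)
    if not hmac.compare_digest(reg, policy_reg):
        return False, None, first_divergence(policy_log, log)
    return True, unseal(sealed_blob, reg), None

# Constructed golden boot chain and a variant whose hypervisor image was altered.
GOLDEN = [("bios", b"bios-v1"), ("firmware", b"fw-v1"), ("hypervisor", b"hv-v1")]
TAMPERED = [("bios", b"bios-v1"), ("firmware", b"fw-v1"), ("hypervisor", b"hv-v1x")]
POLICY_REG, POLICY_LOG = measure_launch(GOLDEN)
SEALED = seal(b"vm-disk-key", POLICY_REG)
```

Because the register is a hash chain, the same components measured in a different order also fail the policy, which is why the measurement log matters for telling an operator what actually changed.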
Additional Resources

Wind River INP: http://www.windriver.com/whitepapers/deep-packetinspection/content_inspection_engine_wp.pdf
Intel Data Plane Development Kit: www.intel.com/go/dpdk
Intel Virtualization Technology: www.intel.com/go/virtualization
Intel Trusted Execution Technology: www.intel.com/txt
Intel Platform for Communications Infrastructure: www.intel.com/go/commsinfrastructure

For more information on Enterprise security solutions please visit www.intel.com/go/commsinfrastructure

[1] McAfee Threats Report: Third Quarter 2012. http://www.mcafee.com/
[2] ComputerWeekly.com: 2012-2013 IT Budget Benchmark. http://www.computerweekly.com

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations: www.intel.com/performance/resources/benchmark_limitations.htm. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

* Other names and brands may be claimed as the property of others.

Copyright 2013, Intel Corporation. All rights reserved. Printed in USA MS/VC/0213 Order No. 328647-001US