Firewall For the Next Generation. Technical White Paper 1.0 OD0700WPE01-1.0



Similar documents
Technical Brief. DualNet with Teaming Advanced Networking. October 2006 TB _v02

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

High-Performance IP Service Node with Layer 4 to 7 Packet Processing Features

Product Overview. customers in the business of service provider, enterprise, financial services, and public sectors.

Gigabit Multi-Homing VPN Security Router

Security Technology: Firewalls and VPNs

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewall Architecture

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Huawei Eudemon1000E-X series Firewall. Eudemon 1000E-X Series Firewall. Huawei Technologies Co., Ltd.

Cisco PIX vs. Checkpoint Firewall

Cisco Integrated Services Routers Performance Overview

SafeEnterprise SSL igate Managing Central Access to Resources with VPX Technology

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Gigabit Content Security Router

Gigabit Multi-Homing VPN Security Router

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Development of the FITELnet-G20 Metro Edge Router

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Cisco SR 520-T1 Secure Router

Secured Voice over VPN Tunnel and QoS. Feature Paper

CMPT 471 Networking II

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Recommended IP Telephony Architecture

Achieving Low-Latency Security

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

BRC-W14VG-BT Wireless BitTorrent Download Router

Section 12 MUST BE COMPLETED BY: 4/22

Firewalls for the Home & Small Business. Gordon Giles DTEC Professor: Dr. Tijjani Mohammed

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Networking for Caribbean Development

Next Generation Firewall

Definition of a White Box. Benefits of White Boxes

Gigabit SSL VPN Security Router

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

(MPLS) MultiProtocol Labling Switching. Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004.

A brief on Two-Factor Authentication

Internet Content Provider Safeguards Customer Networks and Services

SSL VPN Technology White Paper

Load Balancing Security Gateways WHITE PAPER

QLogic 16Gb Gen 5 Fibre Channel in IBM System x Deployments

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

How To Configure The Fortigate Cluster Protocol In A Cluster Of Three (Fcfc) On A Microsoft Ipo (For A Powerpoint) On An Ipo 2.5 (For An Ipos 2.2.5)

WHITE PAPER. Extending Network Monitoring Tool Performance

Configuring Oracle SDN Virtual Network Services on Netra Modular System ORACLE WHITE PAPER SEPTEMBER 2015

Introducing IBM s Advanced Threat Protection Platform

Firewall and UTM Solutions Guide

Next-Generation Firewalls: Critical to SMB Network Security

NETASQ MIGRATING FROM V8 TO V9

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

The Load Balancing System Design of Service Based on IXP2400 Yi Shijun 1, a, Jing Xiaoping 1,b

SCADA SYSTEMS AND SECURITY WHITEPAPER

Stateful vs. stateless traffic analysis

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Protecting and controlling Virtual LANs by Linux router-firewall

TECHNICAL NOTE. FortiGate Traffic Shaping Version

Network Access Security. Lesson 10

Remote Access Security

Logical & Physical Security

Guidance Regarding Skype and Other P2P VoIP Solutions

Layer 3 Network + Dedicated Internet Connectivity

VMware vcloud Networking and Security Overview

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Perspective on secure network for control systems in SPring-8

TechGuard Firewall Products Specs/Parts/Competitive Analysis

PCI DSS and the A10 Solution

A Study of Network Security Systems

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Implementing Cisco IOS Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

ZyXEL offer more than just a product, we offer a solution. The Prestige DSL router family benefits providers and resellers enabling them to offer:

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

IINS Implementing Cisco Network Security 3.0 (IINS)

Huawei Network Edge Security Solution

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Bivio 7000 Series Network Appliance Platforms

Database Security in Virtualization and Cloud Computing Environments

Common Remote Service Platform (crsp) Security Concept

The Cisco ASA 5500 as a Superior Firewall Solution

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

GR2000: a Gigabit Router for a Guaranteed Network

Network Management and Monitoring Software

PART D NETWORK SERVICES

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

P2P Traffic Manager. L7 Internet Security. IP Appliance Products

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Denial of Service (DOS) Testing IxChariot

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Top-Down Network Design

Lab Configuring Access Policies and DMZ Settings

Global Partner Management Notice

CISCO IOS NETWORK SECURITY (IINS)

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Transcription:

Firewall For the Next Generation Technical White Paper 1.0 OD0700WPE01-1.0

Threats in today s network environment With network and internet connections becoming more common, network security has also become an important issue and garnered significant public awareness. This is especially when more and more websites and servers are attacked by hackers armed with new and varied hacking techniques. Online banks are also at the receiving end of threats such as Trojan horses where passwords and account IDs are repeatedly stolen, resulting in financial lost for account holders. The flooding of spam mails not only crippled the whole network economy, programs like malware, ad ware and illegal popup advertisements are also posing endless challenges to network users. Why are network threats on the rise? Firstly, more and more broadband services are offering giga-speed lines to end-users, a significant contrast to the past where broadband speed of 2M was considered a premium. Nowadays network backbones are already operating is several G. Unfortunately the significant growth in broadband also brought with it unprecedented growth in network threats, and the resultant damages. Secondly, network applications that operate above the TCP/UDP layer, such as various IM (chat programs) or P2P software (e.g. EDonkey), are on the rise, and are casually used within the network. These applications could be gateways for network threats such as illegal entry, network invasion, phishing, DOS/DDOS attacks, various malware, spam, etc. SifoWorks Technical White Paper 1.0 Page 1

Limitations of the traditional firewall The traditional firewalls are unable to keep up with the growth of the network and market demands. These firewalls generally pose two shortcomings: low performance and single-function security feature. Low performance Traditional firewall generally has low performance because all its security functions are accomplished through a single CPU. While today most backbone and enterprise network s broadband are already running in giga-speed, traditional firewalls are at most capable of transacting in mega-speed. Single-function Traditional firewall equipments are generally single functional, and requires purchase of other network security devices in order to achieve network security: traditional firewall for access control; VPN devices for data encrypt-decryption; IPS products for network invasion and scanning, etc. Although there are security products in the market that integrates multiple functions, they are software systems that often compromised performance and are unable to deliver a truly integrated solution. There are three types of firewalls available in the current market: X86-based software firewall, NP-based firewall and the ASIC-based firewall. These firewalls have their individual strength and advantages, as well as obvious shortcomings. Built to cater to specific types of network environments, these three types of firewalls each shares a foothold in the network security market. SifoWorks Technical White Paper 1.0 Page 2

The software firewall As the name suggest, this firewall is a software product based on a single core CPU to accomplish various security functions. To enhance stability, the hardware used is usually a general-purposed CPU on an industrial-strength motherboard, with a standard PCI network card as the external network interface. In the software firewall, data are transmitted to the CPU via the PCI network card for processing, including performing various security services and related protocols. When the CPU is done, the data are then sent back to the network card via the PCI bus. When network security products were just on the horizon, software-based firewalls had certain obvious advantages. At that time, users were more concerned with applications and services than performance; to the manufacturer, software firewall s hardware requirements were simple, low-cost, low fault-rate and the hardware technology involved were less sophisticated. Moreover adding new functions and applications often only involves enhancing or rewriting the original software design while maintaining the same hardware platform, hence development time is short and upgrades are simple affairs. Disadvantages But with the explosive growth of the broadband, the shortcomings of the software firewall became more obvious, and the biggest weakness is its processing capability. In some situations the data-processing capability can go up to line-speed, for example, when processing a large packet of 1500bytes. However when processing small packets of 64 bytes, the performance starts to deteriorate swiftly. Moreover with the increase in the number of security policies to verify against and SifoWorks Technical White Paper 1.0 Page 3

the number of hyperlinks to deal with, the software firewall s performance will take a serious hit. In other words, its performance goes down as the processing load goes up, especially when all these security functions are carried out by a single CPU. Hence manufacturers begin to use various methods to enhance the software firewall s processing capability. The simplest and most straightforward method is to use a high performance CPU, e.g. the Xeron chip with server level mainboard, coupled with huge high-speed DDR memory. At the same time, new software techniques can be employed, such as zero-copy data transfer. To enhance key routes, the system could categorize security applications to two levels: Kernel and User Space, where applications in the Kernel level will be given higher priority during operations. However, these methods may ease the situation somewhat, but would not eliminate the problems completely. SifoWorks Technical White Paper 1.0 Page 4

The NP-based firewall Network processors (NP) Since single-cpu cannot solve the performance bottleneck, security product manufacturers begin to look into network processors (NP). Originally, network processors such as Intel s IXP1200 were developed to solve performance issues between routers and L3 switches during transmission of data. Generally, there are two types of NP. The first type of NP is constructed by integrating multiple CPU in single chip, connected by high-speed bus. When the system is transmitting data, each task is assigned to different CPU as much as possible, achieving a certain degree of load-sharing in order to enhance efficiency. The second type of NP is constructed by integrating multiple microengines and a main CPU core into a single chip. It then utilizes microcodes to control the microengines for data processing and transmission, while the CPU core is purely used for loading the micro-codes and setting registers. To enhance the NP s applicability, chip manufacturers often include dedicated accelerating modules to the NP, a dedicated encryption core, etc. NP-based firewall products can effectively solve the single-cpu performance bottleneck. Performance tests have shown current NP-based firewalls are known to operate in giga speed. However, the introduction of NP into the firewall technology has also introduced new problems. Problems with using NP for firewall Firstly, NP was developed primarily to solve issues between the routers and L3 switches. When chip designers first developed the NP architecture, the focus was on the router and switch functions. However routers and switches operate on the MAC and IP layer but not the TCP layer. This can be a problem as the SifoWorks Technical White Paper 1.0 Page 5

basic function of a network security product is access control on the TCP/UDP layer. Moreover, security products frequently need to process application layer protocols, and conduct content filtering at the application layer. These were not part of the consideration when designing the NP architecture. However this has not stop security products manufacturers from developing firewalls on NP, as they saw the programmability, commonality and high performance offered by the NP. Still, the first problem faced by firewall developers using NP is in the area of the micro-codes, which are used to control multiple CPU or microengines. The codes are normally written in C programming language, and then compiled into binary codes using the NP compiler. NP developers usually develop their system micro codes based on the basic standard micro-code supplied by the NP chip manufacturers. These basic codes are usually of very high quality and fully optimized for NP hardware architecture for performance and data transmission. However, as firewall developers are not supplied with such standard codes, they have to develop their own micro codes from scratch, resulting in longer product development cycle. Also, due to the firewall developers unfamiliarity with the NP s hardware capabilities, the micro codes developed are usually inferior and are unable to be fully capitalized on the NP s potentials. As such, the final security products developed are often inferior, and at times worse off than the firewall utilizing a single CPU. Furthermore, with multiple CPU or microengines integrated into one chip, the chip s surface area is significantly larger, which translate to higher cost and higher difficulty in PCB wiring. These, coupled with the fact that traditional security product manufacturers are software-oriented and thus lack the necessary expertise in hardware development, makes NP-based firewall solutions undesirable. SifoWorks Technical White Paper 1.0 Page 6

The ASIC-based firewall One way to solve the bottleneck issue in the security field is to use ASIC. ASIC are dedicated custom-made chip developed for custom-made security functions. Typically, this security chip takes care of the transmission of data and execution of various security functions, while the CPU takes care of various configuration tasks, exception handling, collection of statistical data, and user interface, etc. With this, ASIC is able to eliminate bottlenecks to achieve full giga speed performance. Data transmission latency is also very short, mostly in microseconds. Moreover, dedicated security chips are easy to stack, thus enabling performance to double to triple easily. With most functions executed on the chip, PCB wiring are relatively simpler, and the eventual product more stable. However, as ASIC are custom-made chip, altering it would be extremely difficult. With higher cost and longer development time, ASIC products are unable to adapt to the network security market quickly. Development of ASIC also requires expensive NRE expenses a trained chip design team, which a typical security product manufacturer would not be able to afford. SifoWorks Technical White Paper 1.0 Page 7

The next generation firewall The main issue faced by most current firewall products is: how to provide a wide range of security features while maintaining high performance. NP-based and single- CPU traditional firewall can provide rich security feature, but are seriously lacking in the performance department. On the other hand, ASIC can provide the performance desired, but at the expense of the number of security functions it can provide. With the limitations of current software, NP-based and ASIC-based firewalls, what the security industry need is a next generation firewall that addresses the issues faced by the current firewall products. The next generation firewall should be capable of high performance yet provides a wide range of security functions. These functions are generally executed the higher layer, such as the application layer. Data channels and control protocols Firewall functions can be largely divided into two categories: data channels and control protocols. Data channels refer to the various data stream that requires services, such as FTP data stream, IPSec encryption, etc. Data channels demands high processing capability and thus requires hardware acceleration. This can be fulfilled with two types of technology, the first being the existing technology in commercial chips that chip manufacturers can provide, such as routers, ARP and MAC. The second type is core security technology such as Session module, IPSec VPN module, etc. In the absence of commercial chips, core security technology can fulfill high performance demand by developing ASIC. SifoWorks Technical White Paper 1.0 Page 8

Control protocols refer to the additional protocols required to accomplish data transmission, e.g. IPSec s IKE protocol, logs, dynamic routing, etc. As control protocols controls the transmission of data but not the actual data itself, they do not demand high processing power even though the functions involved may be relatively more complicated. As such control protocols can run on a general-purposed CPU. Best of both worlds Next generation firewall combines both the hardware and software aspect in its design. Data channels demand for processing power can be fulfilled by placing it in dedicated hardware while control protocols flexibility can be accomplished by programming the general-purposed CPU. Take for example the IPSec VPN. In the standard Freeswan design, the IPSec VPN is divided into two modules: PLUTO and IKE. PLUTO is responsible for the encryption of data while IKE negotiates IPSec VPN channel s properties. Hence PLUTO s encryption tasks requires high performance, and should be accomplished using hardware; while IKE is only negotiating properties, thus not requiring high processing power, and so can be achieved using software. SifoWorks Technical White Paper 1.0 Page 9

The next generation firewall uses a proprietary security chip as its core, while utilizes commercial chip and general-purposed high performance CPU. This way, the firewall possess ASIC s high processing capability and the software s flexibility, along with some NP-based microengines design. The firewall architecture may look something like this: UI IRP Dynamic Port TCP Reassembly Content Filter IDS NAT Session IKE IPSEC VPN CLI Route VLAN Bridge log QoS GE GE GE GE Next generation firewall architectural structure The firewall can be divided into two main portions: the system software and the hardware platform. The hardware portion is a combination of the in-house developed ASIC and the commercial chip, along with a general-purposed high-performance CPU. SifoWorks Technical White Paper 1.0 Page 10

The proprietary chip accomplishes the main security functions, especially the data applications at the TCP layer and above; the commercial chip accomplishes the transmission of data at the IP layer, and the operation between IP and MAC layer; finally the general-purposed CPU runs the system software. The diagram below illustrates an example of these relationships: SifoWorks s hardware block diagram Programmable chip system - Sentinel One of the issues involved when utilizing computer chips to accomplish network security is design flexibility. With network security continuously evolving, the security solutions need also to update themselves constantly. But updating the chips to synchronize with the advancement of security technology can be time and resource-consuming. As such a programmable chip system, such as the Sentinel chip found in the SifoWorks series of firewalls, is an excellent solution. Sentinel is a highly integrated security chip consisting of four layers of intelligent defense system and an IPSec VPN microengine array. The four-layer intelligent defense system is made up of three layer of programmable hardware and software filtering accelerating engine, a static/dynamic packet filtering SifoWorks Technical White Paper 1.0 Page 11

engine and content-matching engine, and a dedicated Tag information mechanism. The other major module in Sentinel is the multi-protocol VPN engine assembled from the microengine array. As the microengine array has been optimized for IPSec protocol, its processing capability can goes up to giga speed. Conclusion With the new generation of security technology, such as one utilizing the programmable Sentinel chip in SifoWorks firewall series, it is not impossible to have power, high performance and flexible in one complete firewall solution. SifoWorks Technical White Paper 1.0 Page 12

About SifoWorks SifoWorks is a multi-function firewall system. It combines a core application proxy and a hardware state inspection mechanism to inspect and filter every data packets from the second to the seventh layer. These include data forwarding, classification, route selection, network service classification, security policies and access control, packet signature matching and bandwidth allocation (QoS). To learn more about O 2 Micro SifoWorks product, visit http://www.o2security.com. About O2Micro O 2 Micro develops and markets innovative power management, and security components and systems for the Computer, Consumer, Industrial, and Communications markets. Since its founding in April 1995, O 2 Micro has quickly established itself as a leading supplier of specialized devices designed to extend battery operating time, heighten efficiency, and enable secure e-commerce and security. O 2 Micro offers ACPI (Advanced Configuration and Power Interface) compliant products. The company designs products compliant with the System Management Bus (SMBus) and Smart Battery System (SBS) specifications, a subset of the ACPI specification (ACPI is an open industry specification co-developed by Intel, Microsoft, and Toshiba). O 2 Micro maintains an extensive portfolio of intellectual property, and has numerous trademark Applications and Copyright Registrations. The company maintains offices worldwide including Japan, Taiwan, Singapore, China, Korea and the United States. Sales office: O Micro - California 2 3118 Patrick Henry Drive Santa Clara, CA 95054 (408) 987-5920 SifoWorks Technical White Paper 1.0 Page 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information