Force10 Networks Security 2007 Denver – April 11, 2007 Debbie Montano dmontano@force10networks.com
Special Note Regarding Forward Looking Statements This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words “anticipates,” “believes,” “estimates,” “expects,” “intends,” “may,” “plans,” “projects,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements.
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release and timing of any features or functionality described for our products remains at our sole discretion.
Agenda
• University Security Challenges
• Force10 and P-Series Overview
• Key Technology
• Applications
• Platform Details and Roadmap
The Challenge of Security: University Networks
• Highly skilled users (x,000 sys admins)
• Firewall policies are difficult to match to dynamic applications
• Diverse desktops plus wireless clients that the university cannot easily control
• Traditional corporate threats (large-scale credit card theft, DDoS blackmail, etc.) are now faced by universities
Trends for High Speed Security and Monitoring in Universities
• Link speeds are increasing faster than edge and campus security systems can keep up
• Increasing traffic and growing security threats create new requirements
• Full security that can protect 100% of traffic without impacting performance
• Flexibility to ensure a more efficient response to unknown or malicious traffic
Securing 10 GbE WANs
• “do” the following at 10 Gbps:
  • Deep packet inspection ("visibility")
  • Attack detection (IDS)
  • Packet filtering (firewalling)
  • DoS and DDoS protection (rate shaping and rate limiting)
• Much less so:
  • VPNs and site-to-site encryption (most likely IPsec based)
  • Bots and other large-scale worms/viruses
  • Honeypots / honeynets
  • Source port verification
Force10: Pioneers in 10 GbE Switching & Routing
• Founded in 1999
• First to ship line-rate 10 GbE switching & routing
• Pioneered a new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies
• Customer base spans academic/research, data center, enterprise and service provider
Acquisition of P-Series Platform
• Force10 pioneered 10 GbE switching and routing
• Vision to become the next great networking company
• Applying high performance switching and routing innovation to network security
• Recommended to us by leading R&E and Gov’t customers
Force10 Product Portfolio: Industry Leading Density, Resiliency & Security (capacity to grow for 10+ years)
• E1200: 1.68 Tbps; up to 1,260 GbE ports or 224 10 GbE ports; 1/2 rack
• E600: 900 Gbps; up to 630 GbE ports or 112 10 GbE ports; 1/3 rack
• E300: 400 Gbps; up to 288 GbE ports or 48 10 GbE ports; 1/6 rack
• S50V: 48 GbE PoE + 4 x 10 GbE
• S50: 48 GbE + 2 x 10 GbE, 1 RU
• S25P: 24 GbE + 4 x 10 GbE
• S2410: 24 x 10 GbE
• P1/P10: line-rate Gbps and 10 Gbps IDS/IPS
P-Series Development
• Originally funded by NSF grant
• Subsequent application funding by:
  • USAF (design of 10 GbE card)
  • NSA (surveillance inside IPv6 traffic)
Network Security Evolution
• 1995-1999: Software based; central CPU; slow, < 100 Mbps
• 2000-2005: Custom hardware in an appliance; ASIC assist to central CPU; better filtering, active protection; GbE up to 2 Gbps
• 2006-2008: Force10 P-Series, line-rate 10 GbE performance; dynamic mapping of inspection policies into hardware; designed for 20-80 Gbps
• 2007-2010: Custom hardware integrated into modular switches & routers; full security integration on every port all the time; designed for 336-672 Gbps
Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security
• Fundamentally new architecture at the core of the P-Series
• DPI delivers the highest deep packet inspection scalability and flexibility in the industry
• Apply thousands of signatures to every packet in parallel
• Open programmability at 10 GbE delivers leading flexibility
• Create signatures in hardware to speed processing
• Parallel processing ensures massive rule scalability under all traffic loads
1-10 Gbps Programmable Network Security
• Open architecture to leverage open source software
• More robust, more flexible, promotes composability
• Hardware acceleration of important network applications
• Abstract the hardware as a network interface from the OS perspective
• Retain a high degree of programmability
• Extend to applications beyond IDS/IPS
• New threat models (around the corner)
• Line speed / low latency to allow integration in production networks
• Unanchored payload string search
• Support analysis across packets
• Gracefully handle state exhaustion
• Hardware support for adaptive information management
• Detailed reporting when reporting bandwidth is available
• Dynamically switch to more compact representations when necessary
• Support the insertion of application-specific analysis code in the fast path
Firewall IDS/IPS
• High performance (> 330K cps; 20 Gbps)
• Unique level of programmability
• What is IN and what is OUT?
• Two organizations sharing each other’s services
• Insider attacks
• Can define stateful policies asymmetrically or symmetrically
• Hardcode part of the policies in hardware
• Keep software-like flexibility
• Can code specific policies directly into the fast path
• Layer 1
  • Invisible: 1.5 µs latency
  • True line rate (20 Gbps)
  • Drops in and out with NO L2/L3 reconfiguration
10 GbE Inspection and Blocking: Needles & Haystacks
• Ability to define "internal" and "external" interfaces:
  • Custom rules based on traditional firewall controls (source, destination, mask, range, protocol, service & port, VLAN)
  • Stateful: allow internal hosts to go out, but stop external traffic from coming in
• Parallel processing provides rules logic flexibility
• Rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
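The policy model this slide describes, as an added toy illustration that is not Force10 code: rules keyed on the sensing port ("internal" or "external") are evaluated in order so that an explicit override simply sits ahead of the general rule, and flows opened from the internal side are remembered so their replies are admitted while unsolicited inbound traffic is dropped. The interface names, rule fields, addresses and packets below are constructed for the example.

```python
# Added illustration, not Force10 code: a toy model of the directional, stateful
# policy the slide describes; interface names, rule fields and packets are constructed.
from collections import namedtuple
from typing import Optional
from dataclasses import dataclass
# iface is the sensing port that saw the packet: "internal" or "external"
Pkt = namedtuple("Pkt", "iface proto src sport dst dport")
@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    iface: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, p: Pkt) -> bool:
        return all(v is None or v == getattr(p, k)
                   for k, v in vars(self).items() if k != "action")
class StatefulPolicy:
    """Ordered rules, first match wins: an explicit override (whitelist or block)
    simply sits ahead of the general rule it overrides. Flows opened from the
    internal side are remembered so their replies are let back in."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (proto, int_ip, int_port, ext_ip, ext_port)

    def decide(self, p: Pkt) -> str:
        if p.iface == "external" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"   # reply to an established outbound flow
        for r in self.rules:
            if r.matches(p):
                if r.action == "permit" and p.iface == "internal":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"         # default: unsolicited external traffic stays out
def evaluate_sample_policy():
    policy = StatefulPolicy([
        Rule("deny", iface="internal", proto="tcp", dport=25),         # override: no outbound SMTP
        Rule("permit", iface="internal"),                              # internal hosts may go out
        Rule("permit", iface="external", proto="tcp", dst="10.0.0.5", dport=80),  # whitelisted server
        Rule("deny"),                                                  # everything else inbound
    ])
    pkts = [Pkt("internal", "tcp", "10.0.0.9", 40001, "198.51.100.7", 443),  # outbound HTTPS
            Pkt("external", "tcp", "198.51.100.7", 443, "10.0.0.9", 40001),  # its reply
            Pkt("external", "tcp", "203.0.113.4", 5555, "10.0.0.9", 40002),  # unsolicited inbound
            Pkt("external", "tcp", "203.0.113.4", 5556, "10.0.0.5", 80),     # hits the whitelist
            Pkt("internal", "tcp", "10.0.0.9", 40003, "198.51.100.8", 25)]   # outbound SMTP
    return [policy.decide(p) for p in pkts]   # → ['permit', 'permit', 'deny', 'permit', 'deny']
```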
IPS Application
[Diagram: traffic monitoring, packet capture, intrusion protection, custom rules, stateful packet firewall and signature detection as layers of the IPS application; mixed traffic enters, good traffic exits, captured traffic goes to inspection/capture, and clean/block policies are applied]
• Industry’s first IPS to support line-rate 10 GbE inspection on every packet
• SNORT 2.0 rules compiler
• Expansion to any rules base:
  • Govt customers utilizing Bro
  • R&E customers utilizing PF firewall rules
  • Growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)
• Resilient system architecture
  • Inspection ports are invisible to attackers
  • System does not fail under high load conditions
  • No active components (CPU, PCI bus) in the data path
• Used inline, offline, or as a pre-filter
Sample IDS/IPS Signatures (over 1500 signatures supported)
• Layer 3 IP: Unknown IP protocol; RFC1918 address; Ping of Death
• TCP: NetBIOS OOB data; Windows RPC DCOM overflow; Sametime activity; worm mitigation
• UDP: Snork; MP2P client scan
• IP options: bad IP option; record packet route
• ICMP: ICMP echo reply; ICMP unreachable; ICMP source quench
• HTTP: HTTP tunneling; AIM/ICQ through HTTP proxy; MSN Messenger through HTTP proxy; Yahoo Messenger through HTTP proxy
• DNS: DNS request all; DNS SIG overflow
• SMTP: SPAM attacks (SMTP RCPT TO: bounce); Lotus Notes mail loop DoS
• FTP: FTP improper address; FTP improper port
• RPC: RPC dump; proxied RPC
Campus and WAN Applications for Universities
[Diagram: P-Series placed at the WAN edge and in the campus core]
• Universities are deploying P-Series in WAN edges and in high speed cores
• Key applications:
  • 1 & 10 GbE IDS/IPS (SNORT, Bro, or custom)
  • 10 GbE firewalling and deep packet inspection
  • High speed network monitoring
  • Flexible, customized wire-speed packet analysis
University Innovators
• Univ. of Nebraska’s PKI Institute:
  • In conjunction with the Dept of Homeland Security, runs a security research lab
  • Uses P10 inline to accelerate SNORT for the high speed core
• Oxford University:
  • “Argus” research group (www.robots.ox.ac.uk/~argus/)
  • Customized packet analysis for high speed networks
• University of Cal., Santa Cruz:
  • 1 Gigabit inspection for the WAN edge
  • Facing the WAN edge inline, filters “hay” from needles
  • Presentation of UCSD High Speed IDS at: http://www.nanog.org/mtg-0501/tatarsky.html
High Performance Surveillance
• Technically a “hard problem”: high performance inspection with open programmatic flexibility to meet the dynamic, fast-changing requirements of Lawful Intercept
• Key system design goals:
  • Predictable
  • Provable (legal)
  • Responsive (low latency)
  • Simplicity / reliability
  • Secure (access and capture)
  • Packet/frame/IP-version agnostic
  • Ideally, as few boxes as possible
Surveillance Application
[Diagram: Internet feeding a P-Series P1 or P10 at the POP, with an E600 or E1200 and storage servers]
• Technical features for lawful intercept include:
  • Stateful rules
  • Line-rate capture performance; no packet loss under full load
  • Hardware-based packet time stamping
  • Exact search and match of strings in known and “unanchored” search criteria across IPv4 and v6
  • No extra packet buffering or “contaminants”
  • Gracefully handle state exhaustion
  • Scaling to 1000 (16 byte) on-the-fly dynamic searches
  • Secure, remote box management via SSH
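Two properties claimed on the Key Technology slide and repeated here, unanchored payload string search with analysis across packets and graceful handling of state exhaustion, as an added illustration that is not Force10 code: the matcher keeps only the last pattern-length-minus-one bytes of each flow so a signature split over two packets is still found, and it bounds the flow table by evicting the least recently seen flow (losing at most that flow's split match) rather than failing. Flow ids, patterns and payloads are constructed.

```python
# Added illustration, not Force10 code: an unanchored payload string search that
# still matches a signature split across two packets of one flow, with a bounded
# per-flow table that evicts the oldest flow instead of failing when state runs out.
# Flow ids, patterns and packet payloads below are constructed.
from collections import OrderedDict

class StreamMatcher:
    def __init__(self, patterns, max_flows):
        self.patterns = [p.encode() for p in patterns]
        self.carry = max(len(p) for p in self.patterns) - 1  # bytes kept per flow
        self.max_flows = max_flows
        self.tails = OrderedDict()   # flow_id -> last `carry` bytes seen, oldest first
        self.evictions = 0

    def scan(self, flow_id, payload):
        """Return the patterns found in this packet, counting a match that begins
        in the previous packet of the same flow but not one already reported."""
        prev = self.tails.pop(flow_id, b"")
        buf = prev + payload
        hits = []
        for p in self.patterns:
            i = buf.rfind(p)                        # unanchored: any offset
            if i >= 0 and i + len(p) > len(prev):   # must end in the new bytes
                hits.append(p.decode())
        if self.carry:
            self._remember(flow_id, buf[-self.carry:])
        return hits

    def _remember(self, flow_id, tail):
        if len(self.tails) >= self.max_flows:
            self.tails.popitem(last=False)      # drop the least recently seen flow
            self.evictions += 1                 # degrade (may miss a split match), never crash
        self.tails[flow_id] = tail

def scan_sample_flows():
    m = StreamMatcher(["GET /cgi-bin/", "EVILSTRING"], max_flows=2)
    r1 = m.scan("A", b"hello EVIL")        # first half only: nothing yet
    r2 = m.scan("A", b"STRING world")      # completes the split signature
    r3 = m.scan("B", b"GET /cgi-bin/x")
    r4 = m.scan("C", b"nothing here")      # third flow: A's tail is evicted
    r5 = m.scan("A", b"STRING again")      # tail gone, so no match this time
    return r1, r2, r3, r4, r5, m.evictions
```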
Configuration + Reporting
• Compile policies off-line
  • Makefile (open Unix CLI environment)
  • Add user code in the fast path
• Add Permit and Deny on the fly
  • Immediate action
• Run any pcap application on the interface
• Use Snort’s output plugins: syslog, email, packet archive
• MIB-II host/interface monitoring
  • Disk, daemons, SNMP traps
Available Today
• P10 PCI-X Card (10 GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection; 20G in / 20G out
  • 2 x 1 GbE mirror ports
  • 8000 static rule capacity; 600 dynamic rules
  • 8 million concurrent flows
• P1 PCI Card (GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection; 2G in / 2G out
  • 1000 static rule capacity; up to 200 dynamic (currently being increased)
  • 2 million concurrent flows
  • Line-rate IPv6
• P1/P10 Appliance
  • 1U host embeds a P1 or P10 PCI card
  • Software and drivers pre-installed and pre-configured
Deployment Models
• Inline operation
  • Block unwanted traffic
  • Capture interesting flows
  • Good traffic passes through
  • Two sensing ports (full duplex) + two mirroring ports
  [Diagram: traffic enters one sensing port and leaves the other; captured traffic goes to a logging port or the PCI interface]
• Passive operation
  • Capture interesting flows
  • Up to two sensing ports
  [Diagram: sensing & mirroring ports feed a logging port or the PCI interface]
High Availability
[Diagram: two P10s with reporting and bypass paths]
• Based on external bypass units
• All state maintained by active-active P10s
• No power
  • Stateful in-line: no packet loss; no loss of connection state
  • Traditional rerouting: L2/L3 convergence time; loss of state
Power Failure
[Diagram: reporting path, bypass unit and CPU]
• No power
  • Stateful in-line: no packet loss; no loss of connection state
  • Traditional rerouting: L2/L3 convergence time; loss of state
OS Upgrade
[Diagram: reporting path, bypass unit and CPU]
• Soft reboot, OS reconfiguration, change OS
• Forwarding + policies are unaffected; no loss of connection state
• Once the upgrade is over, the OS reattaches to the forwarding path
Policy Update
[Diagram: reporting path, bypass unit and CPU]
• Fast-path reconfiguration (new policies are added/deleted)
• Loading new static policies: open for < 1 s; loss of connection state
• Loading dynamic policies: no loss of state
Summary of Differentiation
• Always line-rate
• Unanchored payload string search
• Support analysis across packets
• Gracefully handle state exhaustion
• Retain a high degree of programmability
• Architecture guarantees determinism
• New threat models (around the corner)
• Open architecture to leverage open source software
• More robust, more flexible, promotes composability
• Abstract the hardware as a network interface from the OS perspective
• Future proofing to extend to applications beyond IDS/IPS
P-Series Delivers Industry’s Highest Performance and Lowest Price Per Gbps
[Chart: % line-rate throughput with 100% rules (0-100) versus traffic throughput (1 Gb to 20 Gb) for the Force10 P-Series and a traditional IPS; a second panel compares price per Gbps throughput]
P-Series PTSP Roadmap (legend: black = committed feature; red = targeted feature; blue = feature on our radar)
Debbie Montano dmontano@force10networks.com Director of Research & Education Alliances