Force10 Networks
Security 2007
Denver – April 11, 2007
Debbie Montano
[email protected]
Special Note Regarding Forward-Looking Statements
This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words “anticipates,” “believes,” “estimates,” “expects,” “intends,” “may,” “plans,” “projects,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward-looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements.
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release and timing of any features or functionality described for our products remains at our sole discretion.
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
The Challenge of Security: University Networks
Highly skilled users (x,000 sys admins)
Firewall policies are difficult to match to dynamic applications
Diverse desktops plus wireless clients that the university cannot easily control
Traditional corporate threats (large-scale credit card thefts, DDoS blackmailing, etc.) are now faced by universities
Trends for High Speed Security and Monitoring in Universities
Link speeds increasing faster than edge and campus security systems
Increasing traffic and growing security threats create new requirements:
– Full security that can protect 100% of traffic without impacting performance
– Flexibility to ensure more efficient response to unknown or malicious traffic
Securing 10 GbE WANs
“Do” the following at 10 Gbps:
– Deep packet inspection (“visibility”)
– Attack detection (IDS)
– Packet filtering (firewalling)
– DoS and DDoS protection (traffic rate shaping and rate limiting)
Much less so...
– VPNs and site-to-site encryption (most likely IPsec based)
– Bots and other large-scale worms/viruses
– Honeypots / Honeynets
– Source port verification
Force10 Pioneers in 10 GbE Switching & Routing
Founded in 1999
First to ship line-rate 10 GbE switching & routing
Pioneered a new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies
Customer base spans academic/research, data center, enterprise and service provider
Acquisition of P-Series Platform
Force10 pioneered 10 GbE switching and routing
Vision to become the next great networking company
Applying high performance switching and routing innovation to network security
Recommended to us by leading R&E and Gov’t customers
Force10 Product Portfolio: Industry Leading Density, Resiliency & Security
E1200 (1/2 rack): 1.68 Tbps; up to 1,260 GbE, 224 x 10 GbE; capacity to grow for 10+ years
E600 (1/3 rack): 900 Gbps; up to 630 GbE, 112 x 10 GbE
E300 (1/6 rack): 400 Gbps; up to 288 GbE, 48 x 10 GbE
S-Series (1-RU):
– S50V: 48 GbE PoE, 4 x 10 GbE
– S50: 48 GbE, 2 x 10 GbE
– S25P: 24 GbE, 4 x 10 GbE
– S2410: 24 x 10 GbE
P1/P10: line-rate Gbps & 10 Gbps IDS/IPS
P-Series Development
Originally funded by NSF grant
Subsequent application funding by:
– USAF (design of 10 GbE card)
– NSA (surveillance inside IPv6 traffic)
Network Security Evolution (performance over time)
1995-1999: software based, central CPU; slow, < 100 Mbps
2000-2005: ASIC assist to central CPU; better filtering, active protection; GbE up to 2 Gbps
2006-2008: custom hardware in an appliance; dynamic mapping of inspection policies into hardware; Force10 P-Series, line-rate 10 GbE performance; designed for 20 – 80 Gbps
2007-2010: custom hardware integrated into modular switches & routers; full security integration on every port all the time; designed for 336 – 672 Gbps
Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security
Fundamentally new architecture at the core of the P-Series
– DPI delivers the highest deep packet inspection scalability and flexibility in the industry
– Apply thousands of signatures to every packet in parallel
Open programmability at 10 GbE delivers leading flexibility
– Create signatures in hardware to speed processing
Parallel processing ensures massive rule scalability under all traffic loads
Inside the 10 GE linecard
1-10 Gbps Programmable Network Security
Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Hardware acceleration of important network applications
– Abstract hardware as a network interface from the OS perspective
Retain high degree of programmability
– Extend to applications beyond IDS/IPS
– New threat models (around the corner)
Line-speed/low latency to allow integration in production networks
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion
Hardware support for adaptive information management
– Detailed reporting when reporting bandwidth is available
– Dynamically switch to more compact representations when necessary
– Support the insertion of application-specific analysis code in the fast path
Firewall IDS/IPS
High Performance (> 330K cps; 20 Gbps)
Unique level of programmability
– What is IN and what is OUT?
– Two organizations sharing each other’s services
– Insider attacks
– Can define stateful policies asymmetrically or symmetrically
– Hardcode part of the policies in hardware
– Keep software-like flexibility
– Can code specific policies directly into fast-path
Layer-1
– Invisible: 1.5 µs latency
– True line rate (20 Gbps)
– Drops in and out with NO L2/3 reconfiguration
10 GbE Inspection and Blocking: Needles & Haystacks
Ability to define "internal" and "external" interfaces:
– Custom rules based on traditional firewall controls (source, dest., mask, range, protocol, service & port, VLAN)
– Stateful: allow internal hosts to go out, but stop external traffic from coming in.
Parallel processing provides rules logic flexibility
– Rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
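A small model of the stateful internal/external policy and the rule ordering and explicit-override logic described on this slide, added here as an illustration and not Force10 code; the interface names, rule fields, addresses and packets are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# iface is the sensing port a packet arrived on: "internal" or "external" (constructed model).
Packet = namedtuple("Packet", "iface proto src sport dst dport")
@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    iface: "str | None" = None       # ingress interface; None matches both
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: "str | None" = None
    dport: "int | None" = None
    override: bool = False           # explicit whitelist entry: wins regardless of its position
    def matches(self, p) -> bool:
        return (self.iface in (None, p.iface) and self.proto in (None, p.proto)
                and self.dport in (None, p.dport) and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))

class StatefulFilter:
    def __init__(self, rules):
        self.rules, self.flows = rules, set()   # flows: 5-tuples opened from the internal side
    def decide(self, p) -> str:
        # Stateful: the reverse of an established internal flow is a reply and passes.
        if p.iface == "external" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"
        # Explicit overrides are consulted first, then first match in order; default deny.
        hit = (next((r for r in self.rules if r.override and r.matches(p)), None)
               or next((r for r in self.rules if r.matches(p)), None))
        action = hit.action if hit else "deny"
        if action == "permit" and p.iface == "internal":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action
# Constructed policy: campus 10.0.0.0/8 may go out; unsolicited inbound is dropped except to the web
# server 10.1.1.80:80; partner host 198.51.100.7 is whitelisted despite the broader deny above it.
POLICY = [
    Rule("deny", iface="external", src="198.51.100.0/24"),
    Rule("permit", iface="external", src="198.51.100.7/32", override=True),
    Rule("permit", iface="external", dst="10.1.1.80/32", proto="tcp", dport=80),
    Rule("permit", iface="internal", src="10.0.0.0/8"),
]
def run_sample() -> list:
    f = StatefulFilter(POLICY)   # verdicts, in order, for a constructed packet sequence
    return [f.decide(p) for p in (
        Packet("internal", "tcp", "10.2.3.4", 40000, "203.0.113.9", 443),  # outbound: permit
        Packet("external", "tcp", "203.0.113.9", 443, "10.2.3.4", 40000),  # reply: permit (state)
        Packet("external", "tcp", "203.0.113.9", 443, "10.2.3.4", 40001),  # unsolicited: deny
        Packet("external", "tcp", "198.51.100.7", 5555, "10.2.3.4", 22),   # override: permit
        Packet("external", "tcp", "198.51.100.8", 5555, "10.1.1.80", 80),  # ordered deny wins
    )]
```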
IPS Application
Industry’s first IPS to support line-rate 10 GbE inspection on every packet
SNORT 2.0 rules compiler
Expansion to any rules base:
– Gov’t customers utilizing Bro
– R&E customers utilizing PF firewall rules
– Growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)
Resilient system architecture
– Inspection ports are invisible to attackers
– System does not fail under high load conditions
– No active components (CPU, PCI bus) in data path
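An added example, not Force10's rules compiler: a minimal Snort 2 rule compiler (header plus msg, content and nocase options, with |hex| byte runs) and a matcher that evaluates every signature against each packet using unanchored content search; the rules, messages and packets are constructed.

```python
import re
from collections import namedtuple
# Snort 2 rule layout: action proto src sport dir dst dport (option; option; ...)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
Sig = namedtuple("Sig", "action proto dport msg patterns")   # patterns: [(bytes, nocase), ...]

def content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: literal text with |xx xx| hex runs between pipes."""
    parts = spec.split("|")
    return b"".join(bytes.fromhex(s) if i % 2 else s.encode("latin-1") for i, s in enumerate(parts))

def compile_rule(text: str) -> Sig:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"bad rule header: {text!r}")
    action, proto, _src, _sport, _dir, _dst, dport, opts = m.groups()
    msg, patterns = "", []
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            patterns.append([content_bytes(val), False])
        elif key == "nocase" and patterns:   # modifier applies to the preceding content
            patterns[-1][1] = True
    return Sig(action, proto, dport, msg, [tuple(p) for p in patterns])

def match_all(sigs: list, proto: str, dport: int, payload: bytes) -> list:
    """Evaluate every signature independently (no first-match short circuit) and return all
    hits; each content pattern may occur anywhere in the payload (unanchored search)."""
    hits = []
    for s in sigs:
        if s.proto != proto or s.dport not in ("any", str(dport)):
            continue
        if all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in s.patterns):
            hits.append((s.action, s.msg))
    return hits
# Constructed rules in Snort 2 syntax (not Force10's signature set).
RULES = [compile_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"HTTP CONNECT tunnel attempt"; content:"CONNECT "; nocase;)',
    'alert tcp any any -> any 25 (msg:"SMTP null-sender bounce probe"; content:"RCPT TO:|3c 3e|"; nocase;)',
    'alert udp any any -> any 53 (msg:"DNS query for ANY record"; content:"|00 ff 00 01|";)',
)]

def run_sample() -> list:
    # Hits for three constructed packets; the SMTP pattern sits mid-payload and is still found.
    dns_any = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x03foo\x03org\x00\x00\xff\x00\x01"
    return [match_all(RULES, "tcp", 80, b"connect example.org:443 HTTP/1.1\r\n\r\n"),
            match_all(RULES, "tcp", 25, b"MAIL FROM:<a@example.net>\r\nrcpt to:<>\r\n"),
            match_all(RULES, "udp", 53, dns_any)]
```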
Used inline, offline, or as pre-filter
(Diagram: mixed traffic enters inspection/capture with clean/block policies and good traffic exits; functions shown: Traffic Monitoring, Intrusion Protection, Stateful Packet Firewall, Packet Capture, Custom Rules, Signature Detection)
Over 1500 Signatures Supported
Sample IDS/IPS Signatures
Layer 3 IP Protocol
– Unknown IP Protocol
– RFC1918 address
– Ping Of Death
HTTP
– HTTP tunneling
– AIM/ICQ Through HTTP Proxy
– MSN Messenger Through HTTP Proxy
– Yahoo Messenger Through HTTP Proxy
TCP
– Netbios OOB Data
– Windows RPC DCOM Overflow
– Sametime Activity
– Worm Mitigation
UDP
– Snork, MP2P Client Scan
DNS
– DNS Request All
– DNS SIG Overflow
SMTP
– SPAM attacks (SMTP RCPT TO: Bounce)
– Lotus Notes Mail Loop DoS
IP OPTIONS
– BAD IP OPTION
– Record Packet Rte
ICMP
– ICMP Echo Rply, ICMP Unreachable
– ICMP Src Quench
FTP
– FTP Improper Address, FTP Improper port
RPC
– RPC Dump, Proxied RPC
Campus and WAN Applications for Universities
Universities are deploying P-Series in WAN edges and in high speed cores
Key Applications
– 1 & 10 GbE IDS/IPS (SNORT, Bro, or Custom)
– 10 GbE Firewalling and Deep Packet Inspection
– High Speed Network Monitoring
– Flexible, Customized Wire-Speed Packet Analysis
(Diagram labels: WAN, Campus Core)
University Innovators
Univ. of Nebraska’s PKI Institute:
– In conjunction with Dept. of Homeland Security, runs security research lab
– Uses P10 inline to accelerate SNORT for high speed core
Oxford University:
– “Argus” research group (www.robots.ox.ac.uk/~argus/)
– Customized packet analysis for high speed networks
University of Cal., Santa Cruz:
– 1 Gigabit inspection for WAN edge
– Facing WAN edge inline, filters “hay” from needles
– Presentation of UCSD High Speed IDS at: http://www.nanog.org/mtg-0501/tatarsky.html
High Performance Surveillance
Technically a “hard problem”: high performance inspection with open programmatic flexibility to meet the dynamic, fast-changing requirements of Lawful Intercept
Key system design goals
– Predictable
– Provable - Legal
– Responsive (low latency)
– Simplicity / reliability
– Secure (access and capture)
– Packet/frame/IPv agnostic
– Ideally, as few boxes as possible
Surveillance Application
(Diagram labels: Internet, POP, E600 or E1200, P-Series P1 or P10, Storage Servers)
Technical features for lawful intercept include:
– Stateful rules
– Line-rate capture performance; no packet loss under full load
– Hardware-based packet time stamping
– Exact search and match strings in known and “unanchored” search criteria across IPv4 and v6
– No extra packet buffering or “contaminants”
– Gracefully handle state exhaustion
– Scaling to 1000 (16 byte) on-the-fly dynamic searches
– Secure, remote box management via SSH
Configuration + Reporting
Compile policies off-line
– Makefile (open Unix CLI environment)
– Add user code in fast-path
Add Permit and Deny on the fly
– Immediate action
Run any pcap application on interface
– Use Snort’s output plugins: syslog, email, packet archive
MIB-II Host/Interface Monitoring
– Disk, daemons, SNMP traps
Available Today
P10 PCI-X Card (10 GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 20G-in/20G-out
– 2 x 1 GbE mirror ports
– 8000 static rule capacity; 600 dynamic rules
– 8 million concurrent flows
P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G-in/2G-out
– 1000 static rule capacity; up to 200 dynamic (currently being increased)
– 2 million concurrent flows
– Line-rate IPv6
P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured
Deployment Models
Inline Operation
– Block unwanted traffic
– Capture interesting flows
– Good traffic passes through
– Two sensing ports (full duplex) + two mirroring ports
– (Diagram labels: Sensing & Mirroring port, Sensing & Mirroring port, Logging port or PCI interface)
Passive Operation
– Capture interesting flows
– Up to two sensing ports
– (Diagram labels: Sensing port, Sensing port, Logging port or PCI interface, Logging port or PCI interface)
High Availability
All state maintained by active-active P10s
Bypass based on external bypass units
(Diagram labels on this and the following three slides: Bypass, Reporting)
Power Failure
No power:
– Stateful in-line: no packet loss; no loss of connection state
– Traditional rerouting: L2/L3 convergence time; loss of state
OS Upgrade
Soft reboot, OS reconfiguration, change OS:
– Forwarding + policies are unaffected; no loss of connection state
– Once the upgrade is over, the OS reattaches to the forwarding path
Policy update
Fast-path reconfiguration (new policies are added/deleted):
– Loading new static policies: open for < 1 s; loss of connection state
– Loading dynamic policies: no loss of state
Summary of Differentiation
Always line-rate
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion
Retain high degree of programmability
– Architecture guarantees determinism
– New threat models (around the corner)
Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Abstract hardware as a network interface from the OS perspective
– Future proofing to extend to applications beyond IDS/IPS
P-Series Delivers Industry’s Highest Performance and Lowest Price Per Gbps
(Chart 1, Performance Throughput: % line-rate throughput with 100% rules (0 to 100) versus traffic throughput from 1 Gb to 20 Gb, Force10 P-Series versus Traditional IPS. Chart 2, Price Per Gbps Throughput: $0 to $60,000 for Force10, TippingPoint, McAfee, Cisco and Juniper.)
Competitive Analysis Summary (columns: Force10, Cisco, Juniper, Endace, Bivio)
Interface Options: Force10 = 2 x 10 GbE; Cisco = 2 to 5 10/100/1000; Juniper = 2 to 6 10/100/1000; Endace = NIC or App., 4 x 1 GbE, 2 x 10 GbE; Bivio = 12x GE, 6x GE Fiber, 2 x 10GE
Interface Speed: Force10 = Line-rate 10 GbE; Cisco = 1 GbE OS; Juniper = 1 GbE OS; Endace = 10 GbE OS; Bivio = 10 GbE OS
Total Throughput: Force10 = 20 Gbps; Cisco = 800 Mbps; Juniper = 1 Gbps; Endace = 5 Gbps; Bivio = 10 Gbps
Latency: Force10 = ~16 us; Cisco = 750 us; Juniper = 100 us; Endace = 100 us; Bivio = 215 us
Rule Flexibility: Force10 = Open; Snort; Cisco = Proprietary; Juniper = Proprietary; Endace = Capture only; Bivio = Proprietary
TCP: Force10 = 2-8,000,000; Cisco = 1,00000; Juniper = 800,000; Endace = 800,000; Bivio = 2,000,000
Price Range: Force10 = $130,000; Cisco = $40,000; Juniper = $57,000; Endace = $120,000; Bivio = $200,000
Signatures: Force10 = 8000; Cisco = 1,700; Juniper = 3200; Endace = 1,400; Bivio = 3,000
Placement: Force10 = Inline/Offline; Cisco = Inline/Offline; Juniper = Inline/Offline; Endace = Offline; Bivio = Inline/Offline
P-Series PTSP Roadmap
Black: Committed Feature; Red: Targeted Feature; Blue: Feature on Our Radar
2.1 (May 31, 2007)
Hardware
– P10: 8000 signatures; 2 x 1 GbE mirror ports
– 2 + 2 mirroring
– Field upgradeable FPGAs
– PCI-X core
Software
– Session scaling to 8M
– Dynamic content rules
– Blocking during boot
– Stateful temporary packet capture
Management
– Rules API
2.2 (July 31, 2007)
– Linux driver support
– UI
– Counter
– Line-rate stateful firewall
– IPv6
– Packet re-write
Debbie Montano
[email protected]
Director of Research & Education Alliances