Firewall Network Processor™: basic concept and solutions

Uploaded by networkingcentral, 30-Jun-2015


Page 1: Firewall Network Processor™: basic concept and solutions

July 2003

FNP™ is a trademark of Fractel Incorporated

Page 2: Content

Introduction
Network Processor: common aspects
Network Processor: FNP architecture
  "stealth" mode, performance, functionality
Conclusion

Page 3: Introduction: distributed network concept and security aspects

Distributed network:
  an interconnected grid of paths without sharp boundaries between zones;
  the Internet is a superposition of overlay networks without a central or third-party control point.

Security aspects: all of them depend on the concept of trust, third-party or direct.

Where are the boundaries of the trust?

Diagram: superposition of overlay layers and networks (Appl 1, Appl 2, ..., Appl i, ..., Appl n).

Page 4: Multilevel network environment and security problems

Diagram: the network levels (channel structure, physical nodes, virtual grid, packet processes, application processes) set against the security problems seen at each level (virus attack, denial of service, intrusion, data corruption, hacking; auth - u/a packets).

Page 5: Network security aspects: transit security and traffic regulation

Diagram: the network environment as a chain of nodes (node 0 ... node x, node x+1 ... node M). A direct virtual channel carries packets over physical links (link bit speed, buffers, packet drops); TCP protocol and TCP application sit at each end, and a feedback virtual channel returns control information. Transit security is control of packets in transit; traffic regulation is transport and application control.

Page 6: Tasks, technology, products

Tasks: communication, sharing information and applications, remote access, Internet presence
Technology: filtering, tunnelling, authentication, encryption, management
Products: firewall, anti-virus, VPN, PKI, security management

Page 7: Security concept and basic components

Concept: multi-layer packet processing that retains the openness of the Internet's original design.

Basic components: an administrative solution (VLANs, access control lists, MAC locks) and a special network processor that separates data traffic and provides authentication and encryption.

Page 8: Network Processor: common aspects

Definition: NPs are programmable devices aimed generally at communication tasks and packet-specific data sets.

Challenge: What software architectures are effective for network tasks? Why do we need new functionality? What do network processors do?

Prototypes:
  Intel IXP 1200: a special chip which combines a high-speed core with a system bus and 6 programmable microengines.
  Interphase iNAV4000: a PCI chip which offers unparalleled features, including packet processing and switching.

Page 9: Basic types of hardware architecture

GPP - general purpose processor
CSI - common switch interface (packets)
PHY - physical network interface (bytes)

Diagram, three arrangements of GPP, RAM, NP, PHY and CSI: (1) GPP and RAM on the system bus, with the NP and its PHY/CSI attached as a co-processor; (2) GPP and RAM on the system bus, with the NP placed between PHY and CSI; (3) the NP with its own RAM and DMAC between PHY and CSI forming the data plane, and GPP with RAM on the system bus forming the control plane.

Page 10: FNP core

Diagram: incoming traffic arrives on the incoming interface(s), passes through the Filtering module and leaves as outgoing traffic on the outgoing interface(s). The Filtering module is backed by a Service module (logging, authorization, UI daemon), local storage, external storage (...) and a cache hierarchy. Points 1 and 2 and the labels Ss=F(2), Sf=F(2), =F(1,2) appear on the diagram.

Page 11: NP: basic characteristics

manipulate packet-specific data on Internet layers 2-4
based on an open software interface
performance, openness, programmability

Target: deliver hardware-level performance for packet processing tasks in a software-programmable system.

Page 12: Packet processing tasks

parse -> resolve/search -> modify -> forward

Silicon design: limited flexibility (-), wire-speed performance (+)
Program design: limited performance (-), new features can be added (+)

?

Page 13: Firewall Network Processor (FNP)

Processing tasks:
  identifying a packet from its header characteristics (address, VC, protocol, etc.)
  forwarding a packet to the appropriate interface(s) or discarding it (security policy rules)

Specific tasks ("stealth" mode):
  no modification (no updating of fields in the packet header)
  no scheduling (no queuing for a specific application)
  speed improvement through parallel processing (cluster) and pipeline processing (conveyor)

Page 14: FNP specific design

"stealth" mode for packet processing (no MAC or IP address on the PHY interfaces)
"orthogonal" address spaces for control and data interfaces
cluster architectures
specific structure of buffer and cache memory (depends on the fractal nature of network traffic)
multi-protocol IP/IPX scalable firewall solution
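The two slides above (pages 13 and 14) describe the data path as a stateless classifier: identify a packet from its layer 2-4 header fields and the interface it arrived on, then forward or discard it under an ordered policy, never writing to the packet. The following is an added example written for this page, not Fractel's FNP code. Everything beyond the slides' own list of tasks is an assumption: the rule fields, first-match with default drop, the interface names "wan" and "lan", the ARP/anti-spoof/ACK rules, and the frames, which are constructed by hand.

```python
"""Stateless L2-L4 classifier modelled on the FNP data path (added example).

Assumptions not on the page: rule fields, first-match/default-drop semantics,
the interface names "wan"/"lan", and the constructed frames below.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
TCP_ACK = 0x10


def parse_frame(frame: bytes) -> dict:
    """Extract the header fields a rule may reference; the frame is only read."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("short Ethernet frame")
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != ETHERTYPE_IPV4:
        return pkt                                   # non-IP: no L3/L4 fields
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")                  # malformed: never forwarded
    pkt["proto"] = ip[9]
    pkt["src_ip"] = ipaddress.IPv4Address(ip[12:16])
    pkt["dst_ip"] = ipaddress.IPv4Address(ip[16:20])
    l4 = ip[ihl:]
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if pkt["proto"] == PROTO_TCP and len(l4) >= 14:
        pkt["tcp_flags"] = l4[13]
    return pkt


@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    in_if: Optional[str] = None                  # ingress interface (the slide's "VC")
    ethertype: Optional[int] = None              # layer 2 match
    proto: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    ack_set: Optional[bool] = None               # stateless "established" check

    def matches(self, pkt: dict, in_if: str) -> bool:
        if self.in_if is not None and in_if != self.in_if:
            return False
        if self.ethertype is not None and pkt.get("ethertype") != self.ethertype:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.src is not None and ("src_ip" not in pkt or pkt["src_ip"] not in self.src):
            return False
        if self.dst is not None and ("dst_ip" not in pkt or pkt["dst_ip"] not in self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.ack_set is not None:
            if "tcp_flags" not in pkt or bool(pkt["tcp_flags"] & TCP_ACK) != self.ack_set:
                return False
        return True


def classify(rules, frame: bytes, in_if: str) -> str:
    """First matching rule wins; unmatched or malformed frames are dropped.

    Stealth mode: the frame leaves byte-for-byte as it arrived (no TTL
    decrement, no MAC rewrite), so the caller forwards the same buffer.
    """
    snapshot = bytes(frame)
    try:
        pkt = parse_frame(frame)
    except ValueError:
        return "drop"
    verdict = "drop"
    for rule in rules:
        if rule.matches(pkt, in_if):
            verdict = rule.action
            break
    assert frame == snapshot, "stealth invariant violated: frame was modified"
    return verdict


# Constructed policy: DMZ web host at 203.0.113.10, internal LAN on 10.0.0.0/8.
NET = ipaddress.IPv4Network
POLICY = [
    Rule("accept", ethertype=ETHERTYPE_ARP),                              # L2: let ARP through
    Rule("drop", in_if="wan", src=NET("10.0.0.0/8")),                     # anti-spoofing first
    Rule("accept", in_if="wan", proto=PROTO_TCP, dst=NET("203.0.113.10/32"), dport=80),
    Rule("accept", in_if="wan", proto=PROTO_TCP, dst=NET("203.0.113.10/32"), dport=443),
    Rule("accept", in_if="wan", proto=PROTO_TCP, dst=NET("10.0.0.0/8"), ack_set=True),
    Rule("accept", in_if="lan", src=NET("10.0.0.0/8")),
]


def build_frame(src_ip, dst_ip, proto, sport, dport, tcp_flags=0x02) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP-or-UDP frame for the demo (no checksums)."""
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + l4
```

Calling `classify(POLICY, build_frame("198.51.100.7", "203.0.113.10", PROTO_TCP, 40000, 80), "wan")` returns `"accept"`, while the same frame to port 22, or from a spoofed 10.x source on the WAN side, returns `"drop"`. Two points the slides imply follow directly from the code: because nothing is scheduled or rewritten there is no connection state, so return traffic has to be admitted by a separate rule (here the ACK-set rule, which is weaker than a real state table), and because the stealth interfaces have no addresses the device itself is never a destination on the data path, which is why management traffic needs the separate control interface of page 14.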

Page 15: Architecture for secure corporate network

Diagram: an Open Network Segment (Web, database, portals, DNS servers) and a VPN Segment (confidential catalogues and data).

Page 16: FNP-100 Security Platform

Photo labels: one 10/100 Ethernet port as the control interface; 10/100 Ethernet ports for the LAN, DMZ and WAN interfaces (stealth mode); power switch.

Page 17: Stealth and Control interfaces

Diagram: Global Internet -> ISP network -> corporate router or backbone switch -> FNP-100/4 -> corporate network, comprising the DMZ (Web server, application servers), the protected network segment and LAN access. The FNP-100/4's stealth interfaces carry no MAC or IP addresses. Its control interface has a private IP address and is reached from the admin WS over RS232 or Ethernet, or through modem dial-up access or terminal access.

Page 18: FNP redundancy mode

Diagram: two FNP-100/2 units, a primary domain and a redundant domain, sit between the ISP network access segments and the router or LAN backbone switches in front of the corporate segments (protected servers and hosts). Both units attach through stealth interfaces. Their synchronization processes run over the control interfaces on a control VPN or a trusted distinct network segment, which also carries the control or admin WS and a NAS or IDS.

Page 19: FNP-1000 Cluster Platform

Diagram: Global Internet -> WDM access (1, ..., 4 modes) MUX or multi-Gigabit VLAN Ethernet splitter -> cluster of security appliances (four FNP-1000/2, numbered 1-4) on stealth Gigabit Ethernet interfaces -> access Gigabit VLAN switches -> switched network infrastructure. A protected network segment behind it is guarded by an FNP-100/4S, also on stealth interfaces. The control interfaces of all units sit on an internal 100BT switched Ethernet infrastructure, a control network distinct from the data path, together with the admin WS, a NAS or IDS and an internal network sensor.

Page 20: Multi-layer security conveyor

Diagram. External perimeter of the secure network: three FNP-100/2 units facing the public Internet, a router, firewalls, a VPN server and common network elements (Ethernet switch, switch, DNS, Web server). Inner perimeter of the secure network: an FNP-100/4 in front of the secure segment of the corporate network (corporate segments and users), with an admin WS, an info security server, a computing cluster/IDS system and a NAS server (network storage). Flows marked: transaction data, control commands, SNMP data.

Page 21: Performance characteristics

Chart 1: throughput (Mbps, axis 0-120) vs packet size (bytes, axis 0-2000); series FNP and PC.
Chart 2: throughput (Mbps, axis 0-120) vs number of rules (axis 0-2000); series FNP and PC.
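The slide gives only the axes of the two curves, not the measurements. The following added model, written for this page and not Fractel's data, reproduces their shape from first principles so a practitioner can see what drives them. The link rate, the per-packet and per-rule costs and the rule counts are assumed constants, not numbers from the page; the one hard fact it uses is the Ethernet framing overhead (8 bytes of preamble and SFD plus a 12-byte inter-frame gap), which caps how many frames per second a link can carry at each frame size.

```python
"""Throughput model behind the two performance curves (added example).

The link rate, per-packet costs and rule counts are assumed constants chosen
to reproduce the shape of the slide's curves, not values from the page.
"""
ETH_WIRE_OVERHEAD = 20   # preamble + SFD (8 bytes) + inter-frame gap (12 bytes)


def line_rate_pps(link_mbps: float, frame_bytes: int) -> float:
    """Maximum frames per second the wire carries for one frame size (incl. FCS)."""
    return link_mbps * 1e6 / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def per_packet_cost_s(fixed_s: float, per_rule_s: float, n_rules: int) -> float:
    """Cost of a sequential first-match rule walk: parse once, compare per rule."""
    return fixed_s + per_rule_s * n_rules


def throughput_mbps(link_mbps: float, frame_bytes: int, cost_s: float) -> float:
    """Forwarding rate is bounded by the slower of the wire and the classifier."""
    pps = min(line_rate_pps(link_mbps, frame_bytes), 1.0 / cost_s)
    return pps * frame_bytes * 8 / 1e6


# Assumed cost model (not from the slide): a software filter on a PC pays a
# per-rule cost for every rule it walks; a parallel/pipelined matcher of the
# FNP kind evaluates the whole rule set at a fixed cost per packet.
PC_FIXED_S, PC_PER_RULE_S = 2.0e-6, 0.05e-6
FNP_FIXED_S = 1.0e-6


def pc_throughput(frame_bytes: int, n_rules: int, link_mbps: float = 100) -> float:
    return throughput_mbps(link_mbps, frame_bytes,
                           per_packet_cost_s(PC_FIXED_S, PC_PER_RULE_S, n_rules))


def fnp_throughput(frame_bytes: int, n_rules: int, link_mbps: float = 100) -> float:
    return throughput_mbps(link_mbps, frame_bytes, FNP_FIXED_S)   # rule count irrelevant


def curves(link_mbps: float = 100):
    """The slide's two series: (FNP Mbps, PC Mbps) vs frame size and vs rule count."""
    sizes = [64, 128, 256, 512, 1024, 1518]
    rule_counts = [0, 250, 500, 1000, 2000]
    vs_size = {s: (round(fnp_throughput(s, 1000, link_mbps), 1),
                   round(pc_throughput(s, 1000, link_mbps), 1)) for s in sizes}
    vs_rules = {n: (round(fnp_throughput(64, n, link_mbps), 1),
                    round(pc_throughput(64, n, link_mbps), 1)) for n in rule_counts}
    return vs_size, vs_rules


if __name__ == "__main__":
    vs_size, vs_rules = curves()
    print("frame bytes -> (FNP, PC) Mbps at 1000 rules:", vs_size)
    print("rules -> (FNP, PC) Mbps at 64-byte frames:", vs_rules)
```

With these constants the PC curve collapses at small frames and with many rules (about 9.8 Mbps for 64-byte frames at 1000 rules) while reaching near line rate at 1518 bytes, and the FNP-style curve is flat for every rule count. Two caveats the model makes visible: "line rate" for 64-byte frames on a 100 Mbps link is only about 76 Mbps of frame bytes because of preamble and gap, so a flat 100 Mbps line on a chart is only possible for large frames; and a throughput figure quoted at large packets says nothing about behaviour under the small-packet floods (SYN floods, for example) that a firewall is bought to survive, which is why the rule-count curve at minimum frame size is the one to ask a vendor for.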

Page 22: Conclusion

Network Processor (NP): a new type of programmable device for network-specific applications.

FNP, or Firewall NP: a scalable network device based on an open-source OS, a standard PCI platform and "stealth" interfaces.

FNP can be viewed as a platform for a broad range of network appliances built on a cluster architecture and multi-layer packet processing.