Firewall Network Processor™: Technical Concept and Business Solutions

FNP™ is a trademark of Fractel Inc. December 2008, Columbus.


Transcript of Firewall Network Processor™: Technical Concept and Business Solutions

Page 1: Firewall Network Processor™: Technical Concept and Business Solutions

Firewall Network Processor™: Technical Concept and Business Solutions

FNP™ is a trademark of Fractel Inc.

December 2008, Columbus

Page 2: Firewall Network Processor™: Technical Concept and Business Solutions

Firewall Network Processor: core concept and solutions


Content

Introduction: business value and technology trend

Seeking decision: concept of secure network environment and intelligent “wire”

FNP as a patented capability for keeping network infrastructure secure

technical aspects

functionality

business solution

Summary

Page 3: Firewall Network Processor™: Technical Concept and Business Solutions


Key issues

Many companies:

spend millions of dollars each year investing in business systems to make information available to authorized persons and customers;

see business value in access to Internet information infrastructure to improve employee performance;

… and seek technology that can give employees new functionality without opening the door to attacks and unauthorized access to sensitive business data.

Page 4: Firewall Network Processor™: Technical Concept and Business Solutions


Introduction

Basic Internet principle and security issue:

best-effort service (no internal QoS mechanism)

simple authentication model (trusted network environment)

Comments:
• To enjoy the Internet as a business medium, people must take control of traffic content in its many forms (VLAN, VPN, VoIP, …) and channels (IP, P2P, …).
• A deep understanding of how employees use Internet resources requires an effective security and management solution.

Page 5: Firewall Network Processor™: Technical Concept and Business Solutions


Network infrastructure: are there any “right places” for investment with low risk and expense?

Diagram (network access policy; communication lines; set of “intelligent” nodes - applications):

Business in the form of “applications”. Beneficiaries: ASP, banks, electronic commerce companies, GRID computing, etc.

Business in the form of “packet traffic”, connectivity and bandwidth. Beneficiaries: hardware and software suppliers, ISP, Telco, e-PTN.

Axes: service level against expense, packet processes against risk; low expense and low risk lie at the “border”.

Comments:
• The business opportunity is close to the service and access “border”.
• Customers will deploy the security solution that suits their existing environment.

Page 6: Firewall Network Processor™: Technical Concept and Business Solutions


Solution examples

Technology                            Added “value”     Income
E-commerce                            wide access       turnover up
VPN                                   remote office     outsourcing
Access Management / Single Sign-on    employee          productivity

Comments:

The best investments: reduction of business expenses.

The best innovations: reduction of technology risks.

Page 7: Firewall Network Processor™: Technical Concept and Business Solutions


Internet as a service media:

Intellectual services (DB, CAD, PDM, routing, switching, …) belong to the network nodes;

Telco service measures: bandwidth and delay.

Comment: there is a “gap” in the network service space: no “intelligent” service processing at the wire level. Is this “gap” becoming the business opportunity?

Diagram (user needs - applications): ASP keeps servers; ISP controls IP routers; Telco provides the wire grid; applications are attached as port/MAC/IP 1 … MAC/IP i … port/MAC/IP n.

Page 8: Firewall Network Processor™: Technical Concept and Business Solutions


“it_is_secure” wire infrastructure

“itiss” means:

Merge existing packet switching technology and access management tools with the innovative concept of the “intelligent wire”, an IP node preprocessor.

Find the cost-effective decision to add intelligent features to the wire infrastructure.

Diagram: three layers, the application network, the IP logical space and the MAC grid, with nodes labelled IP/MAC 1, IP/MAC 2, MAC/IP i … MAC/IP n.

Page 9: Firewall Network Processor™: Technical Concept and Business Solutions


Fractel™ - Security Approach, Components & know-how

Technical aspect: provides multilevel packet processing which retains the current routing and access policies available in secure computer networks.

Decision & know-how: a “stealth” firewall network processor (FNP) that provides security functions “outside standard network nodes” (IPv4, IPv6, IPX, …) at the “wire level”.

Cost-effective platform for packet processing at the MAC, IP, TCP and application levels.

Page 10: Firewall Network Processor™: Technical Concept and Business Solutions


Design Aspects:

Asynchronous packet flow processing: “one hop, many functions” (content and packet filtering).

Scalable filtering performance: “one transport protocol, many security applications” (web, ftp, sql, …).

Deliver hardware level performance to a software programmable device by:

Page 11: Firewall Network Processor™: Technical Concept and Business Solutions

Aspect 1: Asynchronous traffic processing in the “intelligent” wire

Diagram: routers at node l and node m joined by link l and link l+1; FNP i1 … FNP in sit on the wire between them, each running processes p1, p2, …, pn over the packet streams IP1, IP2, IP3, IP4.

Page 12: Firewall Network Processor™: Technical Concept and Business Solutions


… “Grid” of applications …

Diagram: node 0, node x, node x+1, …, node M connected by physical links (packet, buffer, packet drops) and by p2p virtual connections; TCP/UDP carries application 1, application 2, … application n.

Aspect 2: One control mechanism for many applications’ content management

Page 13: Firewall Network Processor™: Technical Concept and Business Solutions


Firewall NP (FNP) Design Principles

Two types of network interfaces

Cost-effective platform

Flexible and scalable management

Innovative design

Filtering and control functions

Standard hardware and specific control software

Industrial protocols (Active Directory, OpenLDAP, web control interface)

Patented “address-less” technology

Page 14: Firewall Network Processor™: Technical Concept and Business Solutions


FNP Architecture

Diagram: a filtering module and a service module (authorization, UI daemon) over local storage, external storage and a cache hierarchy; incoming traffic enters through stealth incoming interface(s) (1) and outgoing traffic leaves through stealth outgoing interface(s) (2), labelled Ss=F(2), Sf=F(2), =F(1,2); sockets on an open-source OS kernel; a separate control interface.

Page 15: Firewall Network Processor™: Technical Concept and Business Solutions


FNP Hardware Platform:

100/1000 Ethernet port (control interface)

100/1000 Ethernet ports: LAN, DMZ, WAN interfaces (stealth mode)

power switch

Page 16: Firewall Network Processor™: Technical Concept and Business Solutions


Scenario 1: content switching (single-box deployment)

Diagram: Global Internet, ISP network and a router or backbone switch; an FNP-1000/4 sits between them and the corporate network (web server, ftp servers, end-user segment); its control interface (content switching) connects to an administrative segment with LDAP and the FNP log files DB.

Page 17: Firewall Network Processor™: Technical Concept and Business Solutions


Scenario 2: Solution for Data Center (protection environment for complex infrastructure)

Diagram: Global Internet over a switched network infrastructure; a Metro WDM Ethernet switch feeds four FNP-1000/2 units (1, 2, 3, 4) whose stealth interfaces face local Gigabit VLAN switches and the protected network segment; the control interfaces, an internal network sensor and an FNP-100/4S sit in a distinct VLAN segment with the DC admin monitor, log DB and local admin monitor. Labels: Scalability, Manageability, Availability.

Page 18: Firewall Network Processor™: Technical Concept and Business Solutions


Scenario 3: dynamic security control (… and third-party integration)

Firewall rules are generated and deleted automatically after WDC logon/logoff of the end user.

Diagram: public Internet; two switches; an FNP-1000/4 with its FNP control interface; a VLAN segment with DNS, ftp-server, admin and log DB; a storage domain with a NAS-server; Windows Domain controller / Active Directory.
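Scenario 3 describes rules that appear on domain logon and vanish on logoff, enforced by a stealth filter that matches at the MAC, IP and TCP levels (page 9). The following is an added example, not Fractel's code: a small Python model of that rule lifecycle. The event shapes, addresses, ports and the policy of dropping a frame whose source IP differs from the logon record are constructed assumptions.

```python
# Added example, not Fractel's code: per-user rules created on domain logon
# and removed on logoff, applied by an address-less filter that checks the
# MAC, IP and TCP port of each frame (constructed model).
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Rule:
    user: str
    src_ip: str                    # IP recorded at logon
    allowed_ports: FrozenSet[int]  # TCP ports the user may reach

@dataclass
class StealthFilter:
    rules: Dict[str, Rule] = field(default_factory=dict)  # keyed by MAC
    def on_logon(self, user: str, mac: str, ip: str, ports) -> None:
        # a logon event from the domain controller installs the rule
        self.rules[mac] = Rule(user, ip, frozenset(ports))
    def on_logoff(self, mac: str) -> None:
        # logoff removes it, so a rule cannot outlive the user's session
        self.rules.pop(mac, None)
    def decide(self, src_mac: str, src_ip: str, dst_port: int) -> Tuple[str, str]:
        rule = self.rules.get(src_mac)
        if rule is None:
            return "drop", "no logged-on user for this MAC"
        if rule.src_ip != src_ip:
            return "drop", "source IP differs from logon record"
        if dst_port not in rule.allowed_ports:
            return "drop", f"port {dst_port} not allowed for {rule.user}"
        return "pass", rule.user

EVENTS = [  # constructed event stream in arrival order
    ("logon", "alice", "00:11:22:33:44:55", "10.0.1.10", [21, 80, 443]),
    ("frame", "00:11:22:33:44:55", "10.0.1.10", 443),   # pass
    ("frame", "00:11:22:33:44:55", "10.0.1.99", 443),   # drop: IP mismatch
    ("frame", "aa:bb:cc:dd:ee:ff", "10.0.1.20", 80),    # drop: unknown MAC
    ("frame", "00:11:22:33:44:55", "10.0.1.10", 25),    # drop: port
    ("logoff", "00:11:22:33:44:55"),
    ("frame", "00:11:22:33:44:55", "10.0.1.10", 443),   # drop: rule gone
]

def replay(events) -> List[str]:
    """Feed events to a fresh filter; return the verdict for each frame."""
    flt, verdicts = StealthFilter(), []
    for ev in events:
        if ev[0] == "logon":
            flt.on_logon(*ev[1:])
        elif ev[0] == "logoff":
            flt.on_logoff(ev[1])
        else:
            verdicts.append(flt.decide(*ev[1:])[0])
    return verdicts
```

Running `replay(EVENTS)` shows the single pass for the logged-on user and the four drops, including the frame sent after logoff once the rule has been deleted.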

Page 19: Firewall Network Processor™: Technical Concept and Business Solutions


Summary - FNP advantages:

Based on patented architecture

Delivers security appliance solutions for organizations of all types and sizes

Supports industrial standards and third-party integration within existing network infrastructure

Increases company productivity through the management of non-business activities

Decreases bandwidth costs by limiting noncritical network traffic and blocking objectionable URLs and applications

Compatible with nearly every available cost-effective hardware platform