Force10 Networks
Transcript of Force10 Networks
2
Special Note Regarding Forward Looking Statements
This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words “anticipates,” “believes,” “estimates,” “expects,” “intends,” “may,” “plans,” “projects,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward-looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements.
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release and timing of any features or functionality described for our products remains at our sole discretion.
3
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
4
The Challenge of Securing University Networks
Highly skilled users (x,000 sys admins)
Firewall policies difficult to match dynamic applications
Diverse desktops plus wireless client that the university cannot easily control
Traditional corporate threats (large scale credit card thefts, DDOS blackmailing, etc.) now faced by Universities
5
Trends for High Speed Security and Monitoring in Universities
Link speeds increasing faster than edge and campus security systems
Increasing traffic and growing security threats create new requirements:
– Full security that can protect 100% of traffic without impacting performance
– Flexibility to ensure more efficient response to unknown or malicious traffic
6
Securing 10 GbE WANs
Need to “do” the following at 10 Gbps:
– Deep packet inspection ("visibility")
– Attack detection (IDS)
– Packet filtering (firewalling)
– DoS and DDoS protection (traffic rate shaping and rate limiting)
Much less so...
– VPNs and site-to-site encryption (most likely IPsec based)
– Bots and other large scale worms/viruses
– Honeypots / Honeynets
– Source port verification
7
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
8
Force10 Pioneers in 10 GbE Switching & Routing
Founded in 1999
First to ship line-rate 10 GbE switching & routing
Pioneered new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies
Customer base spans academic/research, data center, enterprise and service provider
9
Acquisition of P-Series Platform
Force10 pioneered 10 GbE switching and routing
Vision to become the next great networking company
Applying high performance switching and routing innovation to network security
Recommended to us by leading R&E and Gov’t customers
10
Force10 Product Portfolio: Industry Leading Density, Resiliency & Security
Chassis (capacity to grow for 10+ years):
– E1200: 1.68 Tbps; up to 1,260 GbE or 224 x 10 GbE ports; 1/2 rack
– E600: 900 Gbps; up to 630 GbE or 112 x 10 GbE ports; 1/3 rack
– E300: 400 Gbps; up to 288 GbE or 48 x 10 GbE ports; 1/6 rack
Fixed-configuration switches:
– S50: 48 GbE + 2 x 10 GbE (1 RU)
– S2410: 24 x 10 GbE (1 RU)
– S50V: 48 GbE PoE + 4 x 10 GbE
– S25P: 24 GbE + 4 x 10 GbE
Security:
– P1/P10: line-rate Gbps and 10 Gbps IDS/IPS
11
P-Series Development
Originally funded by NSF grant
Subsequent application funding by:
– USAF (design of 10 GbE card)
– NSA (surveillance inside IPv6 traffic)
12
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
13
Network Security Evolution (performance over time)
1995-1999: Software based
– Central CPU; slow, < 100 Mbps
2000-2005: Custom hardware in an appliance
– ASIC assist to central CPU
– Better filtering, active protection
– GbE, up to 2 Gbps
2006-2008: Dynamic mapping of inspection policies into hardware
– Force10 P-Series, line-rate 10 GbE performance
– Designed for 20 – 80 Gbps
2007-2010: Custom hardware integrated into modular switches & routers
– Full security integration on every port all the time
– Designed for 336 – 672 Gbps
14
Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security
Fundamentally new architecture at the core of the P-Series
– DPI delivers the highest deep packet inspection scalability and flexibility in the industry
– Apply thousands of signatures to every packet in parallel
Open programmability at 10 GbE delivers leading flexibility
– Create signatures in hardware to speed processing
Parallel processing ensures massive rule scalability under all traffic loads
15
Inside the 10 GE linecard
16
1-10 Gbps Programmable Network Security
Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Hardware acceleration of important network applications
– Abstract hardware as a network interface from the OS perspective
Retain high degree of programmability
– Extend to applications beyond IDS/IPS
– New threat models (around the corner)
Line-speed/low latency to allow integration in production networks
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion
Hardware support for adaptive information management
– Detailed reporting when reporting bandwidth is available
– Dynamically switch to more compact representations when necessary
– Support the insertion of application-specific analysis code in the fast path
17
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
18
Firewall and IDS/IPS
High performance (> 330K cps; 20 Gbps)
– What is IN and what is OUT?
– Two organizations sharing each other’s services
– Insider attacks
– Can define stateful policies asymmetrically or symmetrically
Unique level of programmability
– Hardcode part of the policies in hardware
– Keep software-like flexibility
– Can code specific policies directly into fast-path
Layer-1
– Invisible: 1.5 µs latency
– True line rate (20 Gbps)
– Drops in and out with NO L2/3 reconfiguration
19
10 GbE Inspection and Blocking:Needles & Haystacks
Ability to define "internal" and "external" interfaces:
– Custom rules based on traditional firewall controls (source, dest., mask, range, protocol, service & port, VLAN)
– Stateful: allow internal holes to go out, but stop external traffic from coming in
Parallel processing provides rules logic flexibility
– Rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
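The direction-aware, ordered rule logic this slide describes, as a toy model added here (not Force10 code and not the P-Series rule language); the addresses, rules and sample packets are constructed, and "whitelist" is used as the explicit-override action:

```python
# Toy model of the stateful internal/external rule logic described above (constructed
# example, not Force10 P-Series code). Rules are evaluated in order, a "whitelist"
# rule is an explicit override, and flows opened from inside get their replies back.
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport proto", defaults=("tcp",))
Rule = namedtuple("Rule", "action iface proto dst dport", defaults=(None,) * 4)

def matches(rule, pkt):
    """A None field in the rule matches anything (traditional firewall controls)."""
    return all(want is None or want == getattr(pkt, name)
               for name, want in rule._asdict().items() if name != "action")

class StatefulPolicy:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # 5-tuples of flows opened from the internal side

    def decide(self, p):
        if any(r.action == "whitelist" and matches(r, p) for r in self.rules):
            verdict = "permit"                          # explicit override wins
        elif (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"                             # return leg of an open flow
        else:
            hit = next((r for r in self.rules if matches(r, p)), None)
            # default: inside may go out; unsolicited outside traffic may not come in
            verdict = hit.action if hit else ("permit" if p.iface == "internal" else "deny")
        if verdict == "permit" and p.iface == "internal":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))  # remember the hole
        return verdict

def demo():
    """Constructed sample traffic; 10.0.0.0/24 is the hypothetical campus side."""
    policy = StatefulPolicy([
        Rule("permit", iface="external", dst="10.0.0.80", dport=80),     # public web server
        Rule("deny", iface="internal", dport=25),                         # no direct outbound SMTP
        Rule("whitelist", iface="internal", dst="10.0.0.25", dport=25),  # campus relay override
    ])
    cases = [
        ("out_https", Packet("internal", "10.0.0.5", 40000, "203.0.113.10", 443)),
        ("reply_https", Packet("external", "203.0.113.10", 443, "10.0.0.5", 40000)),
        ("fake_reply", Packet("external", "203.0.113.10", 443, "10.0.0.99", 40000)),
        ("in_ssh", Packet("external", "198.51.100.7", 51515, "10.0.0.5", 22)),
        ("in_web", Packet("external", "198.51.100.7", 51516, "10.0.0.80", 80)),
        ("out_smtp_direct", Packet("internal", "10.0.0.5", 40001, "203.0.113.25", 25)),
        ("out_smtp_relay", Packet("internal", "10.0.0.5", 40002, "10.0.0.25", 25)),
    ]
    return {name: policy.decide(pkt) for name, pkt in cases}
```

The fake_reply case shows why the flow table matters: a packet that merely looks like a reply is still dropped unless the inside opened that exact flow.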
20
IPS Application
Industry’s first IPS to support line-rate 10 GbE inspection on every packet
SNORT 2.0 rules compiler
Expansion to any rules base:
– Govt customers utilizing Bro
– R&E customers utilizing PF firewall rules
– Growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)
Resilient system architecture
– Inspection ports are invisible to attackers
– System does not fail under high load conditions
– No active components (CPU, PCI bus) in data path
Used inline, offline, or as pre-filter
Diagram: mixed traffic enters the inspection/capture and clean/block policies; good traffic passes through and captured traffic is retained. Functions shown: Traffic Monitoring, Packet Capture, Custom Rules, Signature Detection, Stateful Packet Firewall, Intrusion Protection.
21
Over 1500 Signatures Supported: Sample IDS/IPS Signatures
– Layer 3 IP Protocol: Unknown IP Protocol; RFC1918 address; Ping of Death
– TCP: NetBIOS OOB Data; Windows RPC DCOM Overflow; Sametime Activity; Worm Mitigation
– UDP: Snork; MP2P Client Scan
– IP Options: Bad IP Option; Record Packet Route
– ICMP: ICMP Echo Reply; ICMP Unreachable; ICMP Src Quench
– HTTP: HTTP tunneling; AIM/ICQ through HTTP proxy; MSN Messenger through HTTP proxy; Yahoo Messenger through HTTP proxy
– DNS: DNS Request All; DNS SIG Overflow
– SMTP: SPAM attacks (SMTP RCPT TO: Bounce); Lotus Notes Mail Loop DoS
– FTP: FTP Improper Address; FTP Improper Port
– RPC: RPC Dump; Proxied RPC
22
Campus and WAN Applications for Universities
Universities are deploying P-Series in WAN edges and in high speed campus cores.
Key Applications
– 1 & 10 GbE IDS/IPS (SNORT, Bro, or Custom)
– 10 GbE Firewalling and Deep Packet Inspection
– High Speed Network Monitoring
– Flexible, Customized Wire-Speed Packet Analysis
23
University Innovators
Univ. of Nebraska’s PKI Institute:
– In conjunction with Dept of Homeland Security, runs security research lab
– Uses P10 inline to accelerate SNORT for high speed core
Oxford University:
– “Argus” research group (www.robots.ox.ac.uk/~argus/)
– Customized packet analysis for high speed networks
University of Cal., Santa Cruz:
– 1 Gigabit inspection for WAN edge
– Facing WAN edge inline, filters “hay” from needles
– Presentation of UCSD High Speed IDS at: http://www.nanog.org/mtg-0501/tatarsky.html
24
High Performance Surveillance
Technically a “hard problem”: high performance inspection with open programmatic flexibility to meet the dynamic, fast-changing requirements of Lawful Intercept
Key system design goals
– Predictable
– Provable - Legal
– Responsive (low latency)
– Simplicity / reliability
– Secure (access and capture)
– Packet/frame/IPv agnostic
– Ideally, as few boxes as possible
25
Surveillance Application
Technical features for lawful intercept include:
– Stateful rules
– Line-rate capture performance; no packet loss under full load
– Hardware-based packet time stamping
– Exact search and match strings in known and “unanchored” search criteria across IPv4 and v6
– No extra packet buffering or “contaminants”
– Gracefully handle state exhaustion
– Scaling to 1000 (16 byte) on-the-fly dynamic searches
– Secure, remote box management via SSH
Diagram: Internet -> P-Series P1 or P10 -> E600 or E1200 at the POP, with storage servers attached.
26
Configuration + Reporting
Compile policies off-line
– Makefile (open Unix CLI environment)
– Add user code in fast-path
Add Permit and Deny on the fly
– Immediate action
Run any pcap application on interface
– Use Snort’s output plugins: syslog, email, packet archive
MIB-II Host/Interface Monitoring
– Disk, daemons, SNMP traps
27
Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap
28
Available Today
P10 PCI-X Card (10 GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 20G-in/20G-out
– 2 x 1 GbE mirror ports
– 8000 static rule capacity; 600 dynamic rules
– 8 million concurrent flows
P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G-in/2G-out
– 1000 static rule capacity; up to 200 dynamic (currently being increased)
– 2 million concurrent flows
– Line-rate IPv6
P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured
29
Deployment Models
Inline Operation
– Block unwanted traffic; capture interesting flows; good traffic passes through
– Two sensing ports (full duplex) + two mirroring ports
– Logging port or PCI interface
Passive Operation
– Capture interesting flows
– Up to two sensing ports
– Logging port or PCI interface
30
High Availability
No power:
– Stateful in-line: no packet loss; no loss of connection state
– Traditional rerouting: L2/L3 convergence time; loss of state
Diagram: reporting path with bypass
– Based on external bypass units
– All state maintained by active-active P10s
31
Power Failure
No power:
– Stateful in-line: no packet loss; no loss of connection state
– Traditional rerouting: L2/L3 convergence time; loss of state
Diagram: CPU, reporting and bypass paths
32
OS Upgrade
Soft reboot, OS reconfiguration, change OS:
– Forwarding + policies are unaffected; no loss of connection state
– Once the upgrade is over, the OS reattaches to the forwarding path
Diagram: CPU, reporting and bypass paths
33
Policy update
Fast-path reconfiguration (new policies are added/deleted):
– Loading new static policies: open for < 1 s; loss of connection state
– Loading dynamic policies: no loss of state
Diagram: CPU, reporting and bypass paths
34
Summary of Differentiation
Always line-rate
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion
Retain high degree of programmability
– Architecture guarantees determinism
– New threat models (around the corner)
Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Abstract hardware as a network interface from the OS perspective
– Future proofing to extend to applications beyond IDS/IPS
35
P-Series Delivers Industry’s Highest Performance and Lowest Price Per Gbps
Chart 1 (Price per Gbps throughput, $0 to $60,000): Force10, TippingPoint, McAfee, Cisco, Juniper.
Chart 2 (Performance throughput): % line-rate throughput with 100% rules (0 to 100) versus traffic throughput (1 Gb, 2 Gb, 4 Gb, 6 Gb, 8 Gb, 10 Gb, 20 Gb), Force10 P-Series vs. traditional IPS.
36
Competitive Analysis Summary
                         Force10           Cisco                Juniper              Endace                        Bivio
Interface options        2 x 10 GbE        2 to 5 10/100/1000   2 to 6 10/100/1000   NIC or App.; 4 x 1 GbE,       12x GE, 6x GE fiber,
                                                                                     2 x 10 GbE                    2 x 10 GE
Interface speed          Line-rate 10 GbE  1 GbE OS             1 GbE OS             10 GbE OS                     10 GbE OS
Total throughput         20 Gbps           800 Mbps             1 Gbps               5 Gbps                        10 Gbps
Latency                  ~16 us            750 us               100 us               100 us                        215 us
Rule flexibility         Open; Snort       Proprietary          Proprietary          Capture-only                  Proprietary
TCP (concurrent flows)   2-8,000,000       1,00000              800,000              800,000                       2,000,000
Price range              $130,000          $40,000              $57,000              $120,000                      $200,000
Signatures               8000              1,700                3200                 1,400                         3,000
Placement                Inline/Offline    Inline/Offline       Inline/Offline       Offline                       Inline/Offline
37
P-Series PTSP Roadmap
Releases: 2.1 (May 31, 2007); 2.2 (July 31, 2007)
Hardware and software features:
– P10: 8000 signatures; 2 x 1 GbE mirror ports
– Session scaling to 8M
– Blocking during boot
– Field upgradeable FPGAs
– PCI-X core
– Stateful temporary packet capture
– API
– Linux driver support
– Dynamic content rules
– 2 + 2 mirroring
– Management UI
– Rules counter
– Line-rate stateful firewall
– IPv6
– Packet re-write
Legend: Black: committed feature; Red: targeted feature; Blue: feature on our radar
38
Debbie Montano
Director of Research & Education Alliances