Firewall Network Processor™: Technical Concept and Business Solutions
FNP™ is a trademark of Fractel Inc.
December 2008, Columbus
Firewall Network Processor: core concept and solutions
Content
Introduction: business value and technology trend
Seeking decision: concept of secure network environment and intelligent “wire”
FNP as a patented capability for keeping network infrastructure secure
  technical aspects
  functionality
  business solution
Summary
Key issues
Many companies:
spend millions of dollars each year investing in business systems to make information available to authorized persons and customers
see business value in access to the Internet information infrastructure to improve employee performance
... and seek technology that can give employees new functionality without opening the door to attacks and unauthorized access, while securing sensitive business data
Introduction
Basic Internet principles and security issues:
best-effort service (no internal QoS mechanism)
simple authentication model (trusted network environment)
Comments:
•To enjoy the Internet as a business medium, people must take control of traffic content in its many forms (VLAN, VPN, VoIP, ...) and channels (IP, P2P, ...)
•A deep understanding of how employees use Internet resources requires an effective security and management solution.
Network infrastructure: are there any “right places” for investment with low risk and expense?
[Diagram: layered view of the network. Bottom: communication lines and packet processes (low expense “border”). Middle: network access policy. Top: a set of “intelligent” nodes, i.e. applications (service level, low risk “border”). Business in the form of “applications” benefits ASPs, banks, electronic commerce companies, GRID computing, etc. Business in the form of “packet traffic”, connectivity and bandwidth benefits hardware and software suppliers, ISPs, Telcos, e-PTN.]
Comments:
•the business opportunity is close to the service and access “border”
•customers will deploy the security solution that suits their existing environment.
Solution examples
Technology           Added “value”     Income
E-commerce           wide access       turnover up
VPN                  remote office     outsourcing
Access Management    Single Sign-on    employee productivity
Comments:
the best investments - reduction of business expenses
the best innovations - reduction of technology risks
Internet as a service medium:
Intellectual services (DB, CAD, PDM, routing, switching, ...) belong to the network nodes;
Telco service measures: bandwidth and delay
Comment: there is a “gap” in the network service space: no “intelligent” service processing at the wire level. Does this “gap” become the business opportunity?
[Diagram: user needs are served by applications; the ASP keeps the servers, the ISP controls the IP routers, the Telco provides the wire grid. Nodes are labelled by application port/MAC/IP address (1, 2, ..., i, ..., n).]
“it_is_secure” wire infrastructure
“itiss” means:
Merge existing packet switching technology and access management tools with the innovative concept of the “intelligent wire”, an IP node preprocessor
Find the cost-effective decision for adding intelligent features to the wire infrastructure
[Diagram: three layers, the application network over the IP logical space over the MAC grid, with nodes labelled MAC/IP 1, 2, ..., i, ..., n.]
Fractel™ - Security Approach and Components & know-how
Technical aspect: provides multilevel packet processing that retains the current routing and access policies available in secure computer networks
Decision & know-how: a “stealth” firewall network processor (FNP) that provides security functions “outside standard network nodes” (IPv4, IPv6, IPX, ...) on the “wire level”
Cost-effective platform for packet processing on the MAC, IP, TCP and application levels
Design Aspects:
Deliver hardware-level performance on a software-programmable device by:
Asynchronous packet flow processing – “one hop, many functions” (content and packet filtering)
Scalable filtering performance – “one transport protocol, many security applications” (web, ftp, sql, ...)
Aspect 1: Asynchronous traffic processing in the “intelligent” wire
[Diagram: router – FNP i1 ... FNP in – router. Between Node l and Node m, over Link l and Link l+1, packets IP1..IP4 pass through processes p1, p2, ..., pn that run concurrently on the same hop.]
Aspect 2: One control mechanism for content management of many applications
[Diagram: a “grid” of applications, node 0 ... node x, node x+1 ... node M, joined by p2p virtual connections over packet physical links; each node carries TCP/UDP, application 1, application 2, ..., application n, a buffer, and packet drops.]
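The two design aspects above (“one hop, many functions” and “one transport protocol, many security applications”) together with the MAC/IP/TCP/application-level processing named in the security approach, shown as an added Python example. This is not Fractel's or the FNP's code: the Packet and Policy types, the four check functions, the sample policy and the sample packets are all constructed for the demonstration. The device in this model has no address of its own; it only returns a forward/drop verdict for each frame that crosses it.

```python
"""Single-hop, multi-layer packet inspection (added example, not Fractel code).

A transparent in-line device like the FNP has no address of its own: every
frame that enters either leaves unchanged or is dropped, and in that one hop
the MAC, IP, transport and application checks are all applied. Policy and
packets below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""

@dataclass
class Policy:
    allowed_macs: set = field(default_factory=set)    # L2: known stations
    blocked_nets: list = field(default_factory=list)  # L3: ip_network objects
    open_ports: dict = field(default_factory=dict)    # L4: proto -> {ports}
    blocked_urls: tuple = ()                          # L7: URL substrings
    sql_markers: tuple = ("union select", "or 1=1", "'; drop")

def check_mac(pkt, pol):
    if pol.allowed_macs and pkt.src_mac.lower() not in pol.allowed_macs:
        return f"L2: unknown source MAC {pkt.src_mac}"
    return None

def check_ip(pkt, pol):
    src = ipaddress.ip_address(pkt.src_ip)
    for net in pol.blocked_nets:
        if src in net:
            return f"L3: source {pkt.src_ip} in blocked {net}"
    return None

def check_transport(pkt, pol):
    if pkt.dst_port not in pol.open_ports.get(pkt.proto, set()):
        return f"L4: {pkt.proto}/{pkt.dst_port} not permitted"
    return None

def check_application(pkt, pol):
    text = pkt.payload.decode("latin-1").lower()
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        # Rebuild host+path from the HTTP request line and the Host header.
        lines = text.split("\r\n")
        parts = lines[0].split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        host = ""
        for line in lines[1:]:
            if line.startswith("host:"):
                host = line.split(":", 1)[1].strip()
        url = host + path
        for bad in pol.blocked_urls:
            if bad in url:
                return f"L7: blocked URL {url}"
    if pkt.proto == "tcp" and pkt.dst_port in (1433, 3306):
        for marker in pol.sql_markers:
            if marker in text:
                return f"L7: SQL injection marker {marker!r}"
    return None

CHECKS = (check_mac, check_ip, check_transport, check_application)

def inspect(pkt, pol):
    """One hop, many functions: all layer checks see the same packet and the
    verdict is 'drop' if any of them objects. Every objection is kept, not
    only the first, which is what the log database should record."""
    reasons = [r for r in (check(pkt, pol) for check in CHECKS) if r]
    return ("drop" if reasons else "forward", reasons)

# Constructed policy and traffic for the demonstration.
SAMPLE_POLICY = Policy(
    allowed_macs={"00:11:22:33:44:55", "00:11:22:33:44:66"},
    blocked_nets=[ipaddress.ip_network("203.0.113.0/24")],
    open_ports={"tcp": {21, 80, 443, 1433}, "udp": {53}},
    blocked_urls=("games.example", "/casino"),
)
STATION = "00:11:22:33:44:55"
SAMPLE_PACKETS = [
    Packet(STATION, "00:aa:bb:cc:dd:01", "198.51.100.10", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(STATION, "00:aa:bb:cc:dd:01", "198.51.100.10", "192.0.2.10", "tcp", 80,
           b"GET /casino/lobby HTTP/1.1\r\nHost: games.example\r\n\r\n"),
    Packet("de:ad:be:ef:00:01", "00:aa:bb:cc:dd:01", "203.0.113.5", "192.0.2.10",
           "tcp", 23, b"\xff\xfb\x01"),
    Packet(STATION, "00:aa:bb:cc:dd:02", "198.51.100.10", "192.0.2.20", "tcp", 1433,
           b"SELECT * FROM users WHERE name='' OR 1=1--"),
]

def demo(packets=SAMPLE_PACKETS, policy=SAMPLE_POLICY):
    """Return (verdict, reasons) for each sample packet, in order."""
    return [inspect(p, policy) for p in packets]

if __name__ == "__main__":
    for pkt, (verdict, reasons) in zip(SAMPLE_PACKETS, demo()):
        print(f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} {verdict} {reasons}")
```

The third sample packet is rejected at three layers at once; collecting all reasons rather than stopping at the first gives the administrator's log enough to see that an unknown station on a blocked network also tried an unpermitted port, which is the kind of correlation a single-pass design makes cheap.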
Firewall NP (FNP) Design Principles
Two types of network interfaces
Cost-effective platform
Flexible and scalable management
Innovative design
Filtering and control functions
Standard hardware and specific control software
Industrial protocols (Active Directory, OpenLDAP, web control interface)
Patented “address-less” technology
FNP Architecture
[Diagram: incoming traffic enters through stealth incoming interface(s) (1) and leaves through stealth outgoing interface(s) (2). Between them sit the filtering module and the service module (authorization, UI daemon), backed by a cache hierarchy over local storage and external storage. The modules are annotated Ss=F(2), Sf=F(2), =F(1,2). They run over sockets of an open-source OS kernel; a separate control interface manages the device.]
FNP Hardware Platform:
100/1000 Ethernet port (control interface)
100/1000 Ethernet ports: LAN, DMZ, WAN interfaces (stealth mode)
power switch
Scenario 1: content switching (single-box deployment)
[Diagram: Global Internet – ISP network – router or backbone switch – FNP-1000/4 (content switching) – corporate network with web server, ftp servers and end-user segment. The FNP control interface connects to an administrative segment with LDAP and the FNP log files DB.]
Scenario 2: Solution for Data Center (protection environment for complex infrastructure)
[Diagram: Global Internet – Metro WDM Ethernet switch – four FNP-1000/2 units (1, 2, 3, 4) – local Gigabit VLAN switches – switched network infrastructure with protected network segments. The FNP control interfaces sit on a distinct VLAN segment with a DC admin monitor and the log DB; an FNP-100/4S with stealth interfaces acts as internal network sensor with a local admin monitor. Properties: scalability, manageability, availability.]
Scenario 3: dynamic security control (... and third-party integration)
Firewall rules are generated and deleted automatically after WDC logon/logoff of the end user
[Diagram: FNP-1000/4 between the public Internet and a switched internal network; its fnp control interface connects to the admin and Log DB. Internal resources: DNS, ftp-server, NAS-server in the storage domain, a VLAN segment, and the Windows Domain controller / Active Directory.]
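The rule lifecycle described in Scenario 3, as an added Python example that is not Fractel's or the FNP's code: allow rules are generated when the domain controller reports a user logon from a workstation address and deleted at logoff. The event line format, the directory data (GROUP_OF, GROUP_ACCESS standing in for the Active Directory / LDAP lookup) and the MAX_SESSION guard are assumptions made for the demonstration.

```python
"""Logon-driven firewall rules (added example, not Fractel code).

Rules are keyed by the user and the workstation address reported at logon,
created from constructed directory data, removed at logoff and aged out if
no logoff ever arrives. Event lines and directory data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the directory lookup (Active Directory / LDAP in
# the slides): user -> group, and group -> reachable (host, port) pairs.
GROUP_OF = {"alice": "engineering", "bob": "finance"}
GROUP_ACCESS = {
    "engineering": {("ftp-server", 21), ("nas-server", 445)},
    "finance": {("nas-server", 445)},
}
MAX_SESSION = timedelta(hours=10)  # assumption: guard against missed logoffs

@dataclass(frozen=True)
class Rule:
    user: str
    src_ip: str
    dst_host: str
    dst_port: int

class DynamicRuleTable:
    def __init__(self):
        self.rules = {}     # Rule -> time the rule was generated
        self.sessions = {}  # (user, src_ip) -> logon time

    def logon(self, user, src_ip, when):
        """Generate one allow rule per resource the user's group may reach."""
        self.sessions[(user, src_ip)] = when
        for host, port in GROUP_ACCESS.get(GROUP_OF.get(user), set()):
            self.rules[Rule(user, src_ip, host, port)] = when

    def logoff(self, user, src_ip, when):
        """Delete every rule that was generated for this user/workstation."""
        self.sessions.pop((user, src_ip), None)
        for rule in [r for r in self.rules if (r.user, r.src_ip) == (user, src_ip)]:
            del self.rules[rule]

    def expire(self, now):
        """Age out sessions older than MAX_SESSION so that a lost logoff event
        cannot leave a workstation address permitted indefinitely."""
        for (user, src_ip), started in list(self.sessions.items()):
            if now - started > MAX_SESSION:
                self.logoff(user, src_ip, now)

    def permits(self, src_ip, dst_host, dst_port, now):
        """Would a packet from src_ip to dst_host:dst_port be forwarded now?"""
        self.expire(now)
        return any((r.src_ip, r.dst_host, r.dst_port) == (src_ip, dst_host, dst_port)
                   for r in self.rules)

    def handle_line(self, line):
        """Consume one constructed controller event line:
        '<ISO time> LOGON|LOGOFF <user> <workstation ip>'."""
        ts, kind, user, ip = line.split()
        when = datetime.fromisoformat(ts)
        if kind == "LOGON":
            self.logon(user, ip, when)
        elif kind == "LOGOFF":
            self.logoff(user, ip, when)
        else:
            raise ValueError(f"unknown event type {kind!r}")

# Constructed event feed, in the order the domain controller would report it.
EVENTS = [
    "2008-12-01T09:00:00 LOGON alice 10.0.5.21",
    "2008-12-01T09:05:00 LOGON bob 10.0.5.22",
    "2008-12-01T12:00:00 LOGOFF bob 10.0.5.22",
]

def replay(events=EVENTS):
    table = DynamicRuleTable()
    for line in events:
        table.handle_line(line)
    return table

def decisions():
    """Replay the feed and answer a few forwarding questions."""
    table = replay()
    noon = datetime(2008, 12, 1, 12, 30)
    return {
        "rules_after_replay": len(table.rules),                                      # 2
        "alice_ftp_noon": table.permits("10.0.5.21", "ftp-server", 21, noon),        # True
        "bob_nas_after_logoff": table.permits("10.0.5.22", "nas-server", 445, noon), # False
        "alice_ssh_noon": table.permits("10.0.5.21", "nas-server", 22, noon),        # False
        "alice_next_day": table.permits("10.0.5.21", "ftp-server", 21,
                                        datetime(2008, 12, 2, 8, 0)),                # False
    }

if __name__ == "__main__":
    for question, answer in decisions().items():
        print(f"{question}: {answer}")
```

The expire() step is the part a practitioner would insist on: a rule that exists only because a logon event arrived must also disappear when the matching logoff never does (workstation crash, lost event), otherwise the workstation address stays open to whoever uses it next.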
Summary - FNP advantages:
Based on a patented architecture
Delivers security appliance solutions for organizations of all types and sizes
Supports industry standards and third-party integration within the existing network infrastructure.
Increases company productivity through the management of non-business activities.
Decreases bandwidth costs by limiting noncritical network traffic and blocking objectionable URLs and applications.
Compatible with nearly every available cost-effective hardware platform