July 2003
Firewall Network Processor™: basic concept and solutions
FNP™ is a trademark of Fractel Incorporated
Slide 2: Content
Introduction
Network Processor: common aspects
Network Processor: FNP architecture ("stealth" mode, performance, functionality)
Conclusion
Slide 3: Introduction: distributed network concept and security aspects
Distributed Network:
an interconnected grid of paths without sharp boundaries between zones;
the Internet is a superposition of overlay networks without a central or third-party control point.
Security aspects: all of them depend on the concept of trust, third-party or direct.
Where are the boundaries of trust?
[Figure: superposition of overlay layers and networks, with applications 1, 2, ..., i, ..., n stacked on top]
Slide 4: Multilevel network environment and security problems
[Figure: the layers of the network environment (channel structure, physical nodes, virtual grid, packet processes, application processes) set against the threats at each level: virus attack, denial of service, intrusion, data corruption, hacking; label "auth - u/a packets"]
Slide 5: Network security aspects: transit security and traffic regulation
[Figure: network environment from node 0 through nodes x, x+1 to node M; a direct virtual channel carries packets over physical links (bit speed, buffers, packet drops) between TCP protocol and TCP application endpoints, with a feedback virtual channel; transit packet control is distinguished from traffic, transport and application control]
Slide 6: Tasks, technology, products
Tasks (communication): share information and applications, remote access, Internet presence
Technology: filtering, tunnelling, authentication, encryption, management
Products: firewall, anti-virus, VPN, PKI, security management
Slide 7: Security concept and basic components
Concept: multi-layer packet processing which retains the openness of the original Internet design.
Basic components: an administrative solution, including VLANs, Access Control Lists and MAC locks; a special network processor which separates data traffic and provides authentication and encryption.
Slide 8: Network Processor: common aspects
Definition: NPs are programmable devices aimed generally at communication tasks and packet-specific data sets.
Challenge: What software architectures are effective for network tasks? Why do we need new functionality? What do network processors do?
Prototypes:
Intel IXP 1200: a special chip which combines a high-speed core with a system bus and 6 programmable microengines.
Interphase iNAV4000: a PCI chip which offers unparalleled features including packet processing and switching.
Slide 9: Basic types of hardware architecture
GPP: general purpose processor
CSI: common switch interface (packets)
PHY: physical network interface (bytes)
[Figure: three variants of NP hardware architecture built from GPP, RAM, system bus, PHY, CSI, NP, co-processor and DMAC blocks; the third variant separates a control plane (GPP, RAM, system bus) from a data plane (PHY, CSI, NP with its own RAM and DMAC)]
Slide 10: FNP core
[Figure: incoming traffic enters through the incoming interface(s) and leaves through the outgoing interface(s); the core consists of a filtering module, a service module (logging, authorization, UI daemon), local storage, external storage and a cache hierarchy; the two interfaces are numbered 1 and 2 and annotated Ss=F(2), Sf=F(2) =F(1,2)]
Slide 11: NP: basic characteristics
Manipulate packet-specific data on Internet layers 2-4.
Based on an open software interface.
Performance, openness, programmability.
Target: deliver hardware-level performance of packet processing tasks to a software-programmable system.
Slide 12: Packet processing tasks
parse, search/resolve, modify, forward
Silicon design: wire-speed performance, but limited flexibility.
Program design: new features can be added, but limited performance.
Slide 13: Firewall Network Processor (FNP)
Processing tasks:
identifying a packet based on header characteristics (address, VC, protocol, etc.);
forwarding or discarding a packet to the appropriate interface(s) (security policy rules).
Specific tasks ("stealth" mode):
no modification (no updating of fields in the packet header);
no scheduling (no queuing for specific applications);
speed improvement through parallel processing (cluster) and pipeline processing (conveyor).
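As an added illustration (not Fractel's code or FNP firmware), a Python model of the stealth-mode verdict logic described above: classification on header fields only, first matching rule wins, default discard, and the packet is handed back byte-for-byte unchanged with no per-application queue. The rule format, addresses and interface names are constructed for the example.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # header-only criteria: address, protocol, port (hypothetical format)
    dst: ipaddress.IPv4Network
    proto: Optional[int]        # IP protocol number, None = any
    dport: Optional[int]        # TCP/UDP destination port, None = any
    action: str                 # "forward" or "discard"

def parse_headers(pkt: bytes) -> dict:
    """Read only the IPv4/L4 header fields the filter classifies on; pkt is never written."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    h = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
         "proto": proto, "dport": None}
    if proto in (6, 17) and len(pkt) >= ihl + 4:  # TCP/UDP: ports follow the IP header
        h["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return h

def classify(pkt: bytes, rules: list, in_iface: str, peers: dict) -> tuple:
    """First matching rule decides; unmatched traffic is discarded (default deny).
    Returns (action, out_iface, pkt) with pkt the very same object: nothing is rewritten or queued."""
    h = parse_headers(pkt)
    for r in rules:
        if (h["src"] in r.src and h["dst"] in r.dst
                and (r.proto is None or r.proto == h["proto"])
                and (r.dport is None or r.dport == h["dport"])):
            return r.action, (peers[in_iface] if r.action == "forward" else None), pkt
    return "discard", None, pkt

def build_ipv4(src: str, dst: str, proto: int, dport: Optional[int] = None) -> bytes:
    """Constructed sample packet (not captured traffic): 20-byte IPv4 header plus L4 ports."""
    pkt = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if dport is not None:
        pkt += struct.pack("!HH", 40000, dport)  # source port, destination port
    return pkt

ANY = ipaddress.ip_network("0.0.0.0/0")
# Policy for a two-port stealth bridge between a WAN and a DMZ port (constructed example)
RULES = [
    Rule(ANY, ipaddress.ip_network("203.0.113.10/32"), 6, 80, "forward"),   # HTTP to web server
    Rule(ANY, ipaddress.ip_network("203.0.113.53/32"), 17, 53, "forward"),  # DNS to DNS server
]
PEERS = {"wan": "dmz", "dmz": "wan"}  # each stealth port forwards only to its opposite
```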
Slide 14: FNP specific design
"stealth" mode for packet processing (no MAC or IP address on PHY interfaces)
"orthogonal" address spaces for control and data interfaces
cluster architectures
specific structure of buffer and cache memory (depends on the fractal nature of network traffic)
multi-protocol IP/IPX scalable firewall solution
Slide 15: Architecture for secure corporate network
[Figure: an Open Network Segment and a VPN Segment; elements shown: web portals, database, DNS servers, confidential catalogues and data]
Slide 16: FNP-100 Security Platform
[Figure: the appliance with one 10/100 Ethernet port as control interface, 10/100 Ethernet ports for the LAN, DMZ and WAN interfaces (stealth mode), and a power switch]
Slide 17: Stealth and control interfaces
[Figure: Global Internet, ISP network, corporate router or backbone switch, DMZ with web server and application servers, protected network segment of the corporate network, admin WS with modem dial-up access or terminal access and LAN access; an FNP-100/4 with a private IP address on its control interface (RS232 or Ethernet) and stealth interfaces (no MAC and IP addresses)]
Slide 18: FNP redundancy mode
[Figure: a primary domain and a redundant domain, each an FNP-100/2 with stealth interfaces; synchronization processes run via the control interfaces over a control VPN or trusted distinct network segment; surroundings: ISP network, access segments, backbone switches, router or LAN backbone switches, corporate segments, protected servers and hosts, NAS or IDS, control or admin WS]
Slide 19: FNP-1000 Cluster Platform
[Figure: switched network infrastructure between the Global Internet and the protected network segment; a cluster of security appliances (four FNP-1000/2 units, numbered 1-4) fed by WDM access (1,...,4 modes), MUX or multi-Gigabit VLAN Ethernet splitter, with stealth Gigabit Ethernet interfaces towards access Gigabit VLAN switches; control interfaces on an internal Ethernet 100BT switched infrastructure forming a control distinct network with internal network sensor, admin WS, NAS or IDS and an FNP-100/4S]
Slide 20: Multi-layer security conveyor
[Figure: from the public Internet inward: an FNP-100/4 at the external perimeter of the secure network, common network elements (router, Ethernet switch, switch, DNS, web server, firewalls, VPN server), two FNP-100/2 units at the inner perimeter of the secure network, then the secure segment of the corporate network (admin WS, info security server, computing cluster/IDS system, NAS server network storage) and the corporate segments and users; flows marked: transaction data, control commands, SNMP data]
Slide 21: Performance characteristics
[Plot 1: throughput (Mbps, 0-120) vs packet size (byte, 0-2000); series FNP and PC]
[Plot 2: throughput (Mbps, 0-120) vs number of rules (0-2000); series FNP and PC]
Slide 22: Conclusion
Network Processor (NP): a new type of programmable device for network-specific applications.
FNP (Firewall NP): a scalable network device based on an open-source OS, a standard PCI platform and "stealth" interfaces.
FNP can be viewed as a platform for broad types of network appliances based on cluster architecture and multi-layer packet processing.