X-Series Architecture

Presentation transcript:

X-Series Architecture Overview for Systems Engineers

Hardware

XOS (X-Series Operating System)

Designed for scalability and performance
- Providing 5Gbps to 40Gbps performance
- Change-Ready to 160G

X45: Designed to meet physical space constraints
- Providing 5Gbps to 20Gbps performance
- Change-Ready to 80G

NPM (Network Processor Module)
- Connectivity & Load Balancing for all applications
- Up to 2 x 10G ports / NPM
- Up to 10x 1G ports / NPM

APM (Application Processor Module)
- Example: Run-Time engine for the Application

CPM (Control Processor Module)
- Master control and monitoring for chassis & modules

Harddisk

© 2009 Crossbeam Systems

X-Series Chassis Features

14 Slot Chassis
- 18U Rack Units
- Modules: Up to 4 NPM, 10 APM, 2 CPM
- Interfaces: 8x 10G xFP, 40x 1G SFP
- Application Performance: 40Gbps

X45: 7 Slot Chassis
- 8U Rack Units
- Modules: Up to 2 NPM, 5 APM, 2 CPM
- Interfaces: 4x 10G xFP, 20x 1G SFP
- Application Performance: 20Gbps

Redundant: Fans, PSUs, Backplane

Common Operating System Feature Set

Basic Architecture

Crossbeam Approach… The Next Generation Security Platform

- Network Processor Modules: Policy switching, load balancing
- Application Processor Modules: Virtualized security application delivery
- Control Processing Modules: High availability monitoring, fail over, self-healing

[Diagram labels: FW, IPS, L2, LB, LB, Internet]

Crossbeam has a fundamentally different approach to deploying security services. Our Next Generation Security Platform allows enterprises and service providers to consolidate network infrastructure (switches, load balancers, patch cabling & power cords) and appliances supporting security applications, “virtualize” the delivery of security applications and dramatically simplify deployment and on-going management.

First, each network processing module creates a high-performance switching fabric (10Gbps of super low latency forwarding capability) that consolidates layer 2 switches and load balancers. Crossbeam replaces each of the layers of network “glue” in its Network Processing Modules. It then creates a virtual instance of these capabilities so that it can recreate the sequence of security services through a sequenced flow of traffic (e.g. IPS first, then firewall).

Next, the application processor module “virtualizes” processing power for various best of breed 3rd-party security applications. Each APM is a fully hot-swappable dual core Intel-based processor supporting up to 4GB of memory and one or two 100GB disks that can mirror each other. The actual services are absorbed into the Application Processing Modules (APM). APMs have no inherent profile, so one APM or multiple APMs can become any service (e.g. firewall or IPS) the administrator assigns. Thus, racks of IPS devices and racks of firewalls or any other security appliance can be virtualized.

Finally, the Control Processor Module (CPM) provides the key management interfaces and capabilities to the rest of the chassis. Administrators create on the CPM a virtual representation of the chassis, which services will run on which blades and how policy selection is governed. As the chassis and its components come on line they assume the identity and behaviors that the administrator has previously assigned in the virtual representation. The CPM also governs failover policies, service priority and service pre-emption rights. For example, a firewall service may be provisioned in such a way that on failure it will automatically “borrow” processing resources from a lower priority service. Thus…

X-Series Physical Architecture

Switched control path:
- 1 Gbps full duplex links
- Physically isolated control network

Modules:
- 2 CPMs
- Up to 10 APMs
- 2 - 4 NPMs

Switched data path:
- 160 Gbps of backplane capacity
- 3.2 Gbps full duplex links between each NPM and each APM
- Up to 4 switching fabrics per chassis (one per NPM)

[Diagram labels: Mgmt, Firewall Group, Secure Web Gateway, IPS Group, Dynamic Standby, Data]

Main message: Only by parallelizing computes can you keep up with application processing requirements.

Crossbeam Confidential

Secure Flows Processing: Serialization

Flow Processing: The ability to move traffic / data between APMs within the X-Series chassis. There is “NO” requirement of a physical interface to pass traffic between the APMs.

[Diagram labels: X45 / X80 Chassis, NPM, Firewall, Firewall APMs, Trend Micro InterScan VirusWall, IPS / Content APMs, NPM]

Secure Flows Processing: Parallelization

[Diagram labels: X45 / X80 Secure Flow Processing, NPM, Trend Micro InterScan VirusWall, Firewall, IDS/IDP, Content Scanning, URL filtering APMs, Firewall APMs, IDS APMs, NPM]

XOS™ Virtualization Workflow (X45 / X80)

- Add Application Modules (Virtual Application Processors) to VAP-Group
- Create VAP-Group
- Interconnect VAP-Group with Port via Circuit
- Define Circuit + IPs: 10.10.10.(x-y)/24, VLAN 1010
- Install a single Application inside VAP-Group
- Choose Physical NPM Port
- Configure Application via ISV Tool

X-Series Logical Architecture

[Diagram labels: X-Series Backplane; Internet; Mgmt; Internet DMZ 192.168.2.0/24; IP .1+.2, vIP .254; Promiscuous Mode; FW; AV; IDS; Central Storage Access via NFS Mounts; DMZ; IP .1 + .2; IP .1; 10.1.1.0/24; IDS; AV; IP .1+.2, vIP .254; IP .3+.4, vIP .253; Mgmt; FW; 192.168.1.0/24; NPM; APM; CPM]

High Availability

Redundancy

- Backplane trace redundancy: 1:1
- CPM redundancy: 1:1
- NPM redundancy: 1:1
- APM redundancy: 1:N load sharing
- Fan redundancy: 1:1
- Service restoration: < 1 second; < 60 seconds (cold standby APM)
- No single point of failure
- Hot swap modules
- 99.999% availability
- In-service upgrade hardware and software

Single Box High Availability (Physical)

Physical-level SBHA
- Redundant power/fans/modules
- Ex. Redundant CPMs

Network-level SBHA
- Interface redundancy: Active/Standby, “VRRP-like”, simpler to deploy, better response
- Multi-link trunking (MLT): via LACP, Active/Active, up to 8 ports per group
- Layer 2 or 3 network connections

CPM Availability
- CPM works in Active/Standby mode
- In the event the primary fails, the secondary is automatically enabled

The X-Series stands alone in the industry in providing true single box high availability: on a physical level, at a network level, and at an application level. On a physical level, the chassis provides redundant power supplies with separate connectors and redundant fans/CPMs/APMs/NPMs. At a network level: interface redundancy, multi-link trunking… and redundant modules, the CPM for example.

Single Box High Availability (Logical)

Load Balancing and Self Healing: Leading to Lower Operating Risk

[Diagram labels: VAPS, FIREWALL, STANDBY, IPS, FAILED; Load/Capacity Utilization, 0% to 100%]

- APM in IPS VAP group fails
- NPM moves traffic to available APM
- Standby VAP boots with same image
- NPM balances flows
- APM in Firewall VAP group fails
- NPM moves traffic to available APMs
- Firewall preempts IPS
- Failed IPS module is replaced
- Module boots as IPS to replenish VAP group
- Failed Firewall module is replaced
- Module boots as Stand-By VAP
- Automatic reversion avoided

Load Balancing & Self Healing (notes)

- APM in IDS VAP group fails; the failure could be an application or module failure
- NPM moves traffic to available APM
- Standby VAP boots with same image
- NPM distributes new flows to new VAP to balance load
- APM in FW VAP group fails
- NPM moves traffic to available APMs
- FW preempts IDS; IDS APM is booted as a FW
- The failed IDS card is replaced
- Card boots as IDS to replenish VAP group
- The failed FW card is replaced
- Automatic reversion is avoided as this causes a second hit
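
The failover sequence above, replayed as a small state model. This is an added example, not Crossbeam or XOS code: the slot names, group sizes, numeric priorities and the rule that a replacement module fills the highest-priority short group are assumptions made for illustration.

```python
# Toy model of the slide's failover sequence (added example, not XOS code).
# Slot names, group sizes and the numeric priorities are constructed.
from dataclasses import dataclass, field

@dataclass
class Chassis:
    priority: dict    # VAP group -> priority (higher wins)
    configured: dict  # VAP group -> configured APM count
    groups: dict      # VAP group -> set of running APM slots
    standby: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def fail(self, slot):
        """An APM or its application fails: restore the group's capacity."""
        group = next(g for g, s in self.groups.items() if slot in s)
        self.groups[group].discard(slot)
        self.log.append(f"{slot} failed; NPM moves {group} flows to remaining APMs")
        if self.standby:  # standby VAP boots with the failed group's image
            spare = min(self.standby)
            self.standby.discard(spare)
            self.groups[group].add(spare)
            self.log.append(f"standby {spare} boots as {group}")
            return
        # No standby left: take an APM from the lowest-priority group below us.
        donors = [g for g in self.groups
                  if self.priority[g] < self.priority[group] and self.groups[g]]
        if donors:
            donor = min(donors, key=self.priority.get)
            taken = min(self.groups[donor])
            self.groups[donor].discard(taken)
            self.groups[group].add(taken)
            self.log.append(f"{group} preempts {donor}: {taken} boots as {group}")

    def replace(self, slot):
        """A replacement module is inserted: replenish a short group, else stand by."""
        short = [g for g in self.groups if len(self.groups[g]) < self.configured[g]]
        if short:
            group = max(short, key=self.priority.get)
            self.groups[group].add(slot)
            self.log.append(f"{slot} boots as {group} to replenish the group")
        else:  # no automatic reversion: moving a running APM back is a second hit
            self.standby.add(slot)
            self.log.append(f"{slot} boots as standby")

def slide_scenario():
    c = Chassis(priority={"firewall": 2, "ips": 1}, configured={"firewall": 3, "ips": 2},
                groups={"firewall": {"apm1", "apm2", "apm3"}, "ips": {"apm4", "apm5"}},
                standby={"apm6"})
    c.fail("apm5"); c.fail("apm1"); c.replace("apm5"); c.replace("apm1")
    return c
```

In this model the IPS group runs on a single APM between the firewall preemption and the IPS module replacement, so the preemption event is the point at which inspection capacity drops and is the one worth alerting on.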

Multiple box redundancy

- If IPS only, DBHA is based on spanning tree
- VRRP is of interest when IPS comes with firewall
- VRRP-like on out-of-band link(s)
- Interface grouping to avoid black hole situations
- Fail-over triggered by:
  - Interface failure (calculation based on weights)
  - APM(s) failure (triggered by the number of APMs)
  - CPM failure
  - Next hop health check
- VRRP available on internal circuit
- Trap/Syslog messages

[Diagram labels: Intranet 192.168.1.0/24, Secondary path, X80a VRRP master, X80b VRRP backup, HA Link]

- VRRP Sync state sent across HA Link
- Active flow states are synchronized