1 Force10 Networks Security 2007 Denver – April 11, 2007 Debbie Montano
2 Special Note Regarding Forward-Looking Statements This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words “anticipates,” “believes,” “estimates,” “expects,” “intends,” “may,” “plans,” “projects,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward-looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements.
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release and timing of any features or functionality described for our products remains at our sole discretion.

3 Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap

4 The Challenge of Security: University Networks
Highly skilled users (x,000 sys admins)
Firewall policies difficult to match to dynamic applications
Diverse desktops plus wireless clients that the university cannot easily control
Traditional corporate threats (large-scale credit card thefts, DDoS blackmailing, etc.) now faced by universities

5 Trends for High Speed Security and Monitoring in Universities
Link speeds increasing faster than edge and campus security systems
Increasing traffic and growing security threats create new requirements
–Full security that can protect 100% of traffic without impacting performance
–Flexibility to ensure more efficient response to unknown or malicious traffic

6 Securing 10 GbE WANs
“Do” the following at 10 Gbps:
–Deep packet inspection ("visibility")
–Attack detection (IDS)
–Packet filtering (firewalling)
–DoS and DDoS protection (traffic rate shaping and rate limiting)
Much less so...
–VPNs and site-to-site encryption (most likely IPsec based)
–Bots and other large-scale worms/viruses
–Honeypots / honeynets
–Source port verification

7 Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap

8 Force10: Pioneers in 10 GbE Switching & Routing
Founded in 1999
First to ship line-rate 10 GbE switching & routing
Pioneered new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies
Customer base spans academic/research, data center, enterprise and service provider

9 Acquisition of P-Series Platform
Force10 pioneered 10 GbE switching and routing
Vision to become the next great networking company
Applying high performance switching and routing innovation to network security
Recommended to us by leading R&E and Gov’t customers

10 Force10 Product Portfolio: Industry Leading Density, Resiliency & Security
[Portfolio graphic; chassis model numbers and Tbps figures were not recovered]
E-Series chassis (1/6, 1/3 and 1/2 rack): up to 288, 630 or 1,260 GbE ports; capacity to grow for 10+ years
S-Series 1-RU switches: S50 (48 GbE, 2 x 10 GbE); S50V (48 GbE PoE, 4 x 10 GbE); S25P (24 GbE, 4 x 10 GbE)
P1/P10: line-rate Gbps & 10 Gbps IDS/IPS

11 P-Series Development
Originally funded by NSF grant
Subsequent application funding by:
–USAF (design of 10 GbE card)
–NSA (surveillance inside IPv6 traffic)

12 Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap

13 Network Security Evolution
[Diagram: four generations plotted against increasing performance]
Software based, central CPU: slow, < 100 Mbps
ASIC assist to central CPU: better filtering, active protection; GbE up to 2 Gbps
Custom hardware in an appliance: dynamic mapping of inspection policies into hardware; Force10 P-Series, line-rate 10 GbE performance; designed for 20 – 80 Gbps
Custom hardware integrated into modular switches & routers: full security integration on every port all the time; designed for 336 – 672 Gbps

14 Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security
Fundamentally new architecture at the core of the P-Series
–DPI delivers the highest deep packet inspection scalability and flexibility in the industry
–Apply thousands of signatures to every packet in parallel
Open programmability at 10 GbE delivers leading flexibility
–Create signatures in hardware to speed processing
Parallel processing ensures massive rule scalability under all traffic loads

15 Inside the 10 GE linecard

16 1-10 Gbps Programmable Network Security
Open architecture to leverage open source software
–More robust, more flexible, promotes composability
–Hardware acceleration of important network applications
–Abstract hardware as a network interface from the OS perspective
Retain high degree of programmability
–Extend to applications beyond IDS/IPS
–New threat models (around the corner)
Line-speed/low latency to allow integration in production networks
–Unanchored payload string search
–Support analysis across packets
–Gracefully handle state exhaustion
Hardware support for adaptive information management
–Detailed reporting when reporting bandwidth is available
–Dynamically switch to more compact representations when necessary
–Support the insertion of application-specific analysis code in the fast path

17 Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap

18 Firewall IDS/IPS
High performance (> 330K cps; 20 Gbps)
Unique level of programmability
–What is IN and what is OUT?
–Two organizations sharing each other’s services
–Insider attacks
–Can define stateful policies asymmetrically or symmetrically
–Hardcode part of the policies in hardware
–Keep software-like flexibility
–Can code specific policies directly into the fast path
Layer-1
–Invisible; µs latency
–True line rate (20 Gbps)
–Drops in and out with NO L2/3 reconfiguration

19 10 GbE Inspection and Blocking: Needles & Haystacks
Ability to define "internal" and "external" interfaces:
–Custom rules based on traditional firewall controls (source, destination, mask, range, protocol, service & port, VLAN)
–Stateful: allow connections opened from the inside to go out, but stop unsolicited external traffic from coming in
Parallel processing provides rule logic flexibility
–Rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
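As an added illustration (not Force10 code and not the P-Series rule language), the following Python models the rule logic this slide describes: rules bound to an "internal" or "external" interface, stateful admission of return traffic for flows opened from the inside, and ordered rules where a later match overrides an earlier one unless a rule is marked as an explicit override (the whitelist case). The address plan, rule fields and sample packets are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # ingress interface: "internal" or "external" (constructed)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP connection attempt (SYN without ACK)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    iface: str = "any"          # ingress interface the rule is bound to
    dst: str = "0.0.0.0/0"      # destination prefix (traditional firewall control)
    dport: Optional[int] = None
    proto: str = "any"
    final: bool = False         # explicit override: stop evaluating later rules

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.proto in ("any", p.proto))


@dataclass
class StatefulFilter:
    rules: List[Rule]
    flows: Set[Tuple] = field(default_factory=set)   # admitted flows (5-tuples)

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Stateful path: a reply to a flow admitted outbound is let back in
        # without consulting the static rules.
        if p.iface == "external" and rev in self.flows:
            return "permit"
        verdict = "deny"                 # default deny if nothing matches
        for r in self.rules:             # rules are evaluated in order; a later
            if r.matches(p):             # match overrides an earlier one ...
                verdict = r.action
                if r.final:              # ... unless the rule is an explicit override
                    break
        if verdict == "permit" and (p.proto == "udp" or p.syn):
            self.flows.add(fwd)          # remember the flow so replies get back in
        return verdict


# Constructed policy: campus (10.0.0.0/8) may initiate anything; one public web
# server is whitelisted with an override; other unsolicited inbound is denied.
RULES = [
    Rule("permit", iface="internal"),
    Rule("permit", iface="external", dst="10.1.1.80/32", dport=80, proto="tcp", final=True),
    Rule("deny", iface="external", dst="10.0.0.0/8"),
]


def run_sample() -> List[str]:
    """Run four constructed packets through the policy and return the verdicts."""
    fw = StatefulFilter(RULES)
    traffic = [
        Packet("internal", "10.2.3.4", "198.51.100.7", "tcp", 40000, 443, syn=True),  # outbound HTTPS
        Packet("external", "198.51.100.7", "10.2.3.4", "tcp", 443, 40000),            # its reply
        Packet("external", "203.0.113.9", "10.2.3.4", "tcp", 5555, 22, syn=True),    # unsolicited SSH
        Packet("external", "203.0.113.9", "10.1.1.80", "tcp", 5556, 80, syn=True),   # whitelisted web
    ]
    return [fw.decide(p) for p in traffic]   # ["permit", "permit", "deny", "permit"]
```

Removing `final=True` from the whitelist rule makes the later deny rule win for the web server packet, which is the difference between "summed" rules and an explicit override.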

20 IPS Application
Industry’s first IPS to support line-rate 10 GbE inspection on every packet
SNORT 2.0 rules compiler
Expansion to any rules base:
–Gov’t customers utilizing Bro
–R&E customers utilizing PF firewall rules
–Growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)
Resilient system architecture
–Inspection ports are invisible to attackers
–System does not fail under high load conditions
–No active components (CPU, PCI bus) in data path
Used inline, offline, or as a pre-filter
Mixed inspection/capture and clean/block policies
[Diagram labels: Good / Captured Traffic; Monitoring; Packet Capture; Custom Rules; Signature Detection; Stateful Packet Firewall; Intrusion Protection]

21 Over 1500 Signatures Supported
Sample IDS/IPS signatures:
Layer 3 IP Protocol
–Unknown IP Protocol
–RFC1918 address
–Ping Of Death
TCP
–Netbios OOB Data
–Windows RPC DCOM Overflow
–Sametime Activity
–Worm Mitigation
UDP
–Snork, MP2P Client Scan
IP OPTIONS
–BAD IP OPTION
–Record Packet Rte
ICMP
–ICMP Echo Rply, ICMP Unreachable
–ICMP Src Quench
HTTP
–HTTP tunneling
–AIM/ICQ Through HTTP Proxy
–MSN Messenger Through HTTP Proxy
–Yahoo Messenger Through HTTP Proxy
DNS
–DNS Request All
–DNS SIG Overflow
SMTP
–SPAM attacks (SMTP RCPT TO: Bounce)
–Lotus Notes Mail Loop DoS
FTP
–FTP Improper Address, FTP Improper port
RPC
–RPC Dump, Proxied RPC

22 Campus and WAN Applications for Universities
Universities are deploying P-Series in WAN edges and in high speed cores
Key applications
–1 & 10 GbE IDS/IPS (SNORT, Bro, or custom)
–10 GbE firewalling and deep packet inspection
–High speed network monitoring
–Flexible, customized wire-speed packet analysis
[Diagram labels: WAN; Campus Core]

23 University Innovators
Univ. of Nebraska’s PKI Institute:
–In conjunction with Dept. of Homeland Security, runs security research lab
–Uses P10 inline to accelerate SNORT for high speed core
Oxford University:
–“Argus” research group ( )
–Customized packet analysis for high speed networks
University of Cal., Santa Cruz:
–1 Gigabit inspection for WAN edge
–Facing WAN edge inline, filters “hay” from needles
–Presentation of UCSD High Speed IDS at:

24 High Performance Surveillance
Technically a “hard problem”: high performance inspection with open programmatic flexibility to meet the dynamic, fast-changing requirements of Lawful Intercept
Key system design goals
–Predictable
–Provable - Legal
–Responsive (low latency)
–Simplicity / reliability
–Secure (access and capture)
–Packet/frame/IPv agnostic
–Ideally, as few boxes as possible

25 Surveillance Application
Technical features for lawful intercept include:
–Stateful rules
–Line-rate capture performance; no packet loss under full load
–Hardware-based packet time stamping
–Exact search and match strings in known and “unanchored” search criteria across IPv4 and v6
–No extra packet buffering or “contaminants”
–Gracefully handle state exhaustion
–Scaling to 1000 (16 byte) on-the-fly dynamic searches
–Secure, remote box management via SSH
[Diagram labels: E600 or E1200; POP; Storage Servers; Internet; P-Series P1 or P10]

26 Configuration + Reporting
Compile policies off-line
–Makefile (open Unix CLI environment)
–Add user code in fast path
Add Permit and Deny on the fly
–Immediate action
Run any pcap application on interface
–Use Snort’s output plugins  syslog, , packet archive
MIB-II Host/Interface Monitoring
–Disk, daemons, SNMP traps

27 Agenda
University Security Challenges
Force10 and P-Series Overview
Key Technology
Applications
Platform Details and Roadmap

28 Available Today
P10 PCI-X Card (10 GbE interface)
–High speed PCI card in 1U chassis
–Wire-speed stateful deep packet inspection; 20G-in/20G-out
–2 x 1 GbE mirror ports
–8000 static rule capacity; 600 dynamic rules
–8 million concurrent flows
P1 PCI Card (GbE interface)
–High speed PCI card in 1U chassis
–Wire-speed stateful deep packet inspection; 2G-in/2G-out
–1000 static rule capacity; up to 200 dynamic (currently being increased)
–2 million concurrent flows
–Line-rate IPv6
P1/P10 Appliance
–1U host embeds a P1 or P10 PCI card
–Software and drivers pre-installed and pre-configured

29 Deployment Models
[Diagram labels: Sensing & Mirroring port; Logging port or PCI interface; Sensing port]
Inline Operation
 Block unwanted traffic
 Capture interesting flows
 Good traffic passes thru
 Two sensing ports (full duplex) + two mirroring ports
Passive Operation
 Capture interesting flows
 Up to two sensing ports

30 High Availability
No power
–Stateful in-line  no packet loss; no loss of connection state
–Traditional rerouting  L2/L3 convergence time; loss of state
Based on external bypass units
All state maintained by active-active P10s
[Diagram labels: Reporting; Bypass]

31 Power Failure
No power
–Stateful in-line  no packet loss; no loss of connection state
–Traditional rerouting  L2/L3 convergence time; loss of state
[Diagram labels: CPU; Reporting; Bypass]

32 OS Upgrade
Soft reboot, OS reconfiguration, change OS
–Forwarding + policies are unaffected; no loss of connection state
–Once upgrade is over, OS reattaches to forwarding path
[Diagram labels: CPU; Reporting; Bypass]

33 Policy Update
Fast-path reconfiguration (new policies are added/deleted)
–Loading new static policies  open for < 1s; loss of connection state
–Loading dynamic policies  no loss of state
[Diagram labels: CPU; Reporting; Bypass]

34 Summary of Differentiation
Always line-rate
–Unanchored payload string search
–Support analysis across packets
–Gracefully handle state exhaustion
Retain high degree of programmability
–Architecture guarantees determinism
–New threat models (around the corner)
Open architecture to leverage open source software
–More robust, more flexible, promotes composability
–Abstract hardware as a network interface from the OS perspective
–Future proofing to extend to applications beyond IDS/IPS
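Slides 16, 25 and this summary list three properties of the fast path: an unanchored payload search (the pattern may sit at any byte offset), analysis across packet boundaries, and graceful behaviour when flow state is exhausted. The following Python is an added software model of what those three properties mean together; it is not Force10 code or a description of the P-Series hardware. Per-flow tail buffers let a pattern split across two segments still match, and a bounded flow table evicts the least recently seen flow instead of failing. The flow keys, signature string and packets are constructed.

```python
from collections import OrderedDict
from typing import List, Tuple


class CrossPacketMatcher:
    """Unanchored byte-pattern search over each flow's payload stream.

    Only the last len(pattern)-1 bytes of a flow are retained, which is all
    that is needed to catch a pattern straddling two packets. The flow table
    is bounded; when full, the least recently seen flow is evicted, so that
    flow degrades to per-packet matching rather than the search failing.
    """

    def __init__(self, pattern: bytes, max_flows: int) -> None:
        self.pattern = pattern
        self.max_flows = max_flows
        self.tails = OrderedDict()   # flow key -> trailing bytes, LRU ordered
        self.evictions = 0           # state-pressure counter worth exporting

    def _tail(self, key: Tuple) -> bytes:
        if key in self.tails:
            self.tails.move_to_end(key)
            return self.tails[key]
        if len(self.tails) >= self.max_flows:
            self.tails.popitem(last=False)   # graceful handling of state exhaustion
            self.evictions += 1
        return b""

    def inspect(self, key: Tuple, payload: bytes) -> bool:
        """Return True if the pattern appears at any offset in this packet or
        straddles the boundary with the previous packet of the same flow."""
        window = self._tail(key) + payload
        hit = self.pattern in window
        keep = len(self.pattern) - 1
        # The tail is shorter than the pattern, so a hit always includes at
        # least one byte of the current packet and is never reported twice.
        self.tails[key] = window[-keep:] if keep else b""
        return hit


def run_sample() -> Tuple[List[bool], int]:
    """Constructed traffic: the signature string is split across two segments
    of flow_a; a third flow overflows the two-entry flow table."""
    m = CrossPacketMatcher(b"CONSTRUCTED-SIG", max_flows=2)
    flow_a = ("tcp", "10.2.3.4", 40000, "198.51.100.7", 80)
    flow_b = ("tcp", "10.2.3.5", 40001, "198.51.100.7", 80)
    flow_c = ("tcp", "10.2.3.6", 40002, "198.51.100.7", 80)
    packets = [
        (flow_a, b"GET /search?q=CONSTRUC"),        # first half of the pattern
        (flow_b, b"GET /index.html HTTP/1.0\r\n"),
        (flow_a, b"TED-SIG HTTP/1.0\r\n"),          # second half: matched via tail
        (flow_c, b"GET /robots.txt HTTP/1.0\r\n"),  # table full: flow_b evicted
        (flow_c, b"q=CONSTRUCTED-SIG"),              # whole pattern at offset 2
    ]
    hits = [m.inspect(k, p) for k, p in packets]
    return hits, m.evictions   # ([False, False, True, False, True], 1)
```

A hardware implementation would bound the table by flow count and memory rather than a Python dictionary, but the trade-off is the same: after an eviction the affected flow can only be matched within single packets until new state is created for it.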

35 P-Series Delivers Industry’s Highest Performance and Lowest Price Per Gbps
[Charts: price per Gbps vs throughput, and % line-rate throughput with 100% rules vs traffic throughput (2 Gb to 20 Gb), Force10 P-Series vs traditional IPS]

36 Competitive Analysis Summary
Columns: Force10 | Cisco | Juniper | Endace | Bivio
Interface Options: 2 x 10 GbE | 2 to 5 10/100/ to 6 10/100/1000 NIC or App. | 4 x 1 GbE, 2 x 10 GbE | 12x GE, 6x GE Fiber, 2 x 10GE
Interface Speed: Line-rate 10 GbE | 1 GbE OS | 10 GbE OS | 10 GbE OS
Total Throughput: 20 Gbps | 800 Mbps | 1 Gbps | 5 Gbps | 10 Gbps
Latency: ~16 us | 750 us | 100 us | 215 us
Rule Flexibility: Open; Snort | Proprietary | Capture-only | Proprietary
TCP: 2-8,000,000 | 1, ,000 | 2,000,000
Price Range: $130,000 | $40,000 | $57,000 | $120,000 | $200,000
Signatures: 8000 | 1, ,400 | 3,000
Placement: Inline/Offline | Offline | Inline/Offline

37 P-Series PTSP Roadmap
Timeline: 2.1 May 31, July 31, 2007
Hardware
–P10: 8000 signatures; 2 x 1 GbE mirror ports
Software
–Session scaling to 8M
–Blocking during boot
–Field upgradeable FPGAs
–PCI-X core
–Stateful temporary packet capture API
–Linux driver support
–Dynamic content rules
–Mirroring
–Management UI
–Rules counter
–Line-rate stateful firewall
–IPv6
–Packet re-write
Legend: Black = committed feature; Red = targeted feature; Blue = feature on our radar

38 Debbie Montano, Director of Research & Education Alliances