Published by Eleanor Armstrong. Modified over 8 years ago.

Rethinking the Network With X-Series
Nathan Brady – Technical Marketing
Blue Coat Confidential

© Blue Coat Systems, Inc. 2012. Blue Coat Confidential

Typical Defense-in-Depth Strategy
- Layer 2 switches for interconnectivity
- Application load balancers for scalability / flow management
- High-speed edge routers
- Internet core or distribution layer routing
- Defense in depth: Firewalls, IPS, Antivirus, Content and URL Filtering, and other security services

Consolidating with Next-Generation Firewalls
Next-Generation Firewall Benefits
- Fewer devices
- Less network complexity
- Reduced CAPEX and OPEX
- Increased availability
Consolidate all of these devices… …onto this pair of NGFW devices.
Next-generation firewalls promise outstanding device consolidation, but raise new questions…
“Will the all-in-one features in NGFW appliance satisfy my security needs?”
“Will NGFW appliances meet current and future performance needs of my network?”

Can NGFW Appliances Keep Up?
[Chart: Performance Impact of Security on NGFW Appliances. Axes: Throughput (Gbps), 0 to 70; Security Features Enabled. Chart labels: Great large packet performance; Use realistic protocols and traffic sizes; Identify users and applications; Enable Light-Duty IPS.]
…based on datasheet numbers* with optimal port configuration, small policies, no redundancy, few IPS features, and no logging.
*As of March, 2012

A Constellation of Metrics
[Diagram: Network Performance, surrounded by Connections per second, Concurrent Connections, Security Applications Deployed, Packet Sizes, Protocol Mix, Application Features Enabled.]
Vendor data sheets list a few metrics, but each independently. But what about other metrics? How does each of these impact network performance?
Security infrastructure should be able to adapt to changing metrics and requirements.

Security is Processing Intensive
[Chart: Performance/Security Trade-off. Axes: Realism & Security Features; Performance. Labels: Very little inspection, large packets; Realistic traffic inspected thoroughly.]
True for many services
- Firewall
- Intrusion Prevention
- Data Loss Prevention
- Web, Database, and Application firewalls
- Antivirus
This effect is multiplied for Next Generation Firewall devices performing multiple security functions.

Changing Network and Security Landscape
[Chart. Axes: Security Features; Performance. Labels: Security Requirements; Performance Requirements; Next Generation Firewall Performance; 10 Gbps; 20 Gbps; FW, IPS, LB.]

Strategies for Scaling Appliances

Advantages
- Scales linearly
- Scaling does not affect architecture
- Simplified routing tables
Disadvantages
- Complex switching and load balancing
- Difficult to troubleshoot
- High capital costs
- High operational costs

Advantages
- Lower CAPEX
- Easy to troubleshoot
- Simplified switching
Disadvantages
- No scalability within segments
- Scaling changes network architecture
- Complex routing tables
- High operational costs

Physical Segmentation; Load Balancing

Still a complex mesh of several appliances. NGFW appliances often create the same problem they were intended to solve.

The X-Series Strategy
X-Series creates a “Network in a Box”
[Diagram labels: Internet; Network Processor Modules; Application Processor Modules; Control Processing Modules; FW, L2, IPS, LB.]
X-Series provides unprecedented consolidation and scalability in a single chassis.

Network Processing Module (NPM)
Provides Switching Fabric for Data Plane
- Switching fabric connects all NPMs and APMs
- 9600 series provides 10 to 40Gb/s per module
- 8600 series provides 5 to 10Gb/s per module
- Up to 140Gbps of non-blocking backplane
Flexible Physical Network Interfaces
- Multiple configurations available from 10xGbE to 16x10GbE
- All ports are hot-pluggable, standard SFP, SFP+, XFP form factor
Distributes Traffic Efficiently and Intelligently
- Scales by distributing traffic across APMs and processing cores
- Automatically redistributes load around failed resources
Consolidates Network Infrastructure
- Virtualizes switches, load balancers, patch & power cords
- Eliminates common network devices found in security infrastructure
[Image: NPM 9650]

Application Processing Module (APM)
Hosts Applications
- Responsible for running the security application(s)
- Can be pooled into a “Virtual Application Processor Group” (VAP Group)
- Dynamically provisioned - no local configuration
Scales Performance
- Multiple APMs in a VAP Group share load to scale performance
- APM 8650: 4 Core and 8 Core configurations, up to 16Gb RAM
- APM 9600: 12 Core configuration, up to 24Gb RAM
Maintain Defense in Depth
- Layer multiple VAP Groups with different security applications
- NPM’s network virtualization provides connectivity between layers
Provides Application Redundancy
- VAPs can run on any APM
- APMs can be re-provisioned on-the-fly
- Un-provisioned APMs automatically assume warm-standby role
[Image: APM-9600]

Control Processing Module (CPM)
System Management
- Provides out of band management of chassis through dedicated backplane and management ports.
- Centralized configuration for all elements in the system
Provision Applications Easily
- Define VAP groups and install applications centrally
- Automatically provisions the right resources for the application
- Hosts a dedicated file system for each Application Processor
Health Monitoring
- Continuously checks health and collects statistics on all modules (available through SNMP or web interface)
- Dynamically provisions new resources to replace failed resources
[Image: CPM-9600]

System Architecture
[Diagram labels, in the order they appear: 1GE & 10GE Network Interfaces; NPM; Flow Distribution; Switch ASIC; Network Processor; FPGAs; Flow Classification; XOS Linux; Management; Local I/O; Control; XOS Linux; CPM; Provisioning; Management; Storage; CPUs & Memory; Control I/O; 1GE; APM; CPUs & Memory; Linux Application; XOS Linux; Non-Linux Application; KVM VM; High-Performance Network Flow Distribution Interface.]

X-Series Flexibility
[Chart. Axes: Security Features; Performance. Labels: X-Series System Performance; Performance Requirements; Security Requirements; FW, IPS; 15 Gbps; 30 Gbps.]

System Specs At-a-Glance

APM Version: APM 8650 4 Core; APM 8650 8 Core; APM 9600
# Processing Cores: 4 CPU Cores per Module; 8 CPU Cores per Module; 12 CPU Cores per Module
IP Forwarding Packet Rate (PPS): 1.7 Mpps; 2.2 Mpps; 7.0 Mpps
Fabric Connection Speed: 12.8 Gbps; 20 Gbps
Memory: 4GB Standard (Upgradable to 16 GB); 8GB Standard (Upgradable to 16 GB); 12GB Standard (Upgradable to 24 GB)
Hard Drive: Diskless Design; Optional up to 2 HDDs available with RAID

NPM Version: NPM 8620; NPM 8650; NPM 9600
Network Throughput: 5 Gbps; 10 Gbps; 40 Gbps
Packet Forwarding Rate (PPS): 7 Mpps; 12 Mpps; 40 Mpps
Maximum Connections: 8 Million / 40 Million (8G); 18 Million / 100 Million
Connection Setup Rate: 65,000 CPS; 130,000 CPS

Architecture Redundancy
X60 / X80-S
- CPM (Control) redundancy
- APM (Application) redundancy
- NPM (Network) redundancy
- Fan redundancy
- Backplane trace redundancy
- Power redundancy
Crossbeam’s Virtual Infrastructure has created a design with no single points of failure

Self-healing with Hot Standby
[Diagram labels: Firewalls; IPS; Stand-by.]
Original Configuration
- 4 Firewall APMs
- 3 IPS APMs
- 1 Stand-by APM
One Firewall APM experiences a problem
The Stand-by APM automatically takes the Firewall APM’s profile
“No more emergency wake-up calls at 3AM to replace appliances”

Self-healing via Prioritization
[Diagram labels: Firewalls (Priority 1); IPS (Priority 2).]
Original Configuration
- 4 Firewall APMs
- 4 IPS APMs
One Firewall APM experiences a problem
An IPS APM automatically takes the Firewall APM’s profile based on priority
“Automate self-healing to fit your business”

Greenlight Element Manager
A visual, information-rich interface to your X-Series.
- Power supply and fan status
- Chassis utilization and usage statistics
- Application and system software information
- Efficiency and capacity planning statistics

Modular Chassis
Chassis: X60; X80-S
Network Connectivity (Maximum): 32 Ten Gigabit / Gigabit Ethernet; 64 Ten Gigabit / Gigabit Ethernet
Network Throughput: 68 Gbps; 140 Gbps
Packet Rate (PPS): 21 Million; 54 Million
Concurrent Connections: 40 Million; 100 Million
Connection Setup Rate (CPS): 180,000; 320,000
Check Point R75 FW+IPS Throughput: 68 Gbps; 135 Gbps

Flexible Chassis
Chassis: X20; X30; X50
Network Connectivity (Maximum): 10 Gigabit Ethernet; 10 Gigabit + 2 10Gb Ethernet; 16 Ten Gigabit / Gigabit Ethernet
Network Throughput: 5Gbps; 10Gbps; 17.5Gbps
Packet Rate (PPS): 4.4 Million; 11 Million
Concurrent Connections: 8 Million; 18 Million
Connection Setup Rate (CPS): 110,000; 115,000
Check Point R75 FW+IPS Throughput: 5Gbps; 10Gbps; 17Gbps

X-Series Key Values
Consolidation
- House multiple security applications in a single chassis.
- Scale each application to meet performance demands.
Adaptability
- Add, remove, or change applications on a common hardware platform.
- Provision resources where and when they are needed.
Availability
- Self healing architecture.
- 5-9’s high availability in a single chassis, 7-9’s with dual chassis.
Operational Efficiency
- Dramatically reduce maintenance time and effort.
- Manage and monitor the security environment from a common interface.

Blue Coat Confidential – Internal Use Only
Please provide feedback on this webcast to: supportnewsletter@bluecoat.com
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)