Firewall Network Processor: basic concept and solutions (FNP)

FNP is a trademark of Fractel Incorporated. July 2003.

Slide 2: Contents
- Introduction
- Network Processor: common aspects
- Network Processor: FNP architecture (stealth mode, performance, functionality)
- Conclusion

Slide 3: Introduction: distributed network concept and security aspects

[Figure: superposition of overlay layers and networks; applications Appl 1, Appl 2, ..., Appl i, ..., Appl n stacked over the distributed network.]
- Distributed network: an interconnected grid of paths without sharp boundaries between zones.
- Internet: a superposition of overlay networks without a central or third-party control point.
- Security aspects: all of them depend on the concept of trust, whether third-party or direct. Where are the boundaries of trust?

Slide 4: Multilevel network environment and security problems

[Figure: the network levels (application processes, virtual grid, channel structure, physical nodes, packet processes) set against the security problems that appear at each: virus attack, denial of service, intrusion, data corruption, hacking, and "auth - u/a packets" as labelled on the slide.]

Slide 5: Network security aspects: transit security and traffic regulation

[Figure: a chain of nodes 0, ..., x, x+1, ..., M joined by a direct virtual channel and a feedback virtual channel, with transit packet control between node x and node x+1. Labels: protocol network environment, TCP, physical link bit speed, packet, application, TCP buffer, packet drops; traffic, transport and application control.]

Slide 6: Tasks, technology, products
[Table; the mapping between columns was lost in extraction. Tasks: communication, filtering, information sharing, tunnelling, applications, Internet presence, management. Technologies and products: firewall, anti-virus, VPN, authentication, PKI, remote access, encryption, security management.]

Slide 7: Security concept and basic components
- Concept: multi-layer packet processing that retains the openness of the Internet's original design.
- Basic components:
  - an administrative solution, including VLANs, access control lists and MAC locks;
  - a special network processor that separates data traffic and provides authentication and encryption.

Slide 8: Network Processor: common aspects
- Definition: network processors (NPs) are programmable devices aimed generally at communication tasks and at packet-specific data sets.
- Challenge:

  - What software architectures are effective for network tasks?
  - Why is new functionality needed?
  - What do network processors do?
- Prototypes:
  - Intel IXP1200: a chip combining a high-speed core with a system bus and six programmable microengines.
  - Interphase iNAV4000: a PCI chip offering packet processing and switching.

Slide 9: Basic types of hardware architecture
[Figure: several placements of the NP relative to the general-purpose processor (GPP), RAM, the physical network interface (PHY) and the common switch interface (CSI), including the NP as a co-processor on the system bus and an NP with its own DMA controller (DMAC). Legend: GPP = general purpose processor; PHY = physical network interface (bytes); CSI = common switch interface (packets). The control plane runs over the system bus, the data plane over the CSI.]

Slide 10: FNP core
[Figure: incoming traffic enters through the incoming interface(s), passes through (1) the filtering module and (2) the service module, and leaves through the outgoing interface(s). Local storage and a cache hierarchy serve the modules; external storage holds logging, authorization and the UI daemon. Labels as printed: incoming traffic = F(1,2), Sf = F(2), Ss = F(2).]

Slide 11: NP: basic characteristics
- manipulates packet-specific data on Internet layers 2-4;
- based on an open software interface;
- programmability.
- Target: performance and openness. Deliver hardware-level performance of packet processing tasks to a software-programmable system.

Slide 12: Packet processing tasks
- Tasks: parse, modify, search, forward, resolve.
- Silicon design: limited flexibility, wire-speed performance.
- Program design: limited performance, but new features can be added.
- The slide leaves the trade-off between the two as an open question ("?").

Slide 13: Firewall Network Processor (FNP)
- Processing tasks:
  - identifying a packet from its header characteristics (address, VC, protocol, etc.);
  - forwarding a packet to the appropriate interface(s) or discarding it, according to the security policy rules.
- Specific tasks (stealth mode):
  - no modification (no fields in the packet header are updated);
  - no scheduling (no queuing for a specific application);
  - speed improvement through parallel processing (cluster) and pipeline processing (conveyor).

Slide 14: FNP specific design
- stealth mode for packet processing (no MAC or IP address on the PHY interfaces);
- orthogonal address spaces for the control and data interfaces;
- cluster architectures;
- specific structure of buffer and cache memory (depends on the fractal nature of network traffic);
- multi-protocol: IP/IPX;
- scalable firewall solution.

Slide 15: Architecture for a secure corporate network
[Figure: an open network segment (Web and database portals, DNS, servers), a segment holding confidential catalogues and data, and a VPN segment.]
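What slides 13 and 14 mean by stealth-mode processing, as an added illustration in Python that is not Fractel's FNP code: a frame arrives on one data port, is classified from its L2-L4 headers only, and is either handed unchanged to the other port or discarded. Nothing here is taken from the slides beyond that description; the port names lan/wan, the two-port layout, the first-match policy with default drop, the rule fields and the sample frames are all assumptions for the example. Two practical details the slides do not spell out are included: a stealth unit must still pass ARP between its sides (the hosts resolve each other, not the firewall), and a non-first IP fragment carries no port numbers, so a port-specific rule cannot match it.

```python
"""Stealth-mode packet filtering, as an added illustration; not Fractel's FNP code.

A stealth firewall has no MAC or IP address on its data ports.  It takes a raw
Ethernet frame from one port, classifies it on L2-L4 header fields only, and
either forwards the *same bytes* out of the other port or discards them.  It
never decrements TTL, rewrites an address or recomputes a checksum, and it does
not answer ARP, so nothing on the wire can address it.

Assumptions not taken from the slides: Ethernet II + IPv4, TCP/UDP ports, a
two-port unit with ports named "lan" and "wan", first-match policy with an
implicit default drop, and the constructed sample frames below.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
OTHER_SIDE = {"lan": "wan", "wan": "lan"}   # assumed two stealth ports


@dataclass(frozen=True)
class PacketKey:
    """Only the header fields the policy keys on; the payload is never read."""
    in_if: str
    ethertype: int
    src: Optional[ipaddress.IPv4Address] = None
    dst: Optional[ipaddress.IPv4Address] = None
    proto: Optional[int] = None   # IPv4 protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int] = None   # None for non-IP, non-TCP/UDP and non-first fragments


def parse_frame(frame: bytes, in_if: str) -> PacketKey:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return PacketKey(in_if, ethertype)            # ARP, IPX, ...: L2-only decision
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    proto = ip[9]
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    dport = None
    # Ports exist only in the first fragment; later fragments carry no L4 header.
    if proto in (6, 17) and frag_off == 0 and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return PacketKey(in_if, ethertype, src, dst, proto, dport)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "forward" or "drop"
    in_if: Optional[str] = None                   # None in any field means "any"
    ethertype: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, k: PacketKey) -> bool:
        return ((self.in_if is None or self.in_if == k.in_if)
                and (self.ethertype is None or self.ethertype == k.ethertype)
                and (self.src is None or (k.src is not None and k.src in self.src))
                and (self.dst is None or (k.dst is not None and k.dst in self.dst))
                and (self.proto is None or self.proto == k.proto)
                and (self.dport is None or self.dport == k.dport))


def decide(policy, frame: bytes, in_if: str):
    """First matching rule wins; anything unmatched or unparsable is dropped.

    Returns (action, out_if, frame).  The forwarded frame is the very object
    that arrived: no header field is touched (stealth mode, no modification).
    """
    try:
        key = parse_frame(frame, in_if)
    except ValueError:
        return ("drop", None, None)
    for rule in policy:
        if rule.matches(key):
            if rule.action == "forward":
                return ("forward", OTHER_SIDE[in_if], frame)
            break
    return ("drop", None, None)


NET = ipaddress.IPv4Network
POLICY = [                                                   # assumed sample policy
    Rule("forward", ethertype=ETH_P_ARP),                    # hosts on both sides must still resolve each other
    Rule("forward", in_if="wan", dst=NET("192.0.2.10/32"), proto=6, dport=80),   # DMZ web server
    Rule("forward", in_if="lan", src=NET("10.0.0.0/8")),    # protected LAN may go out
]


def build_tcp_frame(src: str, dst: str, dport: int, frag_field: int = 0) -> bytes:
    """Constructed sample input: Ethernet II + IPv4 (no options) + minimal TCP SYN.
    Checksums are left zero; the filter never recomputes them anyway."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag_field, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


if __name__ == "__main__":
    f = build_tcp_frame("198.51.100.7", "192.0.2.10", 80)
    print(decide(POLICY, f, "wan")[:2])                                                # ('forward', 'lan')
    print(decide(POLICY, build_tcp_frame("198.51.100.7", "192.0.2.10", 22), "wan")[:2])  # ('drop', None)
```

The "no modification" property is checked by identity: `decide` returns the same bytes object it was given, whereas a routing firewall would at least decrement the TTL and rewrite the IP checksum. Because the policy keys on the ingress port rather than on the unit's own addresses, the filter has nothing to advertise on the wire, which is what lets the data ports stay without MAC or IP addresses.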

Slide 16: FNP-100 Security Platform
[Photo: front panel with one 10/100 Ethernet port used as the control interface, 10/100 Ethernet ports for LAN, DMZ and WAN (stealth-mode interfaces) and a power switch.]

Slide 17: Stealth and control interfaces
[Figure: the global Internet and the ISP network reach the corporate network through a corporate router or backbone switch; the FNP-100/4 sits in line with its stealth interfaces (no MAC and IP addresses) in front of the protected network segment and the DMZ (Web server, application servers). The control interface (RS232 or Ethernet, private IP address) is reached from an admin workstation by dial-up or terminal access via modem, or by LAN access.]

Slide 18: FNP redundancy mode
[Figure: two ISP networks feed two access segments; a primary domain and a redundant domain each contain an FNP-100/2 whose stealth interfaces face the router or LAN backbone switches. The two units run synchronization processes over their control interfaces, which are attached, together with the control/admin workstation and a NAS or IDS, to a control VPN or a trusted distinct network segment. Behind them, backbone switches serve the corporate segments and the protected servers and hosts.]

Slide 19: FNP-1000 Cluster Platform
[Figure: the global Internet reaches a switched network infrastructure; WDM access (1, ..., 4 modes) through a MUX or multi-Gigabit VLAN Ethernet splitter and access Gigabit VLAN switches spreads traffic over a cluster of four FNP-1000/2 security appliances with stealth Gigabit Ethernet interfaces. The control interfaces, the admin workstation and a NAS or IDS sit on a distinct control network. The protected network segment is an internal 100BT switched Ethernet infrastructure with an FNP-100/4S on stealth interfaces acting as internal network sensor.]

Slide 20: Multi-layer security conveyor
[Figure. Elements shown, from the public Internet inward: router, switch, firewalls (three FNP-100/2), VPN server, Web server, DNS and the other common network elements; an external perimeter and an inner perimeter of the secure network; an FNP-100/4 in front of the corporate segments and users; and a secure segment of the corporate network holding the information security server, NAS server, network storage and a computing cluster / IDS system. Control commands, transaction data and SNMP data flow over an Ethernet switch to the admin workstation.]

Slide 21: Performance characteristics
[Two plots; only the axes were recovered. Left: throughput (Mbps, 0-120) versus packet size (bytes, 0-2000) for the FNP and for a PC. Right: throughput (Mbps, 0-120) versus number of rules (0-2000) for the FNP and for a PC.]
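The right-hand plot on slide 21 contrasts throughput against rule count for the FNP and for a PC-based firewall. The slides give no figures and do not say how the FNP stays flat (they credit parallel and pipeline processing and the buffer/cache design), so the Python below is an added illustration of the general mechanism rather than FNP code: a software firewall that walks an ordered rule list pays for every rule on every packet, while a classifier that pre-indexes the rules at policy-load time examines only the candidates that could match, and does so without changing which rule wins. The rule layout, the port-based index, the constructed policy and the synthetic packets are all assumptions for the example.

```python
"""Per-packet cost versus rule count: linear walk against a pre-indexed table.
Added illustration, not Fractel's FNP code.  Rules are simplified to
(priority, proto, dport, src_net, dst_net, action) with None meaning "any";
packets are (src, dst, proto, dport).  The explicit priority keeps first-match
semantics intact when rules are regrouped.
"""
import ipaddress
import random
from collections import defaultdict


def rule_matches(rule, pkt):
    _, proto, dport, src_net, dst_net, _ = rule
    src, dst, p, d = pkt
    return ((proto is None or proto == p)
            and (dport is None or dport == d)
            and (src_net is None or src in src_net)
            and (dst_net is None or dst in dst_net))


class LinearClassifier:
    """Generic software firewall: walk the ordered list until the first hit.
    Comparisons per packet grow with the size of the rule set."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])
        self.compares = 0

    def lookup(self, pkt):
        for r in self.rules:
            self.compares += 1
            if rule_matches(r, pkt):
                return r[-1]
        return "drop"


class IndexedClassifier:
    """At policy-load time, bucket the rules by exact destination port and keep
    the port-wildcard rules aside.  A packet can only match rules in its own
    port bucket or in the wildcard list, so only those are compared, in
    priority order: same answer as the linear walk, work independent of the
    total number of rules."""
    def __init__(self, rules):
        self.by_port = defaultdict(list)
        self.wild = []
        for r in sorted(rules, key=lambda r: r[0]):
            (self.wild if r[2] is None else self.by_port[r[2]]).append(r)
        self.compares = 0

    def lookup(self, pkt):
        cands = self.by_port.get(pkt[3], []) + self.wild
        cands.sort(key=lambda r: r[0])            # restore global priority order
        for r in cands:
            self.compares += 1
            if rule_matches(r, pkt):
                return r[-1]
        return "drop"


def build_policy(n_exact, seed=1):
    """Constructed sample policy: n_exact port-specific rules plus three wildcards."""
    rng = random.Random(seed)
    rules = []
    for i in range(n_exact):
        net = ipaddress.IPv4Network(f"10.{rng.randrange(256)}.0.0/16")
        rules.append((i, 6, 1 + i, None, net, "forward"))
    rules.append((n_exact, 6, None, ipaddress.IPv4Network("192.0.2.0/24"), None, "drop"))
    rules.append((n_exact + 1, 17, None, None, None, "forward"))
    rules.append((n_exact + 2, None, None, None, None, "drop"))     # explicit catch-all
    return rules


def random_packets(n, seed=2):
    """Constructed sample traffic towards 10.0.0.0/8 on ports 1-2499."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        src = ipaddress.IPv4Address(rng.getrandbits(32))
        dst = ipaddress.IPv4Address(f"10.{rng.randrange(256)}.{rng.randrange(256)}.1")
        out.append((src, dst, rng.choice((6, 17)), rng.randrange(1, 2500)))
    return out


def compare(n_rules, n_pkts=500):
    """Return (decisions_agree, avg_compares_linear, avg_compares_indexed)."""
    rules = build_policy(n_rules)
    lin, idx = LinearClassifier(rules), IndexedClassifier(rules)
    agree = all(lin.lookup(p) == idx.lookup(p) for p in random_packets(n_pkts))
    return agree, lin.compares / n_pkts, idx.compares / n_pkts


if __name__ == "__main__":
    for n in (100, 500, 1000, 2000):
        print(n, compare(n))
```

The linear walk averages roughly one comparison per rule in the policy, because most packets fall through to the wildcard rules at the end, while the indexed lookup never examines more than one port bucket plus the three wildcards. Pushing the classification into hardware, as the slides describe for the FNP, removes the remaining per-comparison cost, but the index is what makes the cost independent of rule count in the first place.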

Slide 22: Conclusion
- A Network Processor (NP) is a new type of programmable device for network-specific applications.
- The FNP (Firewall NP) is a scalable network device based on an open-source OS, a standard PCI platform and stealth interfaces.
- The FNP can be viewed as a platform for a broad range of network appliances based on cluster architecture and multi-layer packet processing.
