Intoto Linley Tech Utm Architecture Presentation

Presentation on different architectures to implement UTM in Multicore chips - Presentation made in Linley conference in Sanjose
Transcript

  • 1. Unified Threat Management (Multi-function security): Next Generation UTM Security Solutions, Software Architecture Discussion. Contact: Srinivasa Rao Addepalli (Srini), CTO and Chief Architect, srao@intoto.com. Security Seminar, Linley Tech 2006, Sep 21, 2006, San Jose, California
  • 2. Intoto Overview
    – Company: Founded 1998 in CA, USA. Santa Clara, CA: headquarters. Hyderabad, India and Chennai, India: development centers. Taipei, Taiwan: regional sales office.
    – Customers: Top-tier networking OEMs. Over 120 designs with Intoto software. Very large volume shipments with Intoto software.
    – Products: Unified Threat Management (UTM) security software: Firewall, IPSec VPN, SSLVPN, IPS, Anti-Virus, Anti-Spam.
    – Team: 240 employees.
    Copyright © 1998-2006 Intoto Inc. All rights reserved.
  • 3. Intoto Value Proposition: Production Ready Security Software Platform
    – Networking OEM: end user product (OEM branding + channel + support)
    – Software ODM: production ready security software platform (Intoto security software platform: software + integration + certifications)
    – Hardware ODM: hardware platform (CPU, network processor or multi-core processor; PCBA; OS & BSP)
  • 4. Intoto's iGateway™: UTM Architecture (block diagram; recoverable content below)
    – iGateway™ UTM functionality: SPI Firewall, Inline IPS, IPSec VPN, SSLVPN, Anti-Virus, Anti-Spam, URL Filter, Routing, QoS, Transparent mode support, High availability, Clustering
    – Embedded management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP
    – User-space services: SSLVPN (portal, socks app, application tunnel, L2 tunnel, reverse proxy), AV/AS proxies (SMTP/S, POP3/S, HTTP, FTP), IKEv1/v2 (IRAC/IRAS), authentication (PKI with SCEP/OCSP/LDAP, XAUTH, EAP, LDAP client, RADIUS client, local DB), config DB
    – Packet path: transparent firewall, intrusion detection/prevention, application level policy management, IPSec packet engine, packet processing support gateway, TCP/IP; session management and packet processing; traffic policing and traffic shaping; Ethernet, bridging and WAN protocols
    – Hardware layer: Ethernet controllers, crypto acceleration, pattern matching acceleration
  • 5. UTM: Key Problem Definition: Price/Performance
    Requirement    | TODAY                                        | Future market requirement
    Functionality  | Separate Firewall + VPN appliance, IPS        | All-in-one appliance (2-5X security appliance)
                   | appliance, anti-virus gateway, anti-spam     |
                   | gateway                                      |
    Performance    | 100 - 500 Mbps (individual function)         | 500 Mbps - 1 Gbps (combined functionality), 2-5X
    Street price   | Varies                                       | Remains SAME (per unit)
  • 6. UTM: Key Problem Definition: Software development and complexity
    Area                     | TODAY                                    | Future challenges
    Functionality            | Existing working code base; shipping     | Integration complexity: IPS systems, anti-virus,
                             | products                                 | anti-spam, open source components, 3rd party
                             |                                          | software functions; 3rd party s/w dependent on
                             |                                          | H/W architecture choice; changing functional vector
    H/W choices              | In-house ASIC                            | Multiple vendors and choices, how to evaluate;
                             |                                          | multiple proven commercial off-the-shelf
                             |                                          | accelerators; do we still need custom ASICs?
    S/W architecture choices | In-house development; extension of       | Design considerations under multiple vectors
                             | existing architectures                   | (functionality, H/W choice, flexibility, budgets,
                             |                                          | time to market); build in-house vs. outsource vs.
                             |                                          | open source
    Development team and     | Current in-house expertise; mainly bug   | Need a large software development team; lack of
    expertise                | fixes and extensions                     | skilled software engineers in new architectures
    Main QUESTIONS: HOW MUCH TIME and HOW MANY PEOPLE?
  • 7. UTM System Requirements (by market segment; the chart's axis is number of users: <100, <250, <500, <1000, 1000-5000, 5000-50000, with the "future performance vector" growing toward the SP/Carrier segment)
    Segment            | Throughput   | VPN tunnels | FW/IPS sessions | FW policies; sessions/s | VPN; tunnels/s   | Firewall/IPS | Anti Virus        | Platform
    SP/Carrier         | Up to 4 Gbps | 250K        | 1M              | 30k; 25K                | 2 Gbps; 500      | 2 Gbps       | 2500 HTTP con./s  | Multi-core CPU / NPU with external RegEx
    High-end Enterprise| Up to 2 Gbps | 10K         | 250K            | 20k; 15K                | 1 Gbps; 100      | 1.5 Gbps     | 400 HTTP con./s   | IA (x86, SMP) / multi-core CPU w/ crypto & RegEx accel.
    Enterprise/SME     | Up to 1 Gbps | 2K          | 100K            | 10k; 5K                 | 300 Mbps; 25     | 500 Mbps     | 200 HTTP con./s   | IA (x86) w/ crypto, RegEx accel.
    SMB/SME            | Up to 100 Mbps| 500        | 10K             | 1k; 1K                  | 70 Mbps; 4       | 100 Mbps     | 25 HTTP con./s    | SoC w/ crypto
  • 8. Software Architecture Choices for UTM
    – SA1: Solo core model
    – SA2: SMP model (dual-core or a multi-core processor in SMP mode)
    – SA3: Drop-in clustering model (multiple solo cores)
    – SA4: External clustering model (load balanced by external agent)
    – SA5: Bare-Metal-DataPlane™ + control plane model (for multi-core processor)
    – SA6: SA5 with clustering model (10 Gbps performance)
  • 9. Software Architecture Choices for UTM, based on industry projects. Comparison criteria: development complexity, time to market and COST; performance for multi-function security; full functional availability (as of today); maintenance complexity and COST. Ratings legible in the transcript:
    – SA1: Solo core: LOW
    – SA2: SMP: LOW
    – SA3: Drop-in cluster: HIGH
    – SA4: External cluster: HIGH
    – SA5: Bare-Metal-DataPlane™: HIGH
    – SA6: SA5 with cluster: HIGH
  • 10. S/W Architecture SA1 and SA2 (Single Image or SMP Mode) (iGateway UTM block diagram split into user space and kernel space)
    – Suitable for one processor or multi-processors running in SMP mode. Example: P4 or single Xeon system, or dual-Xeon running SMP Linux.
    – Multi-core silicon with fewer than 4 cores running Linux SMP.
    – Firewall, IPsec packet processing, IPS and other packet processing engines run in kernel mode.
    – Signaling stacks such as IKE, L2TP, AV/AS and routing engines run in user space.
  • 11. S/W Architecture SA3 (Drop-in Clustering Model)
    – Group of like devices working together to improve performance.
    – No external load redirector: one device takes responsibility for load distribution on a per-session basis (drop-in).
    – Complexity of implementation: configuration synchronization, master election, load distribution algorithms, liveness check and automatic adjustment of load distribution, exception to load balancing (ETL).
    – Facility to forward traffic at the drop-in module.
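To make the drop-in responsibilities above concrete, the following toy model (an added illustration, not Intoto code; member ids, the hash-based distribution, the lowest-id master election and the TCP/22 ETL rule are all assumptions) shows how per-session distribution, master election, a liveness check with automatic redistribution, and exception-to-load-balancing (ETL) fit together:

```python
"""Toy model of per-session load distribution in a drop-in cluster.

Added illustration, not Intoto code. The master hashes each new session's
5-tuple onto the set of live members, re-elects after a failed liveness
check, and pins 'exception to load balancing' (ETL) sessions to the master.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Member:
    member_id: int
    last_heartbeat: float  # seconds, supplied by the caller (no wall clock)
    alive: bool = True


@dataclass
class DropInCluster:
    members: dict                                  # member_id -> Member
    dead_after: float = 3.0                        # silence before declared dead
    sessions: dict = field(default_factory=dict)   # 5-tuple -> member_id
    etl_rules: list = field(default_factory=list)  # callables(five_tuple) -> bool

    def live_ids(self):
        return sorted(m.member_id for m in self.members.values() if m.alive)

    def master(self):
        # Master election (assumed rule): the lowest live member id wins, so
        # every member reaches the same answer from the same liveness view.
        return self.live_ids()[0]

    def heartbeat(self, member_id, now):
        self.members[member_id].last_heartbeat = now
        self.members[member_id].alive = True

    def liveness_check(self, now):
        """Mark silent members dead and move their sessions to live members."""
        for m in self.members.values():
            if now - m.last_heartbeat > self.dead_after:
                m.alive = False
        for five_tuple, owner in list(self.sessions.items()):
            if not self.members[owner].alive:
                self.sessions[five_tuple] = self._choose(five_tuple)

    def _choose(self, five_tuple):
        # ETL: sessions the balancing policy must not spread stay on the master.
        if any(rule(five_tuple) for rule in self.etl_rules):
            return self.master()
        live = self.live_ids()
        digest = hashlib.sha256(repr(five_tuple).encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def assign(self, five_tuple):
        """Return the owner for a session; new sessions are distributed here."""
        if five_tuple not in self.sessions:
            self.sessions[five_tuple] = self._choose(five_tuple)
        return self.sessions[five_tuple]


def build_demo_cluster():
    """Constructed sample: three members heard from at t=0; TCP/22 is ETL."""
    members = {i: Member(i, last_heartbeat=0.0) for i in (1, 2, 3)}
    cluster = DropInCluster(members=members)
    # 5-tuple layout assumed: (src_ip, src_port, dst_ip, dst_port, proto)
    cluster.etl_rules.append(lambda ft: ft[4] == "tcp" and ft[3] == 22)
    return cluster
```

Existing sessions stay on their owner until a liveness check declares that member dead, which is the "auto adjustment" step the slide lists.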
  • 12. S/W Architecture SA4 (External Clustering Model) (diagram: management processor running the iGateway configuration application; device/blades 1 to n running iGateway-UTM; back plane; network processor blade doing session distribution)
    – Similar to drop-in clustering, except that an external network processor does the session distribution.
    – Device/blade can run on general processors or a multi-core processor.
    – Example implementation: network processor used for session distribution; more than 4 general purpose processors running the security functions as separate devices.
  • 13. S/W Architecture SA5: Fully loaded multi-core processor, UTM design considerations
    – Typical market requirements: line rate throughput of firewall, IPS and IPsec VPN.
      • Minimum of 3 Gbps with Firewall and IPS
      • Minimum of 3 Gbps with Firewall and IPsec VPN
    – High connection rate with firewall and IPS
      • Every 1 Gbps requires 25000 connections/sec.
      • 75000 connections/sec is required to saturate 3 Gbps bandwidth.
    – Decisions and recommendations
      • Run the complete firewall, IPS and IPsec VPN packet processing functionality on a bare-metal OS: the data plane.
      • Run signaling daemons, routing daemons and AV/AS functionality in the control plane running Linux OS.
      • Divide the number of cores between control plane and data plane based on application performance requirement and market segment.
      • Take advantage of hardware capabilities such as flow identification, checksum verification, symmetric and public key crypto acceleration and DFA acceleration.
  • 14. S/W Architecture SA5 (Bare-Metal-DataPlane™ architecture) (block diagram; recoverable content below)
    – Control plane: embedded management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP), SSLVPN services, AV/AS proxies, IKEv1/v2, authentication (PKI with SCEP/OCSP/LDAP, XAUTH, EAP, LDAP client, RADIUS client, local DB), config agent
    – CP-DP communication between control plane and data plane
    – Data plane: transparent firewall, intrusion detection/prevention, application level policy management, URL filter, IPSec, packet processing support gateway, session management and packet processing, traffic policing and traffic shaping, Ethernet, bridging and WAN protocols
    – Octeon / RLR HAL + common modules
  • 15. S/W Architecture SA6 (Bare-Metal-DataPlane™ with clustering) (block diagram: multiple control plane instances with management including a CMS agent, multiple data plane instances on Octeon / RLR HAL + common modules, inter-DP communication)
    – Scales to 10 Gbps and above
    – Multiple data plane instances and control plane instances
    – Flexibility to add more control plane instances to achieve higher performance of deep data inspection related security engines such as anti-X
    – Flexibility to add more data plane instances to achieve higher performance of packet processing engines
  • 16. Case Study 1: iGateway™ on Cavium OCTEON Processor. Demonstrated at Interop, Las Vegas, 5/4/06: iGateway Firewall, performance 4 Gbps. Other functions being implemented.
  • 17. Case Study 2: iGateway™ on RMI XLR Processor. Demonstrated at Interop, Las Vegas, 5/4/06: iGateway Firewall, performance 4 Gbps. Other functions being implemented.
  • 18. Case Study 3: Tarari content acceleration. IntruPro IPS (measured performance with TARARI accelerator): Pentium 4 with Tarari RegEx acceleration card, near 3X HTTP connection rate improvement over S/W only.
  • 19. Unified Threat Management (Multi-function security). Thank you. Srinivasa Rao Addepalli (Srini), CTO and Chief Architect. Email: srao@intoto.com
  • 20. Key UTM Functionality: Intoto iGateway Security Functionality Details (backup slides)
  • 21. Intoto's iGateway™: UTM Functionality Features
    – Stateful inspection firewall with forward and reverse NAT
    – Signature, protocol anomaly and traffic anomaly based Intrusion Prevention System with protocol intelligent processing modules
    – IPsec VPN for data security supporting site-to-site, hub-and-spoke, route based VPN and remote user access capabilities
    – SSL VPN supporting browser based access, application tunnel and full tunnel modes
    – Anti Virus running transparently, scanning and cleaning viruses in HTTP objects and emails
    – Anti Spam running transparently and removing/marking spam emails
    – URL Filter
    – QoS (traffic policing and traffic shaping)
    – L2 (transparent) mode support
    – User based profiles: ACLs, bandwidth, URLF, etc.
    – High availability support
    – Clustering support
  • 22. iGateway™ Firewall (block diagram: administration and management engine with syslog support, e-mail log export, web based configuration, CLI and event log; network access policy manager with stateful inspection engine, network access statistics, application specific content filtering, NAT with ALG support, network access policy engine with weekly schedule, user specific access policies, dynamic activation, remote user access and system-wide access policies; CyberDefense Engine™ covering IP spoofing, Ping of Death, reassembly attacks, DoS attacks, Smurf, WinNuke, Land, ICMP redirects and IP source routing)
    – Stateful inspection firewall
      • Defense against DoS & DDoS attacks
      • Application level filtering & cookie filtering
      • Event logging (SMTP client, syslog client)
      • ICSA certification
    – Comprehensive configuration
      • Granular, user specific policies: traffic type, protocol/port, direction, source/destination, time of the day as well as authentication based access
      • Security domain specific policies
      • User based profiles (user can be authenticated using HTTP portal, 802.1x, IKE etc.)
    – Comprehensive NAT with ALGs (application layer gateways): communications, security, video and gaming; e.g. firewall ALGs allow SIP connections to the Internet
  • 23. iGateway™ VPN (IPsec/IKE) (block diagram: IKE v1 and v2 engine with OCSP, RADIUS, LDAP, XAuth, Mode Config, SCEP and EAP clients, IKE policy manager and certificate manager over IKE-IPsec APIs and BSD sockets; IPsec driver and IPsec engine with SPD, SAD, AH/ESP at the IP layer; public key and symmetric key crypto APIs backed by a software crypto library or PKEP/SKEP drivers for public key and symmetric key encryption processors; link and physical layers)
    – Proven interoperability: ICSA and VPNC certified
    – VPN protocol support
      • Layer 3: IPSec, IKE (and IKEv2)
      • Layer 2: PPTP and L2TP
      • Certificates: support for X.509v3 including SCEP, OCSP, PKCS 7, 10 and LDAP client for CRL retrieval
    – Advanced features
      • Granular policy management for specific protocols
      • DPD (dead peer detection), DPTD (dead peer tunnel detection)
      • NAT traversal v2
      • Security domain based policy support
      • IKEv2 support
      • Hardware encryption accelerator support
  • 24. iGateway™ IKEv2
    – IKEv2 basics: latest IETF standard for IPsec VPNs (most popular VPN standard for enterprises and carriers); improved performance, security and reliability; IPv6 support
    – Mobility capabilities: enables use of standardized GSM SIM authentication through EAP; IRAS and IRAC support
    – Standardized and simplified client configuration: IP addresses, DNS addresses and netmasks; IKEv1 applications are upgradeable to IKEv2
  • 25. Intoto IntruPro™ IPS
    – IntruPro inline IPS sensor
      • Advanced detection techniques with stateful application intelligence: greater accuracy over traditional IPS, reduced false positives and high performance
      • Protocol anomaly detection
      • Traffic learning, anomaly detection, and prevention for a configurable amount of time
    – IntruPro inline IPS manager
      • Comprehensive configuration capabilities with support for multiple sensors
      • Correlation
      • Real time monitors and reporting capabilities
      • Active feedback mechanism
    – Centralized signature updates: Intoto produces IPS signature updates and provides centralized update capabilities
  • 26. IntruPro™ IPS Manager
    – Comprehensive configuration: configure and tune to increase system effectiveness and reduce false positives; supports multiple sensors
    – Real-time monitoring and alerts: configurable alert generation for event notification; real time attack graphs to monitor intrusions
    – Extensive reporting: report generation based on user configured parameters; intuitive charts and logs for forensic analysis
  • 27. iGateway™ SSL-VPN (architecture diagram: endpoint control, CLI and secure web portal over an XML control plane; authentication, authorization, access control, audit (AAAA) and management; application connectors: web connector (HTTP/HTTPS), email connector (SMTP, POP3, IMAP), file share connectors (SMB/CIFS, WebDAV), generic application connectors (TCP/UDP forwarder, SOCKS proxy), VPN connector (PPP over HTTPS); caching & crypto acceleration; SSL; TCP/UDP/IP)
    – Operational modes
      • Basic mode: portal; webified applications
      • Port-forwarding mode (Java applet): HTTP/SOCKS/email proxies
      • Hybrid mode (Java applet): L2/L3 tunneling over SSL; all applications supported
    – Complete management: AAAA (authentication, authorization, access, audit); fine-grain security policies; customizable UI
    – Seamless integration with Intoto iGateway products, e.g. firewall, VPN, IPS
    – ICSA certifiable
  • 28. iGateway™ SSL-VPN Web Portal: User Pages
    – User home page: collection of quick access links (intranet, files, email, specific applications); user-specific configuration
    – Customization: UI completely decoupled, pages may be stored outside the box; portal functions accessible through XML requests; easy admin customization of UI (colors, icons, banners, message of the day)
  • 29. iGateway™ Anti-Virus & Anti-Spam Functionality
    – Complete protocol proxy implementation; acts as server and client.
    – Configurable to act as a fully transparent proxy or a standard proxy.
    – Any vendor's AV or AS engines can be hooked to the proxies.
    – Multiple AV engines or AS engines can be used.
    – Statistics collection and review on a historical basis.
    – Log collection and storage.
    – Actions upon virus/spam detection: decorate subject; send notification to the sender (in case of SMTP); decorate subject with email body detached; remove email without any notification to sender or receiver.
    – Block sender (SMTP) or receiver (POP3) for a configurable amount of time when a throttling-based anomaly is detected.