10. S/W Architecture SA1 and SA2
(Single Image or SMP Mode)

iGateway UTM block diagram:

User Space
  Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP
  Services:
    SSLVPN: Reverse Proxy, Socks, App Tunnel Manager, L2 Tunnel, Portal
    AV/AS: HTTP Proxy, FTP Proxy, SMTP/S Proxy, POP3/S Proxy, AV, AS, DB
    IKEv1/v2: PKI (SCEP, OCSP, LDAP), XAUTH, EAP, IRAC, IRAS
    Authentication: LDAP Client, RADIUS Client, Local DB
  Transparent Proxy Support, Firewall Policy Mgmt

Kernel Space
  Application Level Gateway, Intrusion Detection/Prevention (IPS), IPSec Packet Processing Engine, TCP/IP
  Session Management and Packet processing
  Traffic Policing, Traffic Shaping
  Ethernet, Bridging and WAN Protocols

• Suitable for one processor or multi-processors running in SMP mode
• Example: P4 or single Xeon system, or Dual-Xeon running SMP Linux
• Multi-Core silicon with less than 4 cores running Linux SMP
• Firewall, IPsec packet processing, IPS and other packet processing engines run in Kernel mode
• Signaling stacks such as IKE, L2TP, AV/AS and routing engines run in user space
11. S/W Architecture SA3
(Drop-in Clustering Model)
• Group of like devices working together to improve performance
• No external load redirector: a device takes responsibility for load distribution on a per-session basis (Drop-in)
• Complexity of implementation: configuration synchronization, master election, load distribution algorithms, liveness check and auto adjustment of load distribution, exception to load balancing (ETL)
• Facility to forward traffic at the Drop-in module
12. S/W Architecture SA4
(External Clustering Model)
Block diagram:
  Management processor running iGateway configuration application
  Device/blade 1, Device/blade 2, Device/blade 3 ... Device/blade n, each running iGateway-UTM
  Back plane
  Network processor blade doing session distribution

• Similar to Drop-in clustering, except for an external network processor doing the session distribution
• Device/blade can be run on general purpose processors or a multi-core processor

EXAMPLE IMPLEMENTATION
• Network processor is used for session distribution purposes
• More than 4 general purpose processors for running security functions as separate devices
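The per-session distribution that both clustering slides (SA3 drop-in and SA4 external) rely on, as an added example; this is not iGateway code. It models the pieces slide 11 lists: a deterministic per-session distribution algorithm, master election, liveness checks with automatic re-adjustment of the distribution, and "Exception to Load balancing" (ETL). Member names and priorities, the use of rendezvous hashing, the direction-independent session key, and the reading of ETL as a destination-subnet pin to one member are all assumptions for illustration.

```python
"""Per-session load distribution for a drop-in / external cluster.

Added example, not iGateway code.  Member names, priorities, the
rendezvous-hash algorithm and the ETL rule format are assumptions.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src_ip, dst_ip, src_port, dst_port, proto)
Session = Tuple[str, str, int, int, str]


def session_key(s: Session) -> bytes:
    """Direction-independent key: the reply (dst->src) must land on the same
    member, otherwise a stateful member never sees the other half of the flow."""
    ends = sorted([(s[0], s[2]), (s[1], s[3])])
    return f"{ends[0][0]}:{ends[0][1]}|{ends[1][0]}:{ends[1][1]}|{s[4]}".encode()


@dataclass
class Member:
    name: str
    priority: int            # lower value wins master election (assumed rule)
    alive: bool = True
    missed: int = 0          # consecutive missed heartbeats


@dataclass
class Cluster:
    members: List[Member]
    dead_after: int = 3      # missed heartbeats before a member is evicted
    etl: Dict[str, str] = field(default_factory=dict)   # dst subnet -> pinned member
    owners: Dict[bytes, str] = field(default_factory=dict)

    def live(self) -> List[Member]:
        return [m for m in self.members if m.alive]

    def master(self) -> str:
        """Master election: lowest priority among live members owns distribution."""
        live = self.live()
        if not live:
            raise RuntimeError("no live cluster member")
        return min(live, key=lambda m: (m.priority, m.name)).name

    def heartbeat(self, name: str, received: bool) -> None:
        """Liveness check: evict after dead_after misses, re-admit on success."""
        for m in self.members:
            if m.name == name:
                if received:
                    m.missed, m.alive = 0, True
                else:
                    m.missed += 1
                    m.alive = m.missed < self.dead_after

    def is_alive(self, name: str) -> bool:
        return any(m.alive and m.name == name for m in self.members)

    def rendezvous(self, key: bytes) -> str:
        """Highest-random-weight hashing: every key has a fixed ranking of
        members, so losing one member moves only the sessions it owned."""
        return max(self.live(),
                   key=lambda m: hashlib.sha256(key + b"/" + m.name.encode()).digest()).name

    def assign(self, s: Session) -> str:
        """Pick the member owning session s; existing sessions stick to their owner."""
        key = session_key(s)
        owner = self.owners.get(key)
        if owner is not None and self.is_alive(owner):
            return owner
        # ETL (assumed semantics): destinations matching an exception rule bypass
        # the hash and are always handled by the pinned member.
        dst = ipaddress.ip_address(s[1])
        for subnet, pinned in self.etl.items():
            if dst in ipaddress.ip_network(subnet) and self.is_alive(pinned):
                owner = pinned
                break
        else:
            owner = self.rendezvous(key)
        self.owners[key] = owner
        return owner


def demo() -> dict:
    """Constructed scenario: three members, one ETL pin, then fw2 and fw1 go silent."""
    c = Cluster([Member("fw1", 1), Member("fw2", 2), Member("fw3", 3)],
                etl={"10.9.0.0/16": "fw3"})
    flows = [("192.0.2.%d" % i, "198.51.100.7", 40000 + i, 443, "tcp") for i in range(1, 31)]
    before = {f: c.assign(f) for f in flows}
    reply = ("198.51.100.7", "192.0.2.1", 443, 40001, "tcp")      # reply to flows[0]
    reply_stays = c.assign(reply) == before[flows[0]]
    pinned = c.assign(("192.0.2.50", "10.9.3.4", 5555, 22, "tcp"))
    master_before = c.master()
    for _ in range(3):
        c.heartbeat("fw2", received=False)
    # Recompute from scratch: flows not owned by fw2 must keep their member.
    minimal_disruption = all(c.rendezvous(session_key(f)) == before[f]
                             for f in flows if before[f] != "fw2")
    after = {f: c.assign(f) for f in flows}
    for _ in range(3):
        c.heartbeat("fw1", received=False)
    return {"master_before": master_before, "master_after": c.master(),
            "reply_stays": reply_stays, "pinned": pinned,
            "fw2_alive": c.is_alive("fw2"),
            "minimal_disruption": minimal_disruption,
            "no_fw2_after": all(v != "fw2" for v in after.values()),
            "spread": sorted(set(before.values()))}
```

Two properties matter for a stateful cluster and the demo checks both: the reply direction of a flow hashes to the same member as its forward direction, and evicting a member only moves that member's sessions, so surviving state tables are not disturbed. A real implementation would also replicate the session table (or the ETL pins) to the elected master so that a failover keeps established flows alive.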
21. Intoto’s iGateway™: UTM Functionality
Features
– Stateful inspection firewall with forward and reverse NAT
– Signature, Protocol anomaly and traffic anomaly based Intrusion Prevention system with
protocol intelligent processing modules
– IPsec VPN for data security supporting site-to-site, hub-and-spoke, route based VPN and
remote user access capabilities
– SSL VPN supporting browser based access, application tunnel and full tunnel modes
– Anti Virus running transparently scanning and cleaning viruses in HTTP objects, emails
– Anti Spam running transparently and removing/marking spam emails
– URL Filter
– QoS (Traffic Policing and Traffic Shaping)
– L2 (Transparent) mode support
– User based profiles – ACLs, Bandwidth, URLF, etc.
– High availability support.
– Clustering support.
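The first feature on the list, stateful inspection with forward and reverse NAT, as an added example that is not iGateway code. The policy (LAN hosts may initiate outbound, one internal server is published on the gateway's public port 443, everything else is denied), the addresses, the port-allocation scheme and the two-entry session-table layout are assumptions for illustration.

```python
"""Stateful inspection with forward and reverse NAT (added example, not iGateway code).

Forward NAT rewrites the source of outbound LAN flows to the gateway address;
reverse NAT publishes an internal server behind that address.  Replies are
admitted only when they match an existing session and are then untranslated.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Tuple5 = Tuple[str, str, int, int, str]   # src_ip, dst_ip, sport, dport, proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False      # only a TCP SYN may create new state

    def t5(self) -> Tuple5:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class Firewall:
    LAN = "192.168.1."                            # assumed inside prefix
    WAN_IP = "203.0.113.10"                       # assumed public gateway address
    PUBLISHED = {443: ("192.168.1.20", 8443)}     # reverse NAT: public port -> (server, port)

    def __init__(self) -> None:
        # Each session is stored twice: forward key -> translated tuple,
        # reply key -> untranslated tuple.  (No ageing in this model.)
        self.sessions: Dict[Tuple5, Tuple5] = {}
        self.next_port = 40000

    def _alloc_port(self) -> int:
        p, self.next_port = self.next_port, self.next_port + 1
        return p

    def _install(self, orig: Tuple5, xlated: Tuple5) -> None:
        """Record both directions so replies are matched and reverse-translated."""
        reply_in = (xlated[1], xlated[0], xlated[3], xlated[2], xlated[4])
        reply_out = (orig[1], orig[0], orig[3], orig[2], orig[4])
        self.sessions[orig] = xlated
        self.sessions[reply_in] = reply_out

    def process(self, pkt: Packet) -> Optional[Tuple5]:
        """Return the 5-tuple as forwarded, or None if the packet is dropped."""
        key = pkt.t5()
        if key in self.sessions:                  # established flow: stateful fast path
            return self.sessions[key]
        if pkt.proto == "tcp" and not pkt.syn:
            return None                           # mid-stream packet with no state: drop
        if pkt.src.startswith(self.LAN):          # forward NAT for outbound LAN flows
            xlated = (self.WAN_IP, pkt.dst, self._alloc_port(), pkt.dport, pkt.proto)
            self._install(key, xlated)
            return xlated
        if pkt.dst == self.WAN_IP and pkt.dport in self.PUBLISHED:   # reverse NAT
            server, port = self.PUBLISHED[pkt.dport]
            xlated = (pkt.src, server, pkt.sport, port, pkt.proto)
            self._install(key, xlated)
            return xlated
        return None                               # default deny
```

The security-relevant detail is the order of checks: an inbound packet to the gateway's address is forwarded only if it is the reply half of a session the LAN side opened, or a SYN to an explicitly published port. A packet that merely "looks like" a reply (right addresses, wrong port) finds no session entry and is dropped.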