Unified Threat Management (Multi-function security)

Next Generation UTM Security Solutions: Software Architecture Discussion

Contact: Srinivasa Rao Addepalli (Srini), CTO and Chief Architect, srao@intoto.com

Security Seminar, Linley Tech 2006, Sep 21, 2006 – San Jose, California
Intoto Overview

Company: Founded 1998 in CA, USA. Santa Clara, CA – Headquarters; Hyderabad, India and Chennai, India – Development Centers; Taipei, Taiwan – Regional sales office
Customers: Top tier networking OEMs; over 120 designs with Intoto software; very large volume shipments with Intoto software
Products: Unified Threat Management (UTM) security software: Firewall, IPSec VPN, SSLVPN, IPS, Anti-Virus, Anti-Spam
Team: 240 employees

Copyright © 1998-2006 Intoto Inc. All rights reserved.
Intoto Value Proposition
Production Ready Security Software Platform

Three layers of an end-user product:
• Networking OEM: end user product (OEM branding + channel + support)
• Software ODM: production ready security software platform (Intoto security software platform: software + integration + certifications)
• Hardware ODM: hardware platform (CPU, network processor or multi-core processor; PCBA; OS & BSP)
Intoto’s iGateway™: UTM Architecture

iGateway™ UTM block diagram, top to bottom:
• Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP
• SSLVPN: Reverse Proxy, Socks App Tunnel, L2 Tunnel, Portal
• AV/AS: SMTP/S Proxy, POP3/S Proxy, HTTP Proxy, FTP Proxy, AV DB, AS DB
• IPS Config Agent
• IKEv1/v2: PKI (SCEP, OCSP, LDAP), XAUTH, EAP, IRAC, IRAS
• Authentication Services: LDAP Client, RADIUS Client, Local
• Packet engines: Firewall Policy Mgmt, Transparent Proxy Support, Application Level Gateway, Intrusion Detection/Prevention Engine, IPSec Packet Processing, TCP/IP
• Session Management and Packet processing; Traffic Policing; Traffic Shaping
• Ethernet, Bridging and WAN Protocols
• Hardware Layer: Ethernet Controllers, Crypto Acceleration, Pattern Matching Acceleration

Functionality:
• SPI Firewall
• Inline IPS
• IPSec VPN
• SSLVPN
• Anti-Virus
• Anti-Spam
• URL Filter
• Routing
• QoS
• Transparent mode support
• High availability
• Clustering
UTM: Key Problem Definition
Price/Performance

                          TODAY                                   Future Market Requirement        Change
Functionality             • Firewall + VPN appliance              • All-in-One appliance            2-5 X
(Security Appliance)      • IPS appliance
                          • Anti-virus gateway
                          • Anti-spam gateway
Performance               • 100 – 500 Mbps (individual function)  • 500 Mbps – 1 Gbps (combined    2-5 X
                                                                    functionality)
Street Price (per unit)   • Varies                                • Remains SAME                    SAME
UTM: Key Problem Definition
Software development and complexity

                       TODAY                                          Future Challenges
Functionality          • Existing working code base and shipping      • Integration complexity: IPS systems, Anti-Virus,
                         products                                       Anti-Spam; 3rd party s/w on the H/W architecture choice
                       • Open source components                       • Changing functional vector
                       • 3rd party software functions
H/W Choices            • In-house ASIC                                • Multiple vendors and choices; how to evaluate?
                       • Multiple proven commercial off-the-shelf     • Do we still need custom ASICs?
                         accelerators
S/W Architecture       • In-house development                         • Design considerations under multiple vectors (functionality,
Choices                • Extension of existing architectures            H/W choice, flexibility, budgets, time to market)
                                                                      • Build in-house vs. outsource vs. open source
Development Team       • Current in-house expertise                   • Need a large software development team
and Expertise          • Mainly bug fixes and extensions              • Lack of skilled software engineers in new architectures
                                                                      • Main questions: HOW MUCH TIME and HOW MANY PEOPLE?
UTM System Requirements

(Figure: four market segments plotted against number of users, x-axis labels <100, <250, <500, <1000, 1000-5000, 5000-50000, with a rotated arrow label that is only partly legible as "Future PERFORMANCE". The per-segment requirements and reference hardware are reproduced below.)

SMB/SME (SoC w/Crypto)
• Throughput: Up to 100 Mbps
• VPN tunnels: 500
• FW/IPS sessions: 10K
• FW policies: 1k; sessions/s: 1K
• VPN: 70 Mbps; tunnels/sec: 4
• Firewall+IPS: 100 Mbps
• Anti-Virus: 25 HTTP con./sec

Enterprise/SME (IA (x86) w/Crypto, RegEx accl)
• Throughput: Up to 1 Gbps
• VPN tunnels: 2K
• FW/IPS sessions: 100K
• FW policies: 10k; sessions/s: 5K
• VPN: 300 Mbps; tunnels/sec: 25
• Firewall+IPS: 500 Mbps
• Anti-Virus: 200 HTTP con./sec

High-end Enterprise (IA (x86, SMP)/Multi-Core CPU w/Crypto & RegEx accl)
• Throughput: Up to 2 Gbps
• VPN tunnels: 10K
• FW/IPS sessions: 250K
• FW policies: 20k; sessions/s: 15K
• VPN: 1 Gbps; tunnels/sec: 100
• Firewall/IPS: 1.5 Gbps
• Anti-Virus: 400 HTTP con./sec

Service Provider / SP-Carrier Infrastructure (Multi-Core CPU / NPU with external RegEx)
• Throughput: Up to 4 Gbps
• VPN tunnels: 250K
• FW/IPS sessions: 1M
• FW policies: 30k; sessions/s: 25K
• VPN: 2 Gbps; tunnels/sec: 500
• Firewall/IPS: 2 Gbps
• Anti-Virus: 2500 HTTP con./sec
Software Architecture Choices for UTM

SA1: Solo core model
SA2: SMP model (dual-core or a multi-core processor in SMP mode)
SA3: Drop-in clustering model (multiple solo cores)
SA4: External clustering model (load balanced by an external agent)
SA5: Bare-Metal-DataPlane™ + Control plane model (for a multi-core processor)
SA6: SA5 with clustering model (10 Gbps performance)
Software Architecture Choices for UTM
Based on industry projects

Architecture               Performance for        Full functional      Development complexity;   Maintenance
                           multi-function         availability         time to market and        complexity
                           security               (as of today)        cost                      and cost
SA1: Solo core             (graphic)              (graphic)            (graphic)                 LOW
SA2: SMP                   (graphic)              (graphic)            (graphic)                 LOW
SA3: Drop-in cluster       (graphic)              (graphic)            (graphic)                 HIGH
SA4: External cluster      (graphic)              (graphic)            (graphic)                 HIGH
SA5: Bare-Metal-DataPlane™ (graphic)              (graphic)            (graphic)                 HIGH
SA6: SA5 with cluster      (graphic)              (graphic)            (graphic)                 HIGH

(The ratings in the first three columns were graphical on the original slide and are not recoverable from the text; only the maintenance column survived.)
S/W Architecture SA1 and SA2
(Single Image or SMP Mode)

(Figure: the iGateway UTM block diagram of slide 4, split into user space and kernel space.)

User space: Embedded Management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP); SSLVPN (Reverse Proxy, Socks App Tunnel, L2 Tunnel, Portal); AV/AS (SMTP/S Proxy, POP3/S Proxy, HTTP Proxy, FTP Proxy, AV DB, AS DB); IPS Manager; IKEv1/v2 (PKI: SCEP, OCSP, LDAP; XAUTH, EAP; IRAC; IRAS); Authentication Services (LDAP Client, RADIUS Client, Local)

Kernel space: Firewall Policy Mgmt; Transparent Proxy Support; Application Level Gateway; Intrusion Detection/Prevention Engine; IPSec Packet Processing; TCP/IP; Session Management and Packet processing; Traffic Policing; Traffic Shaping; Ethernet, Bridging and WAN Protocols

• Suitable for one processor or multiple processors running in SMP mode
• Example: P4 or single Xeon system, or Dual-Xeon running SMP Linux
• Multi-core silicon with fewer than 4 cores running Linux SMP
• Firewall, IPsec packet processing, IPS and other packet processing engines run in kernel mode
• Signaling stacks such as IKE, L2TP, AV/AS and routing engines run in user space
S/W Architecture SA3
(Drop-in Clustering Model)

• Group of like devices working together to improve performance
• No external load redirector: one device takes responsibility for load distribution on a per-session basis (drop-in)
• Complexity of implementation:
  • Configuration synchronization, master election, load distribution algorithms, liveness check and automatic re-adjustment of load distribution, exception to load balancing (ETL)
  • Facility to forward traffic at the drop-in module
S/W Architecture SA4
(External Clustering Model)

(Figure: Device/blade 1 through Device/blade n, each running iGateway-UTM, attached over a back plane to a network processor blade doing session distribution; a separate management processor runs the iGateway configuration application.)

• Similar to drop-in clustering, except that an external network processor does the session distribution
• Each device/blade can run on general purpose processors or a multi-core processor

EXAMPLE IMPLEMENTATION: a network processor is used for session distribution; more than 4 general purpose processors run the security functions as separate devices.
S/W Architecture SA5
Fully loaded Multi Core processor – UTM design considerations

Typical market requirements
– Line rate throughput of firewall, IPS and IPsec VPN.
   • Minimum of 3 Gbps with Firewall and IPS
   • Minimum of 3 Gbps with Firewall and IPsec VPN
– High connection rate with firewall and IPS
   • Every 1 Gbps requires 25,000 connections/sec.
   • 75,000 connections/sec are required to saturate 3 Gbps of bandwidth.

Decisions and Recommendations
– Run the complete firewall, IPS and IPsec VPN packet processing functionality on a bare-metal OS: the data plane.
– Run signaling daemons, routing daemons and AV/AS functionality in the control plane, running Linux.
– Divide the number of cores between control plane and data plane based on application performance requirements and market segment.
– Take advantage of hardware capabilities such as flow identification, checksum verification, symmetric and public-key crypto acceleration and DFA acceleration.
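The per-session load distribution that SA3 and SA4 rely on, and the flow-identification step of the SA5 data plane, all hinge on one property: both directions of a session must reach the same owner (core, device or blade), or stateful firewall and IPS inspection silently breaks for the reply traffic. The C block below is an added example written for this page, not Intoto's iGateway code. It shows a naive packet-order 5-tuple hash beside a direction-independent one, and an owner-selection function with a pinned-owner exception for IPsec ESP/AH, which is this example's own interpretation of the slide's "exception to load balancing" (the slide does not define ETL). The `flow_key_t` type, all function names, the sample addresses and the seed value are constructed for the example.

```c
/* Added example, not Intoto's iGateway code: direction-independent 5-tuple
 * hashing for per-session load distribution across data-plane cores (SA5)
 * or cluster members (SA3/SA4). A stateful firewall/IPS must see both
 * directions of a session on the same owner. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_ESP 50
#define PROTO_AH  51

typedef struct {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* 0 for port-less protocols (ESP/AH) */
    uint8_t  proto;
} flow_key_t;

/* Jenkins one-at-a-time hash. Draw the seed from a random source at boot so
 * an attacker cannot precompute flows that all land on one owner. */
static uint32_t oaat_hash(const uint8_t *p, size_t n, uint32_t seed)
{
    uint32_t h = seed;
    for (size_t i = 0; i < n; i++) {
        h += p[i];
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Serialise (ip_a, ip_b, port_a, port_b, proto) big-endian and hash it. */
static uint32_t hash_tuple(uint32_t ip_a, uint32_t ip_b, uint16_t pt_a,
                           uint16_t pt_b, uint8_t proto, uint32_t seed)
{
    uint8_t b[13];
    for (int i = 0; i < 4; i++) {
        b[i]     = (uint8_t)(ip_a >> (24 - 8 * i));
        b[4 + i] = (uint8_t)(ip_b >> (24 - 8 * i));
    }
    b[8]  = (uint8_t)(pt_a >> 8); b[9]  = (uint8_t)pt_a;
    b[10] = (uint8_t)(pt_b >> 8); b[11] = (uint8_t)pt_b;
    b[12] = proto;
    return oaat_hash(b, sizeof b, seed);
}

/* Naive hash: fields in packet order. The reply (src/dst swapped) hashes
 * differently, so its owner has no session state for it. */
uint32_t naive_flow_hash(const flow_key_t *k, uint32_t seed)
{
    return hash_tuple(k->src_ip, k->dst_ip, k->src_port, k->dst_port,
                      k->proto, seed);
}

/* Symmetric hash: put the endpoints in canonical order first, so A->B and
 * B->A serialise to the same bytes. */
uint32_t symmetric_flow_hash(const flow_key_t *k, uint32_t seed)
{
    int swap = k->src_ip > k->dst_ip ||
               (k->src_ip == k->dst_ip && k->src_port > k->dst_port);
    if (swap)
        return hash_tuple(k->dst_ip, k->src_ip, k->dst_port, k->src_port,
                          k->proto, seed);
    return naive_flow_hash(k, seed);
}

/* Owner selection with an "exception to load balancing" hook. The slide
 * names ETL without defining it; as an assumption here, IPsec ESP/AH is
 * pinned to the owner terminating the tunnel (its SA state is not shared)
 * and everything else is spread by the symmetric hash. Returns [0, n). */
unsigned select_owner(const flow_key_t *k, unsigned n_owners,
                      unsigned ipsec_owner, uint32_t seed)
{
    if (n_owners == 0)
        return 0;
    if (k->proto == PROTO_ESP || k->proto == PROTO_AH)
        return ipsec_owner % n_owners;
    return symmetric_flow_hash(k, seed) % n_owners;
}

/* Key carried by the reply packet of flow k. */
flow_key_t reverse_key(const flow_key_t *k)
{
    flow_key_t r = { k->dst_ip, k->src_ip, k->dst_port, k->src_port, k->proto };
    return r;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1:40000 -> 192.168.1.5:443 over TCP. */
    flow_key_t f = { 0x0A000001u, 0xC0A80105u, 40000, 443, PROTO_TCP };
    flow_key_t r = reverse_key(&f);
    uint32_t seed = 0x5EED1234u;  /* fixed for the demo only */
    printf("naive: fwd=%u rev=%u  symmetric: fwd=%u rev=%u\n",
           naive_flow_hash(&f, seed) % 8, naive_flow_hash(&r, seed) % 8,
           select_owner(&f, 8, 0, seed), select_owner(&r, 8, 0, seed));
    return 0;
}
```

Two practical notes. First, the seed matters for more than distribution quality: a fixed, guessable seed lets an attacker craft many sessions that all hash to one core or blade and exhaust that owner's session table while the rest of the cluster idles, which is why the comment insists on a per-boot random seed. Second, the symmetric hash does not by itself cover NAT or proxied (ALG) traffic, where the post-translation 5-tuple differs from the pre-translation one; those flows need either a lookup of the translated key or the same pinning treatment the example applies to IPsec.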



S/W Architecture SA5
(Bare-Metal-DataPlane™ architecture)

(Figure: the iGateway UTM blocks split into a Linux control plane and a bare-metal data plane, connected by CP-DP communication.)

Control Plane: Embedded Management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP); SSLVPN (Reverse Proxy, Socks App Tunnel, L2 Tunnel, Portal); AV/AS (SMTP/S Proxy, POP3/S Proxy, HTTP Proxy, FTP Proxy, AV DB, AS DB); IPS Config agent; IKEv1/v2 (PKI: SCEP, OCSP, LDAP; XAUTH, EAP; IRAC; IRAS); Authentication Services (LDAP Client, RADIUS Client, Local)

CP-DP communication

Data Plane: Firewall Policy Mgmt; Transparent Proxy Support; Application Level Gateway; Intrusion Detection/Prevention Engine; URL filter; IPSec Packet Processing; Session Management and Packet processing; Traffic Policing; Traffic Shaping; Ethernet, Bridging and WAN Protocols; Octeon/RLR HAL + Common Modules
S/W Architecture SA6
(Bare-Metal-DataPlane™ with clustering)

(Figure: two or more SA5 nodes side by side, each with its own control plane and data plane; the management layer of each node adds a CMS Agent.)

Control plane (per node): Management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP, CMS Agent); SSLVPN (Reverse Proxy, Socks App Tunnel, L2 Tunnel, Portal); AV/AS (SMTP/S Proxy, POP3/S Proxy, HTTP Proxy, FTP Proxy, AV DB, AS DB); Config agent; IKEv1/v2 (PKI: SCEP, OCSP, LDAP; XAUTH, EAP; IRAC; IRAS); Authentication Services (LDAP Client, RADIUS Client, Local)

Data plane (per node): Firewall Policy Mgmt; Transparent Proxy Support; Application Level Gateway; Intrusion Detection/Prevention; URL filter; IPSec
                                                                                                                                                   Support        Gateway
                                                                                                                                                                  Gateway                                   Packet
                                                                                                                                                                                                             Packet
                                                         Level
                                                         Level                      filter      IPSec
                                                                                                IPSec                 Octeon/
                                                                                                                      Octeon/                                                      Engine
                                                                                                                                                                                   Engine
                    Policy Mgmt
                    Policy Mgmt       Support                        Prevention
                                                                     Prevention     filter                                                                                                                  Process
          Octeon/                     Support           Gateway
                                                        Gateway                                Packet
                                                                                                Packet                RLR HAL
                                                                                                                      RLR HAL                                                                               Process
          Octeon/                                                      Engine
                                                                       Engine
                                                                                                                         +
          RLR HAL
          RLR HAL
             +
             +                    Session Management and Packet processing
                                  Session Management and Packet processing
                                                                                               Process
                                                                                               Process
                                                                                                              Inter      +
                                                                                                                      Common
                                                                                                                      Common
                                                                                                                                               Session Management and Packet processing
                                                                                                                                               Session Management and Packet processing
                                                                                                                      Modules
          Common
          Common
          Modules
          Modules
                                                                                                               DP     Modules
                                                                                                                                      Traffic Policing
                                                                                                                                      Traffic Policing                                          Traffic Shaping
                                                                                                                                                                                                Traffic Shaping
                         Traffic Policing
                         Traffic Policing                                          Traffic Shaping
                                                                                   Traffic Shaping
                                                                                                                                                         Ethernet, Bridging and WAN Protocols
                                                                                                                                                         Ethernet, Bridging and WAN Protocols
                                            Ethernet, Bridging and WAN Protocols
                                            Ethernet, Bridging and WAN Protocols


                                                                                                                                                                                                                                   Data plane



• Scales to 10Gbps and above
• Multiple data plane instances and control plane instances.
• Flexibility to add more control plane instances to achieve higher performance of deep data inspection related security engines such as anti-X
• Flexibility to add more data plane instances to achieve higher performance of packet processing engines.




Case Study: 1
iGateway™ on Cavium OCTEON Processor

Demonstrated at Interop, Las Vegas, 5/4/06
 – iGateway Firewall
 – Performance 4Gbps

Other functions being implemented

Case Study: 2
iGateway™ on RMI XLR Processor

Demonstrated at Interop, Las Vegas, 5/4/06
 – iGateway Firewall
 – Performance 4Gbps

Other functions being implemented

Case Study: 3
Tarari content acceleration

IntruPro IPS (Measured performance with TARARI Accelerator)
 – Pentium 4 w/ Tarari RegEx acceleration card
 – Near 3X HTTP connection rate improvement over S/W only

Unified Threat Management
      (Multi-function security)




  Thank you.

Srinivasa Rao Addepalli (Srini)
   CTO and Chief Architect
   Email : srao@intoto.com
Key UTM Functionality
Intoto iGateway Security Functionality Details

Backup slides
Intoto’s iGateway™: UTM Functionality

Features
 – Stateful inspection firewall with forward and reverse NAT
 – Signature, protocol anomaly and traffic anomaly based Intrusion Prevention system with protocol intelligent processing modules
 – IPsec VPN for data security supporting site-to-site, hub-and-spoke, route based VPN and remote user access capabilities
 – SSL VPN supporting browser based access, application tunnel and full tunnel modes
 – Anti Virus running transparently, scanning and cleaning viruses in HTTP objects and emails
 – Anti Spam running transparently and removing/marking spam emails
 – URL Filter
 – QoS (Traffic Policing and Traffic Shaping)
 – L2 (Transparent) mode support
 – User based profiles – ACLs, Bandwidth, URLF, etc.
 – High availability support.
 – Clustering support.



iGateway™ Firewall

Stateful inspection firewall
 – Defense against DoS & DDoS attacks
 – Application level filtering & cookie filtering
 – Event logging (SMTP client, syslog client)
 – ICSA Certification

Comprehensive configuration
 – Granular, user specific policies
     • Traffic type, protocol/port, direction, source/destination, time of the day as well as authentication based access
 – Security domain specific policies
 – User based profiles. (User can be authenticated using HTTP Portal, 802.1x, IKE etc.)

Comprehensive NAT w/ ALGs
 – ALGs (application layer gateways)
     • Communications, security, video and gaming

[Diagram: iGateway™ Firewall architecture. Administration and Management Engine (Syslog Support, E-mail Log Export, Web Based Configuration, CLI, Event Log, Network Access Statistics); Network Access Policy Manager; Stateful Inspection Engine; Application Specific Content Filtering; NAT with ALG Support; Weekly Activation Schedule; Network Access Policy Engine (User Specific Access Policies, System-Wide Access Policies, Dynamic Remote User Access); CyberDefense Engine™ (IP Spoofing, Ping Of Death, Reassembly Attacks, DoS Attacks, Smurf, WinNuke, Land, ICMP Redirects, IP Source Routing). Inset: Firewall ALGs allow SIP connections to the Internet.]

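The CyberDefense Engine box on the firewall slide names the classic packet-level attacks a stateful firewall screens for. The following is an added example (not Intoto code) of how such checks look in practice: it parses a raw IPv4 header and flags Land, IP spoofing, source routing, Ping of Death, ICMP redirects and Smurf echo requests. The sample packets, inside network and broadcast address are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
IP_OPT_LSRR = 131          # loose source route option
IP_OPT_SSRR = 137          # strict source route option
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
MAX_IP_DATAGRAM = 65535    # largest legal IPv4 datagram, header included


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the checks below need."""
    (vihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "options": pkt[20:ihl],
        "payload": pkt[ihl:total_len],
    }


def ip_option_types(options: bytes):
    """Walk the IPv4 option list and yield each option's type code."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            return
        if kind == 1:            # single-byte no-op
            i += 1
            continue
        yield kind
        if i + 1 >= len(options) or options[i + 1] < 2:
            return               # truncated or malformed option
        i += options[i + 1]


def check_packet(pkt: bytes, inside_nets, broadcast_addrs,
                 from_external: bool = True) -> list:
    """Return the verdict names that apply to one inbound IPv4 packet."""
    h = parse_ipv4(pkt)
    verdicts = []
    if h["src"] == h["dst"]:                       # Land
        verdicts.append("LAND")
    # Spoofing: a packet from the external interface claims an inside source
    if from_external and any(h["src"] in net for net in inside_nets):
        verdicts.append("IP_SPOOFING")
    if set(ip_option_types(h["options"])) & {IP_OPT_LSRR, IP_OPT_SSRR}:
        verdicts.append("IP_SOURCE_ROUTING")
    # Ping of Death: this fragment would push the reassembled datagram
    # past the 65535-byte limit (offset + fragment data + base header)
    frag_data = h["total_len"] - h["ihl"]
    if h["frag_offset"] + frag_data + 20 > MAX_IP_DATAGRAM:
        verdicts.append("PING_OF_DEATH")
    if h["proto"] == IPPROTO_ICMP and h["frag_offset"] == 0 and h["payload"]:
        icmp_type = h["payload"][0]
        if icmp_type == ICMP_REDIRECT:
            verdicts.append("ICMP_REDIRECT")
        # Smurf: echo request aimed at a directed-broadcast address
        if icmp_type == ICMP_ECHO_REQUEST and h["dst"] in broadcast_addrs:
            verdicts.append("SMURF")
    return verdicts


def build_ipv4(src, dst, proto, payload=b"", options=b"", frag_offset=0):
    """Build a minimal IPv4 packet (zero checksum) as constructed test input."""
    options += b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, frag_offset // 8, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


# Constructed sample packets: one per attack class plus one benign packet
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BROADCASTS = {ipaddress.IPv4Address("10.255.255.255")}
SAMPLES = {
    "land": build_ipv4("203.0.113.5", "203.0.113.5", 6, b"\x00" * 20),
    "spoof": build_ipv4("10.1.2.3", "203.0.113.9", 6, b"\x00" * 20),
    "lsrr": build_ipv4("198.51.100.7", "203.0.113.9", 6, b"\x00" * 20,
                       options=bytes([IP_OPT_LSRR, 7, 4]) + b"\x00" * 4),
    "pod": build_ipv4("198.51.100.7", "203.0.113.9", IPPROTO_ICMP,
                      b"\x00" * 100, frag_offset=65520),
    "smurf": build_ipv4("198.51.100.7", "10.255.255.255", IPPROTO_ICMP,
                        bytes([ICMP_ECHO_REQUEST, 0]) + b"\x00" * 6),
    "redirect": build_ipv4("198.51.100.1", "203.0.113.9", IPPROTO_ICMP,
                           bytes([ICMP_REDIRECT, 1]) + b"\x00" * 6),
    "clean": build_ipv4("198.51.100.7", "203.0.113.9", 6, b"\x00" * 20),
}


def scan_samples() -> dict:
    """Run every sample through the checks; returns {name: [verdicts]}."""
    return {name: check_packet(pkt, INSIDE_NETS, BROADCASTS)
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in scan_samples().items():
        print(f"{name:9s} -> {verdicts or ['OK']}")
```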
iGateway™ VPN (IPsec/IKE)

Proven interoperability
 – ICSA and VPNC certified

VPN protocol support
 – Layer 3: IPSec, IKE PKI (and IKEv2)
 – Layer 2: PPTP and L2TP
 – Certificates: Support for X.509v3 including SCEP, OCSP, PKCS 7, 10 and LDAP client for CRL retrieval

Advanced Features
 – Granular policy management for specific protocols
 – DPD (Dead peer detection), DPTD (Dead peer tunnel detection)
 – NAT traversal V2
 – Security Domain based policy support
 – IKEv2 Support
 – Hardware encryption accelerator support

[Diagram: iGateway™ VPN architecture. IKE v1 and v2 Engine (OCSP Client, RADIUS Client, LDAP Client, SECP Client, XAuth, NGM, Mode Config, EAP, IKE Policy Manager, Certificate Manager, IKE-IPSec APIs); BSD Sockets, UDP Interface, ICMP Interface; IPsecDrv; IPsec Engine (IPSec APIs, SPD, SAD, MKMD, AH/ESP); IP Layer; Public Key Crypto APIs and Symmetric Key Crypto APIs, each backed by a Software Crypto Library and a PKEP/SKEP Driver; Link Layer; Public Key Encryption Processor and Symmetric Key Encryption Processor; Physical Layer.]

iGateway™ IKEv2


IKEv2 basics
– Latest IETF standard for IPsec VPNs
   • Most popular VPN standard for enterprises and carriers
– Improved performance, security and reliability
– IPv6 support

Mobility capabilities
– Enables use of standardized GSM SIM authentication
  through EAP
– IRAS and IRAC support


Standardized and simplified client configuration
– IP addresses, DNS addresses and netmasks
– IKEv1 applications are upgradeable to IKEv2


Intoto IntruPro™ IPS


IntruPro Inline IPS sensor
 – Advanced detection techniques with stateful application intelligence
     • Greater accuracy over traditional IPS
     • Reduced false positives & high performance
 – Protocol anomaly detection
 – Traffic learning and anomaly detection, with prevention applied for a configurable amount of time.

IntruPro Inline IPS Manager
 – Comprehensive configuration capabilities with support for multiple sensors
 – Correlation
 – Real time monitors and reporting capabilities
 – Active feedback mechanism.

Centralized signature updates
 – Intoto produces IPS signature updates
 – Provides centralized update capabilities



IntruPro™ IPS Manager


Comprehensive Configuration
 – Configure and tune to increase system effectiveness & reduce false positives
 – Supports multiple sensors

Real-time Monitoring and Alerts
 – Configurable alert generation for event notification
 – Real time attack graphs to monitor intrusions

Extensive Reporting
 – Report generation based on user configured parameters
 – Intuitive charts and logs for forensic analysis




iGateway™ SSL-VPN

Operational Modes
 – Basic Mode
     • Portal
     • Webified Applications
 – Port-forwarding Mode (Java applet)
     • HTTP/SOCKS/Email proxies
 – Hybrid Mode (Java applet)
     • L2/L3 tunneling over SSL
     • All applications supported

Complete management
 – AAAA: Authentication, Authorization, Access, Audit
 – Fine-grain security policies

Customizable UI

Seamless integration with Intoto iGateway products
 – e.g. Firewall, VPN, IPS

ICSA certifiable

[Diagram: Application Connector Architecture. Endpoint Control, CLI, Secure Web Portal; XML Control Plane; Management; Authentication, Authorization, Access Control, Audit (AAAA); Web connector (HTTP/HTTPS); Email connector (SMTP, POP3, IMAP); File Share connectors (SMB/CIFS, WebDAV); Generic Application Connectors (TCP/UDP forwarder, SOCKS Proxy); VPN Connector (PPP over SSL); SSL; Caching & Crypto Acceleration; TCP/UDP/IP.]

iGateway™ SSL-VPN
      Web Portal – User Pages

User Home page
–   Collection of quick access links: Intranet, Files, Email, specific applications
–   User-specific configuration



Customization
–   UI completely decoupled; pages may be stored outside the box
–   Portal functions accessible through XML requests
–   Easy Admin customization of UI
     •   Colors, icons, banners, msg-of-the-day




iGateway™ Anti-Virus & Anti-Spam

Functionality
– Complete protocol proxy implementation; acts as both server and client.

– Configurable to act as a fully transparent proxy or as a standard proxy.

– Any vendor's AV or AS engine can be hooked into the proxies.

– Multiple AV engines or AS engines can be used.

– Statistics collection and historical review.

– Log collection and storage.

– Actions upon virus/spam detection: decorate subject; send notification to the
  sender (in case of SMTP); decorate subject with email body detached; remove
  email without any notification to sender or receiver.

– Block sender (SMTP) or receiver (POP3) for a configurable amount of time
  when a throttling-based anomaly is detected.


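The Anti-Virus & Anti-Spam proxy behaviour on the slide above (vendor engines hooked into the proxy, multiple engines chained, a configurable action per verdict, and time-limited blocking of a sender after a throttling anomaly), modelled as an added Python example that is not Intoto code. The engine callables, the mail addresses and mail contents are constructed for the demo, and the action names are my own labels for the four actions the slide lists.

```python
# Added example, not Intoto code: a small model of the AV/AS proxy policy on the
# slide above. Engines, addresses and mail contents are constructed for the demo.
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Callable, Dict, List, Optional

CLEAN, VIRUS, SPAM = "clean", "virus", "spam"
Engine = Callable[[EmailMessage], str]  # any vendor engine adapted to: message in, verdict out

def keyword_spam_engine(msg: EmailMessage) -> str:
    """Toy anti-spam engine (constructed): flags one marker in the subject."""
    return SPAM if "FREE $$$" in str(msg["Subject"] or "") else CLEAN

def eicar_av_engine(msg: EmailMessage) -> str:
    """Toy anti-virus engine (constructed): looks for the EICAR test-file marker in text parts."""
    texts = (p.get_content() for p in msg.walk() if p.get_content_maintype() == "text")
    return VIRUS if any("EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in t for t in texts) else CLEAN

@dataclass
class ProxyPolicy:
    actions: Dict[str, str]        # verdict -> decorate | decorate_detach | notify_sender | drop
    throttle_limit: int = 3        # detections inside the window that block the sender
    throttle_window: float = 60.0  # seconds
    block_duration: float = 300.0  # seconds the sender stays blocked

@dataclass
class ProxyResult:
    verdict: str
    action: str
    message: Optional[EmailMessage]  # None when the mail was removed
    notify: Optional[str] = None     # sender to notify (SMTP notification action)

class AvAsProxy:
    def __init__(self, engines: List[Engine], pol: ProxyPolicy, clock: Callable[[], float]):
        self.engines, self.pol, self.clock = engines, pol, clock
        self._hits: Dict[str, List[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, sender: str) -> bool:
        return self.clock() < self._blocked_until.get(sender, float("-inf"))

    def _record_hit(self, sender: str) -> None:
        """Sliding-window throttle: repeated detections from one sender block it for a while."""
        now = self.clock()
        hits = [t for t in self._hits.get(sender, []) if now - t < self.pol.throttle_window]
        hits.append(now)
        self._hits[sender] = hits
        if len(hits) >= self.pol.throttle_limit:
            self._blocked_until[sender] = now + self.pol.block_duration

    def scan(self, raw: bytes) -> ProxyResult:
        """Run the hooked engines over one mail, then apply the configured action."""
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        sender = str(msg["From"] or "")
        if self.is_blocked(sender):
            return ProxyResult("blocked", "drop", None)
        # Engines are chained; the first non-clean verdict wins and stops scanning.
        verdict = next((v for v in (e(msg) for e in self.engines) if v != CLEAN), CLEAN)
        if verdict == CLEAN:
            return ProxyResult(CLEAN, "deliver", msg)
        self._record_hit(sender)
        return self._apply(self.pol.actions.get(verdict, "drop"), verdict, msg, sender)

    @staticmethod
    def _apply(action: str, verdict: str, msg: EmailMessage, sender: str) -> ProxyResult:
        if action in ("decorate", "decorate_detach"):
            tagged = f"[{verdict.upper()}] " + str(msg["Subject"] or "")
            del msg["Subject"]  # Subject is a unique header; remove before re-adding
            msg["Subject"] = tagged
            if action == "decorate":
                return ProxyResult(verdict, action, msg)
            stub = EmailMessage(policy=policy.default)  # headers kept, body detached
            for name in [n for n in ("From", "To", "Subject") if n in msg]:
                stub[name] = str(msg[name])
            stub.set_content(f"Body removed by gateway: {verdict} detected.")
            return ProxyResult(verdict, action, stub)
        if action == "notify_sender":
            return ProxyResult(verdict, action, None, notify=sender)
        return ProxyResult(verdict, "drop", None)  # silent removal

def demo() -> Dict[str, str]:
    """Constructed sample run with a controllable clock so the throttle is observable."""
    now = [1000.0]
    pol = ProxyPolicy({VIRUS: "decorate_detach", SPAM: "decorate"}, throttle_limit=2)
    proxy = AvAsProxy([eicar_av_engine, keyword_spam_engine], pol, clock=lambda: now[0])
    def mail(subject: str, body: str) -> bytes:
        return f"From: sender@example.test\nTo: user@example.test\nSubject: {subject}\n\n{body}\n".encode()
    out = {"clean": proxy.scan(mail("Quarterly report", "see attached")).action}
    out["spam"] = proxy.scan(mail("FREE $$$ now", "click here")).action  # 1st detection
    hit = proxy.scan(mail("invoice", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE marker"))  # 2nd: block
    out["virus"], out["virus_subject"] = hit.action, str(hit.message["Subject"])
    out["while_blocked"] = proxy.scan(mail("hello", "plain text")).verdict
    now[0] += pol.block_duration + 1  # block expires
    out["after_block"] = proxy.scan(mail("hello", "plain text")).action
    return out
```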
  • 1. Unified Threat Management (Multi-function security) Next Generation UTM Security Solutions Software Architecture Discussion Contact: Srinivasa Rao Addepalli (Srini) CTO and Chief Architect srao@intoto.com Security Seminar Linley Tech 2006 Sep 21, 2006 – San Jose, California
  • 2. Intoto Overview Founded 1998 in CA, USA Santa Clara, CA – Headquarters Company Hyderabad, India and Chennai, India – Development Center Taipei, Taiwan – Regional sales office Top Tier networking OEMs Customers Over 120 designs with Intoto Software Very large volume shipments with Intoto Software Unified Threat Management (UTM) security software Products Firewall, IPSec- VPN, SSLVPN, IPS, Anti-Virus, Anti-Spam Team 240 employees Copyright © 1998-2006 Intoto Inc. All rights reserved. 2
  • 3. Intoto Value Proposition Production Ready Security Software Platform NETWORKING OEM END USER PRODUCT (OEM Branding + Channel + Support) SOFTWARE ODM PRODUCTION READY SECURITY SOFTWARE PLATFORM (Intoto Security Software Platform Software + Integration + Certifications) HARDWARE PLATFORM HARDWARE ODM (CPU, Network Processor or Multi-core processor; PCBA; OS & BSP) Copyright © 1998-2006 Intoto Inc. All rights reserved. 3
  • 4. Intoto’s iGateway™: UTM Architecture iGateway™ UTM Functionality Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP •SPI Firewall SSLVPN SSLVPN AV/AS AV/AS IKEv1/v2 Authentication Authentication •Inline IPS Services Services SMTP/S SMTP/S PKI (SCEP, OCSP, •IPSec VPN Reverse Proxy Proxy AV Proxy Proxy IPS IPS LDAP) Socks App Socks App DB Config Config POP3/s Proxy POP3/s Proxy XAUTH, EAP LDAP Client •SSLVPN Tunnel Tunnel Agent Agent L2 Tunnel L2 Tunnel HTTP Proxy AS IRAC RADIUS Client AS •Anti-Virus Portal FTP Proxy DB DB IRAS Local IRAS Local •Anti-Spam Intrusion Transparent Application Application •URL Filter Firewall Firewall Detection/ Proxy Level Level Policy Mgmt Policy Mgmt Prevention IPSec Packet Support Gateway TCP/ TCP/ Engine Processing •Routing IP IP Session Management and Packet processing •QoS Traffic Policing Traffic Shaping Traffic Shaping •Transparent mode support Ethernet, Bridging and WAN Protocols Ethernet, Bridging and WAN Protocols •High availability Hardware Layer •Clustering Ethernet Controllers Crypto Acceleration Pattern Matching Acceleration Copyright © 1998-2006 Intoto Inc. All rights reserved. 4
  • 5. UTM: Key Problem Definition Price/Performance TODAY Future Market Requirement Functionality • Firewall + VPN appliance • IPS appliance 2-5 X (Security • All-in-One appliance Appliance) • Anti-virus gateway • Anti-spam gateway • 500 Mbps – 1 Gbps (Combined 2-5 X Performance • 100 – 500 Mbps (individual function) functionality) Street Price SAME • Varies • Remains SAME (per unit) Copyright © 1998-2006 Intoto Inc. All rights reserved. 5
  • 6. UTM: Key Problem Definition Software development and complexity TODAY Future Challenges • Integration Complexity • Existing working code base; and • IPS systems, Anti-Virus, Anti-Spam shipping products Functionality • Open source components • 3rd Party s/w on H/W architecture choice • 3rd party software functions • Changing functional vector • In-house ASIC • Multiple vendors and choices how to H/W Choices • Multiple proven commercial off-the- evaluate; shelf accelerators • Do we still need custom ASICs? • Design considerations under multiple S/W vectors (functionality, H/W choice, • In-house development Architecture • Extension of existing architectures flexibility, budgets, time to market) Choices • Build in-house vs. Outsource vs. open source • Need a large software development team Development • Lack of skilled software engineers in new • Current in-house expertise Team and architectures • Mainly bug fixes and extensions EXPERTISE • Main QUESTIONS: HOW MUCH TIME and HOW MANY PEOPLE? Copyright © 1998-2006 Intoto Inc. All rights reserved. 6
  • 7. UTM System Requirements SP/Carrier Service Provider • Throughput: Up to 4Gbps Infrastructure • VPN tunnels: 250K • FW/IPS sessions: 1M • FW policies: 30k; sessions/s:25K • VPN: 2Gbps; Tunnels/sec: 500 • Firewall/IPS: 2Gbps Multi-Core CPU / NPU with • Anti Virus: 2500 HTTP con./sec External RegEx High-end High-end Enterprise •Throughput: Up to 2Gbps Enterprise •VPN tunnels: 10K •FW/IPS sessions: 250K •FW policies: 20k; sessions/s:15K •VPN: 1Gbps; Tunnels/sec: 100 •Firewall/IPS: 1.5Gbps •Anti Virus: 400 HTTP con./sec IA (x86, SMP)/Multi-Core CPU w/Crypto & RegEx accl Enterprise/SME Enterprise EN E M NC •Throughput: Up to 1Gbps T VE A •VPN tunnels: 2K O M •FW/IPS sessions: 100K M OR •FW policies: 10k; sessions/s:5K R F •VPN: 300Mbps; Tunnels/sec: 25 O ER •Firewall+IPS: 500Mbps CT e P •Anti Virus: 200 HTTP con./sec IA (x86) w/Crypto, Regex VE tur accl Fu SMB/SME SMB/SME •Throughput: Up to 100Mbps •VPN tunnels: 500 •FW/IPS sessions: 10K •FW policies: 1k; sessions/s:1K •VPN: 70Mbps; Tunnels/sec: 4 •Firewall+IPS: 100Mbps •Anti Virus: 25 HTTP con./sec SoC w/Crypto <100 <250 <500 <1000 5000- 50000- 1000 5000 Number of Users Copyright © 1998-2006 Intoto Inc. All rights reserved. 7
  • 8. Software Architecture Choices for UTM SA1: Solo core model SA2: SMP model (Dual-core or a multi-core processor in SMP mode) SA3: Drop-in clustering model (Multi solo cores) SA4: External clustering model (Load balanced by external agent) SA5: Bare-Metal-DataPlane™ + Control plane model (for Multi-core processor) SA6: SA5 with clustering model (10 Gbps performance) Copyright © 1998-2006 Intoto Inc. All rights reserved. 8
  • 9. Software Architecture Choices for UTM Based on industry projects Development Performance for Full Functional Maintenance Complexity; Time Multi-function Availability Complexity and to Market and Security (as of today) COST COST SA1: Solo core LOW SA2: SMP LOW SA3: Drop-in HIGH cluster SA4: External HIGH Cluster SA5: Bare-Metal- HIGH DataPlane™ SA6: SA5 With HIGH Cluster Copyright © 1998-2006 Intoto Inc. All rights reserved. 9
  • 10. S/W Architecture SA1 and SA2 (Single Image or SMP Mode) iGateway UTM •Suitable for one processor or Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP CLI, HTTP, LDSV, EMAIL, SNMP multi-processors running in SMP SSLVPN AV/AS IKEv1/v2 Authentication mode User Space Services SMTP/S PKI (SCEP, OCSP, (SCEP, • Example: P4 or single Xeon Reverse Proxy AV Proxy LDAP) Socks App IPS POP3/s Proxy DB XAUTH, EAP LDAP Client Tunnel Manager L2 Tunnel Portal HTTP Proxy FTP Proxy AS DB IRAC IRAS RADIUS Client Local system or Dual-Xeon running Intrusion SMP Linux Transparent Application Firewall Detection/ Proxy Level Policy Mgmt Prevention IPSec Packet Support Gateway Kernel Space TCP/ Engine Processing IP Session Management and Packet processing •Multi-Core silicon with less than Traffic Policing Traffic Traffic Shaping Traffic 4 cores running Linux SMP. Ethernet, Bridging and WAN Protocols •Firewall, IPsec packet processing, IPS and other packet processing engines run in Kernel mode. •Signaling stacks such as IKE, L2TP, AV/AS and routing engines run in user space. 10
  • 11. S/W Architecture SA3 (Drop-in Clustering Model) • Group of like devices working together to improve performance • No external load redirector, a devices takes responsibility of load distribution on per session basis (Drop-in) • Complexity of implementation; • Configuration synchronization, Master election, load distribution algorithms, Liveness check and auto adjustment of load distribution, Exception to Load balancing (ETL) • Facility to forward traffic at the Drop-in module 11
  • 12. S/W Architecture SA4 (External Clustering Model) Management processor Device/blade 1 Device/blade 2 Device/blade 3 Device/blade n running running running running running iGateway iGateway-UTM iGateway-UTM iGateway-UTM iGateway-UTM configuration application Back plane Network processor blade doing session distribution • Similar to Drop-in clustering, except for external network processor doing the session distribution. EXAMPLE IMPLEMENTATION • Device/blade can be run on general Network processor is used for session distribution purpose processors Or Multi-core More than 4 General purpose processors for running processor security functions as separate devices. 12
  • 13. S/W Architecture SA5 Fully loaded Multi Core processor – UTM design considerations Typical market requirements – Line rate throughput of firewall, IPS and IPsec VPN. • Minimum of 3 Gbps with Firewall and IPS • Minimum of 3 Gbps with Firewall and IPsec VPN. – High connection rate with firewall and IPS • Every 1Gbps require 25000 connections/sec. • 75000 connections/sec is required to saturate 3Gbps bandwidth. Decisions and Recommendations – Run complete firewall, IPS and IPsec VPN packet processing functionality in with Bare metal OS – Data plane. – Run signaling daemons, routing daemons and AV/AS functionality in the control plane running Linux OS. – Divide # of cores between control plane and data plane based on application performance requirement & market segment – Take advantage of hardware capabilities such as flow identification, Checksum verifications, Symmetric and public Crypto acceleration and DFA accelerations. Copyright © 1998-2006 Intoto Inc. All rights reserved. 13
  • 14. S/W Architecture SA5 (Bare-Metal-DataPlane™ architecture) iGateway UTM Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP Embedded Management: CLI, HTTP, Control Plane Control Plane SSLVPN SSLVPN AV/AS IKEv1/v2 Authentication Services Services SMTP/S SMTP/S PKI (SCEP, OCSP, Reverse Proxy AV Proxy Proxy LDAP) Socks App Socks App DB Config POP3/s Proxy POP3/s Proxy agent XAUTH, EAP LDAP Client Tunnel Tunnel L2 Tunnel L2 Tunnel HTTP Proxy AS IRAC RADIUS Client AS Portal FTP Proxy DB DB IRAS Local Portal IRAS Local communication CP-DP Transparent Intrusion Application Application URL Firewall Firewall Proxy Detection/ Level Level filter IPSec Data Plane Policy Mgmt Prevention Data Plane Policy Mgmt Support Gateway Octeon/ Octeon/ Engine Packet RLR HAL RLR HAL Process + + Session Management and Packet processing Session Management and Packet processing Common Common Modules Modules Traffic Policing Traffic Shaping Traffic Shaping Ethernet, Bridging and WAN Protocols Copyright © 1998-2006 Intoto Inc. All rights reserved. 14
  • 15. S/W Architecture SA6 (Bare-Metal-DataPlane™ with clustering) Control Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP, CMS Agent SNMP, CMS Agent Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP, CMS Agent CMS Agent plane SSLVPN AV/AS IKEv1/v2 Authentication SSLVPN AV/AS IKEv1/v2 Authentication Services Services SMTP/S PKI (SCEP, OCSP, SMTP/S PKI (SCEP, OCSP, Reverse Proxy AV Reverse Proxy AV Proxy LDAP) Proxy LDAP) Socks App DB Config Socks App DB Config POP3/s Proxy agent XAUTH, EAP LDAP Client POP3/s Proxy agent XAUTH, EAP LDAP Client Tunnel Tunnel L2 Tunnel HTTP Proxy AS IRAC RADIUS Client L2 Tunnel HTTP Proxy AS IRAC RADIUS Client Portal FTP Proxy DB IRAS Local Portal FTP Proxy DB IRAS Local Transparent Intrusion Intrusion Transparent Application Application URL Intrusion Intrusion Firewall Firewall Proxy Detection/ Detection/ URL Transparent Transparent Application Application Proxy Level Level IPSec IPSec Firewall Detection/ URL URL Policy Mgmt Policy Mgmt Prevention Prevention filter filter Firewall Proxy Proxy Detection/ Support Support Gateway Gateway Packet Packet Level Level filter IPSec IPSec Octeon/ Octeon/ Engine Engine Policy Mgmt Policy Mgmt Support Prevention Prevention filter Process Octeon/ Support Gateway Gateway Packet Packet RLR HAL RLR HAL Process Octeon/ Engine Engine + RLR HAL RLR HAL + + Session Management and Packet processing Session Management and Packet processing Process Process Inter + Common Common Session Management and Packet processing Session Management and Packet processing Modules Common Common Modules Modules DP Modules Traffic Policing Traffic Policing Traffic Shaping Traffic Shaping Traffic Policing Traffic Policing Traffic Shaping Traffic Shaping Ethernet, Bridging and WAN Protocols Ethernet, Bridging and WAN Protocols Ethernet, Bridging and WAN Protocols Ethernet, Bridging and WAN Protocols Data plane • Scales to 10Gbps and above • Multiple data plane instances and control plane instances. 
• Flexibility to add more control plane instances to achieve higher performance of deep data inspection related security Engines such as anti-X • Flexibility to add more data plane instances to achieve higher performance of packet processing engines. Copyright © 1998-2006 Intoto Inc. All rights reserved. 15
  • 16. Case Study: 1 iGateway ™ on Cavium OCTEON Processor Demonstrated at Interop, Las Vegas, 5/4/06 – iGateway Firewall – Performance 4Gbps Other functions being implemented Copyright © 1998-2006 Intoto Inc. All rights reserved. 16
  • 17. Case Study: 2 iGateway ™ on RMI XLR Processor Demonstrated at Interop, Las Vegas, 5/4/06 – iGateway Firewall – Performance 4Gbps Other functions being implemented Copyright © 1998-2006 Intoto Inc. All rights reserved. 17
  • 18. Case Study: 3 Tarari content acceleration IntruPro IPS (Measured performance with TARARI Accelerator) – Pentium 4 w/ Tarari RegEx acceleration card – Near 3X HTTP Connection Rate Improvement over S/W only Copyright © 1998-2006 Intoto Inc. All rights reserved. 18
  • 19. Unified Threat Management (Multi-function security) Thank you. Srinivasa Rao Addepalli (Srini) CTO and Chief Architect Email : srao@intoto.com
  • 20. Key UTM Functionality Intoto iGateway Security Functionality Details Backup slides
  • 21. Intoto’s iGateway™: UTM Functionality Features – Stateful inspection firewall with forward and reverse NAT – Signature, Protocol anomaly and traffic anomaly based Intrusion Prevention system with protocol intelligent processing modules – IPsec VPN for data security supporting site-to-site, hub-and-spoke, route based VPN and remote user access capabilities – SSL VPN supporting browser based access, application tunnel and full tunnel modes – Anti Virus running transparently scanning and cleaning viruses in HTTP objects, emails – Anti Spam running transparently and removing/marking spam emails – URL Filter – QoS (Traffic Policing and Traffic Shaping) – L2 (Transparent) mode support – User based profiles – ACLs, Bandwidth, URLF, etc. – High availability support. – Clustering support. 21
  • 22. iGateway™ Firewall AdministrationEngine Management Engine Administration and Management and Stateful inspection firewall Syslog Support Syslog Support E-mailLog E-mail Export Export Log Web Based Configuration Web Based Configuration CLI CLI – Defense against DoS & DDoS attacks Event Log Event Log Network Access Policy Manager Network Access Policy Manager – Application level filtering & cookie filtering Stateful Inspection Engine Stateful Inspection Engine – Event logging (SMTP client, syslog Network Access Statistics Network Access Statistics Application Specific Content Filtering Application Specific Content Filtering client) NAT with NAT with Network Access Policy Engine Network Access Policy Engine – ICSA Certification ALG Weekly User Specific Access Policies Dynamic ALG Weekly User Specific Access Policies Dynamic Support Support Activation Activation Remote Remote Schedule Schedule System-Wide Access Policies System-Wide Access Policies User Access User Access Comprehensive configuration CyberDefense Engine™ CyberDefense Engine™ – Granular, user specific policies IP Spoofing Ping Of Death Reassembly Attacks DoS Attacks IP Spoofing Ping Of Death Reassembly Attacks DoS Attacks • Traffic type, protocol/port, direction, Smurf WinNuke Land ICMP Redirects IP Source Routing Smurf WinNuke Land ICMP Redirects IP Source Routing Source/destination, time of the day as well as authentication based access – Security domain specific policies – User based profiles. (User can be authenticated using HTTP Portal, Firewall ALGs 802.1x, IKE etc..) allow SIP connections Comprehensive NAT w/ ALGs Internet – ALGs (application layer gateways) • Communications, security, video • and gaming Copyright © 1998-2006 Intoto Inc. All rights reserved. 22
• 23. iGateway™ VPN (IPsec/IKE)
Proven interoperability
– ICSA and VPNC certified
VPN protocol support
– Layer 3: IPsec, IKE (and IKEv2)
– Layer 2: PPTP and L2TP
– Certificates: support for X.509v3 including SCEP, OCSP, PKCS 7, PKCS 10 and an LDAP client for CRL retrieval
Advanced features
– Granular policy management for specific protocols
– DPD (dead peer detection), DPTD (dead peer tunnel detection)
– NAT traversal v2
– Security domain based policy support
– IKEv2 support
– Hardware encryption accelerator support
Architecture diagram (text only): IKE v1 and v2 Engine with OCSP, RADIUS, LDAP, SCEP and EAP clients, XAuth, NGM, Mode Config, IKE Policy Manager, Certificate Manager and PKI, running over BSD sockets with UDP and ICMP interfaces; IKE-IPsec APIs down to the IPsec Engine (IPsec APIs, SPD, SAD, MKMD, AH/ESP, IPsecDrv) at the IP layer; public key and symmetric key crypto APIs backed either by the software crypto library or by PKEP/SKEP drivers for public key and symmetric key encryption processors; link and physical layers below.
• 24. iGateway™ IKEv2
IKEv2 basics
– Latest IETF standard for IPsec VPNs
  • Most popular VPN standard for enterprises and carriers
– Improved performance, security and reliability
– IPv6 support
Mobility capabilities
– Enables use of standardized GSM SIM authentication through EAP
– IRAS and IRAC support
Standardized and simplified client configuration
– IP addresses, DNS addresses and netmasks
– IKEv1 applications are upgradeable to IKEv2
• 25. Intoto IntruPro™ IPS
IntruPro Inline IPS sensor
– Advanced detection techniques with stateful application intelligence
  • Greater accuracy over traditional IPS
  • Reduced false positives & high performance
– Protocol anomaly detection
– Traffic learning, anomaly detection and prevention for a configurable amount of time
IntruPro Inline IPS Manager
– Comprehensive configuration capabilities with support for multiple sensors
– Correlation
– Real time monitors and reporting capabilities
– Active feedback mechanism
Centralized signature updates
– Intoto produces IPS signature updates
– Provides centralized update capabilities
• 26. IntruPro™ IPS Manager
Comprehensive configuration
– Configure and tune to increase system effectiveness & reduce false positives
– Supports multiple sensors
Real-time monitoring and alerts
– Configurable alert generation for event notification
– Real time attack graphs to monitor intrusions
Extensive reporting
– Report generation based on user configured parameters
– Intuitive charts and logs for forensic analysis
• 27. iGateway™ SSL-VPN
Operational modes
– Basic Mode
  • Portal
  • Webified applications
– Port-forwarding Mode (Java applet)
  • HTTP/SOCKS/Email proxies
– Hybrid Mode (Java applet)
  • L2/L3 tunneling over SSL
  • All applications supported
Complete management
– AAAA: Authentication, Authorization, Access, Audit
– Fine-grain security policies
Customizable UI
Seamless integration with Intoto iGateway products – e.g. Firewall, VPN, IPS
ICSA certifiable
Application Connector Architecture diagram (text only): Endpoint Control, CLI and Secure Web Portal on top of an XML control plane with Authentication, Authorization, Access Control, Audit (AAAA) and Management; connectors: Web connector (HTTP/HTTPS), Email connector (SMTP, POP3, IMAP), File Share connectors (SMB/CIFS, WebDAV), Generic Application Connectors (TCP/UDP forwarder, SOCKS proxy) and VPN Connector (PPP over HTTPS); all over SSL with caching & crypto acceleration on TCP/UDP/IP.
• 28. iGateway™ SSL-VPN Web Portal – User Pages
User home page
– Collection of quick access links: Intranet, files, email, specific applications
– User-specific configuration
Customization
– UI completely decoupled; pages may be stored outside the box
– Portal functions accessible through XML requests
– Easy admin customization of UI
  • Colors, icons, banners, message of the day
• 29. iGateway™ Anti-Virus & Anti-Spam
Functionality
– Complete protocol proxy implementation; acts as both server and client.
– Configurable to act as a fully transparent proxy or a standard proxy.
– Any vendor's AV or AS engine can be hooked into the proxies.
– Multiple AV engines or AS engines can be used.
– Statistics collection and review on a historical basis.
– Log collection and storage.
– Actions upon virus/spam detection: decorate the subject; send a notification to the sender (in the case of SMTP); decorate the subject with the email body detached; remove the email without any notification to sender or receiver.
– Block the sender (SMTP) or receiver (POP3) for a configurable amount of time when a throttling-based anomaly is detected.
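The last two bullets describe what the mail proxy does once an engine flags a message and how it throttles a sender or receiver. The following is an added example written for this page, not Intoto's proxy code: it applies the four listed actions to a constructed message with the standard library `email` package and keeps a sliding-window counter per address that blocks for a configurable period; the action names, thresholds and the sample message are assumptions.

```python
from collections import deque
from email import message_from_string
from email.message import EmailMessage

# Actions named on the slide for virus/spam detection (constants are this example's own)
DECORATE, NOTIFY_SENDER, DETACH_BODY, DROP = "decorate", "notify", "detach", "drop"

def apply_spam_action(raw: str, action: str, protocol: str = "SMTP"):
    """Apply the configured action to a message the AS engine flagged as spam.
    Returns (message to deliver or None, notification to the sender or None)."""
    if action == DROP:
        return None, None                      # removed, neither side is told
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    del msg["Subject"]                         # the subject is decorated in all other cases
    msg["Subject"] = "[SPAM] " + subject
    if action == DETACH_BODY:
        msg.set_payload("Message body removed by anti-spam proxy.\n")
    notice = None
    if action == NOTIFY_SENDER and protocol == "SMTP":   # sender is only reachable on SMTP
        notice = EmailMessage()
        notice["To"] = msg["From"]
        notice["Subject"] = "Your message was classified as spam"
        notice.set_content(f"Your message '{subject}' to {msg['To']} was flagged as spam.")
    return msg, notice

class Throttle:
    """Block an SMTP sender or POP3 receiver for block_secs once it exceeds
    max_msgs messages within window_secs (the throttling-based anomaly)."""
    def __init__(self, max_msgs: int, window_secs: int, block_secs: int):
        self.max_msgs, self.window, self.block = max_msgs, window_secs, block_secs
        self.seen = {}       # address -> deque of message timestamps
        self.blocked = {}    # address -> time at which the block expires

    def allow(self, addr: str, now: float) -> bool:
        if self.blocked.get(addr, 0) > now:
            return False                       # still inside the configured block period
        q = self.seen.setdefault(addr, deque())
        q.append(now)
        while q and q[0] <= now - self.window:  # forget messages outside the window
            q.popleft()
        if len(q) > self.max_msgs:
            self.blocked[addr] = now + self.block
            q.clear()
            return False
        return True

# Constructed sample message (not real mail)
SAMPLE = "From: sender@example.com\nTo: user@example.net\nSubject: Hello\n\nBuy now\n"
```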