1. Unified Threat Management
(Multi-function security)
Next Generation UTM Security Solutions
Software Architecture Discussion
Contact:
Srinivasa Rao Addepalli (Srini)
CTO and Chief Architect
srao@intoto.com
Security Seminar
Linley Tech 2006
Sep 21, 2006 – San Jose, California
2. Intoto Overview
Company: Founded 1998 in CA, USA; Santa Clara, CA – Headquarters; Hyderabad, India and Chennai, India – Development Center; Taipei, Taiwan – Regional sales office
Customers: Top Tier networking OEMs; Over 120 designs with Intoto Software; Very large volume shipments with Intoto Software
Products: Unified Threat Management (UTM) security software; Firewall, IPSec-VPN, SSLVPN, IPS, Anti-Virus, Anti-Spam
Team: 240 employees
Copyright © 1998-2006 Intoto Inc. All rights reserved. 2
3. Intoto Value Proposition
Production Ready Security Software Platform
NETWORKING OEM: END USER PRODUCT (OEM Branding + Channel + Support)
SOFTWARE ODM: PRODUCTION READY SECURITY SOFTWARE PLATFORM (Intoto Security Software Platform: Software + Integration + Certifications)
HARDWARE ODM: HARDWARE PLATFORM (CPU, Network Processor or Multi-core processor; PCBA; OS & BSP)
4. Intoto’s iGateway™: UTM Architecture
iGateway™ UTM Functionality (architecture diagram, layers top to bottom):
– Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP
– Services: SSLVPN (Reverse Proxy, Socks App, Tunnel Agent, L2 Tunnel, Portal); AV/AS (SMTP/S Proxy, POP3/s Proxy, HTTP Proxy, FTP Proxy; AV, AS, IPS, DB); IKEv1/v2 (PKI: SCEP, OCSP, LDAP; XAUTH, EAP; IRAC, IRAS); Authentication (LDAP Client, RADIUS Client, Local); DB Config
– Engines: Transparent Firewall; Application Level Proxy Support; Policy Mgmt; Intrusion Detection/Prevention Engine; IPSec Gateway; Packet Processing; TCP/IP
– Session Management and Packet processing; Traffic Policing; Traffic Shaping
– Ethernet, Bridging and WAN Protocols
– Hardware Layer: Ethernet Controllers, Crypto Acceleration, Pattern Matching Acceleration
Feature list beside the diagram:
• SPI Firewall
• Inline IPS
• IPSec VPN
• SSLVPN
• Anti-Virus
• Anti-Spam
• URL Filter
• Routing
• QoS
• Transparent mode support
• High availability
• Clustering
5. UTM: Key Problem Definition
Price/Performance
                          TODAY                                    Future Market Requirement
Functionality             • Firewall + VPN appliance               • All-in-One appliance (2-5 X)
(Security Appliance)      • IPS appliance
                          • Anti-virus gateway
                          • Anti-spam gateway
Performance               • 100 – 500 Mbps (individual function)   • 500 Mbps – 1 Gbps (combined functionality) (2-5 X)
Street Price (per unit)   • Varies                                 • Remains SAME
6. UTM: Key Problem Definition
Software development and complexity
Functionality
– TODAY: Existing working code base; IPS systems, Anti-Virus, Anti-Spam shipping products; Open source components; 3rd party software functions
– Future Challenges: Integration complexity; 3rd party s/w on H/W architecture choice; Changing functional vector
H/W Choices
– TODAY: In-house ASIC; Multiple proven commercial off-the-shelf accelerators
– Future Challenges: Multiple vendors and choices – how to evaluate; Do we still need custom ASICs?
S/W Architecture Choices
– TODAY: In-house development; Extension of existing architectures
– Future Challenges: Design considerations under multiple vectors (functionality, H/W choice, flexibility, budgets, time to market); Build in-house vs. outsource vs. open source
Development Team and EXPERTISE
– TODAY: Current in-house expertise; Mainly bug fixes and extensions
– Future Challenges: Need a large software development team; Lack of skilled software engineers in new architectures; Main QUESTIONS: HOW MUCH TIME and HOW MANY PEOPLE?
7. UTM System Requirements
SP/Carrier (Service Provider Infrastructure)
• Throughput: Up to 4Gbps
• VPN tunnels: 250K
• FW/IPS sessions: 1M
• FW policies: 30k; sessions/s: 25K
• VPN: 2Gbps; Tunnels/sec: 500
• Firewall/IPS: 2Gbps
• Anti Virus: 2500 HTTP con./sec
• Platform: Multi-Core CPU / NPU with External RegEx
High-end Enterprise
• Throughput: Up to 2Gbps
• VPN tunnels: 10K
• FW/IPS sessions: 250K
• FW policies: 20k; sessions/s: 15K
• VPN: 1Gbps; Tunnels/sec: 100
• Firewall/IPS: 1.5Gbps
• Anti Virus: 400 HTTP con./sec
• Platform: IA (x86, SMP)/Multi-Core CPU w/Crypto & RegEx accl
Enterprise/SME
• Throughput: Up to 1Gbps
• VPN tunnels: 2K
• FW/IPS sessions: 100K
• FW policies: 10k; sessions/s: 5K
• VPN: 300Mbps; Tunnels/sec: 25
• Firewall+IPS: 500Mbps
• Anti Virus: 200 HTTP con./sec
• Platform: IA (x86) w/Crypto, Regex accl
SMB/SME
• Throughput: Up to 100Mbps
• VPN tunnels: 500
• FW/IPS sessions: 10K
• FW policies: 1k; sessions/s: 1K
• VPN: 70Mbps; Tunnels/sec: 4
• Firewall+IPS: 100Mbps
• Anti Virus: 25 HTTP con./sec
• Platform: SoC w/Crypto
Chart axis: Number of Users (<100, <250, <500, <1000, 1000-5000, 5000-50000)
8. Software Architecture Choices for UTM
SA1: Solo core model
SA2: SMP model (Dual-core or a multi-core processor in SMP mode)
SA3: Drop-in clustering model (Multi solo cores)
SA4: External clustering model (Load balanced by external agent)
SA5: Bare-Metal-DataPlane™ + Control plane model (for Multi-core processor)
SA6: SA5 with clustering model (10 Gbps performance)
9. Software Architecture Choices for UTM
Based on industry projects
Criteria compared: Performance for Multi-function Security; Full Functional Availability (as of today); Development Complexity, Time to Market and COST; Maintenance Complexity and COST.
Rating (as extracted, one per architecture):
SA1: Solo core – LOW
SA2: SMP – LOW
SA3: Drop-in cluster – HIGH
SA4: External Cluster – HIGH
SA5: Bare-Metal-DataPlane™ – HIGH
SA6: SA5 With Cluster – HIGH
10. S/W Architecture SA1 and SA2
(Single Image or SMP Mode)
iGateway UTM diagram (user space / kernel space split):
– User Space: Embedded Management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP); SSLVPN, AV/AS, IKEv1/v2 and Authentication services (SMTP/S, POP3/s, HTTP and FTP proxies, Reverse Proxy, Socks App, Tunnel Manager, L2 Tunnel, Portal, AV, AS, IPS, DB; PKI (SCEP, OCSP, LDAP), XAUTH, EAP, IRAC, IRAS; LDAP Client, RADIUS Client, Local)
– Kernel Space: Transparent Firewall; Application Level Proxy Support; Policy Mgmt; Intrusion Detection/Prevention Engine; IPSec Gateway; Packet Processing; TCP/IP; Session Management and Packet processing; Traffic Policing; Traffic Shaping; Ethernet, Bridging and WAN Protocols
• Suitable for one processor or multi-processors running in SMP mode
• Example: P4 or single Xeon system or Dual-Xeon running SMP Linux
• Multi-Core silicon with less than 4 cores running Linux SMP
• Firewall, IPsec packet processing, IPS and other packet processing engines run in Kernel mode
• Signaling stacks such as IKE, L2TP, AV/AS and routing engines run in user space
11. S/W Architecture SA3
(Drop-in Clustering Model)
• Group of like devices working together to improve performance
• No external load redirector: a device takes responsibility for load distribution on a per-session basis (Drop-in)
• Complexity of implementation: configuration synchronization, master election, load distribution algorithms, liveness check and auto adjustment of load distribution, Exception to Load balancing (ETL)
• Facility to forward traffic at the Drop-in module
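The per-session ownership, liveness check and ETL items above, as an added Python model (not Intoto's code): the member ids, the 256-slot table and the lowest-id master election rule are assumptions, and rendezvous hashing is the technique chosen here so that losing a member moves only that member's sessions.

```python
"""Drop-in clustering (SA3) sketch: per-session load distribution with no
external load balancer.  Added illustration, not Intoto code; member ids,
table size and the master-election rule are assumptions for the example.
Every member hashes the session 5-tuple to a slot and ranks the live members
for that slot with rendezvous hashing, so all members agree on the owner.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field

SLOTS = 256  # size of the distribution table (assumed)


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str

    def slot(self) -> int:
        key = f"{self.src}|{self.dst}|{self.sport}|{self.dport}|{self.proto}"
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % SLOTS


def _rank(slot: int, member: str) -> int:
    """Rendezvous hash: the live member with the highest rank owns the slot."""
    return int.from_bytes(hashlib.sha256(f"{slot}:{member}".encode()).digest()[:8], "big")


@dataclass
class DropInCluster:
    members: list
    alive: set = field(default_factory=set)
    etl: dict = field(default_factory=dict)    # ETL: dport -> pinned member
    table: list = field(default_factory=list)  # slot -> owning member

    def __post_init__(self) -> None:
        self.alive = set(self.members)
        self.rebalance()

    def master(self) -> str:
        """Master election rule assumed here: lowest live member id wins."""
        return min(self.alive)

    def rebalance(self) -> None:
        self.table = [max(self.alive, key=lambda m: _rank(s, m)) for s in range(SLOTS)]

    def owner(self, t: FiveTuple) -> str:
        pinned = self.etl.get(t.dport)
        return pinned if pinned in self.alive else self.table[t.slot()]

    def forward_target(self, t: FiveTuple, here: str):
        """None when this member owns the session, else the member to forward to."""
        o = self.owner(t)
        return None if o == here else o

    def liveness_check(self, heard_from: set) -> list:
        """Drop members that missed the heartbeat; only their slots are reassigned."""
        lost = sorted(self.alive - heard_from)
        if lost:
            self.alive -= set(lost)
            self.rebalance()
        return lost

    def share(self) -> dict:
        """Slots per live member; roughly even without an external balancer."""
        return dict(Counter(self.table))
```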
12. S/W Architecture SA4
(External Clustering Model)
Diagram: Management processor running the iGateway configuration application; Device/blade 1, 2, 3 … n each running iGateway-UTM; connected over a back plane to a network processor blade doing session distribution
• Similar to Drop-in clustering, except for external network processor doing the session distribution
• Device/blade can be run on general purpose processors or multi-core processor
EXAMPLE IMPLEMENTATION
– Network processor is used for session distribution purpose
– More than 4 general purpose processors for running security functions as separate devices
13. S/W Architecture SA5
Fully loaded Multi Core processor – UTM design considerations
Typical market requirements
– Line rate throughput of firewall, IPS and IPsec VPN.
• Minimum of 3 Gbps with Firewall and IPS
• Minimum of 3 Gbps with Firewall and IPsec VPN
– High connection rate with firewall and IPS
• Every 1 Gbps requires 25000 connections/sec.
• 75000 connections/sec is required to saturate 3 Gbps bandwidth.
Decisions and Recommendations
– Run the complete firewall, IPS and IPsec VPN packet processing functionality in the data plane on a bare-metal OS.
– Run signaling daemons, routing daemons and AV/AS functionality in the control plane running Linux OS.
– Divide the number of cores between control plane and data plane based on application performance requirement and market segment.
– Take advantage of hardware capabilities such as flow identification, checksum verification, symmetric and public key crypto acceleration and DFA acceleration.
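An added sizing check for the core split recommended above (example code, not Intoto's): the 25000 connections/sec per Gbps rule and the per-segment Firewall/IPS targets are the slides' numbers, while the per-core capacities and the minimum control-plane core count are assumed inputs.

```python
"""Core-partitioning check for the SA5 (Bare-Metal-DataPlane) design.
Added illustration, not Intoto code.  The connection-rate rule and the
per-segment targets come from the slides; per-core capacities and the
minimum control-plane core count are assumed inputs.
"""
from math import ceil

CONN_PER_GBPS = 25_000  # slide: every 1 Gbps requires 25,000 connections/sec

# Firewall/IPS targets per segment, copied from the UTM System Requirements slide
SEGMENTS = {
    "SMB/SME": {"gbps": 0.1, "sessions_per_s": 1_000},
    "Enterprise/SME": {"gbps": 0.5, "sessions_per_s": 5_000},
    "High-end Enterprise": {"gbps": 1.5, "sessions_per_s": 15_000},
    "SP/Carrier": {"gbps": 2.0, "sessions_per_s": 25_000},
}


def required_conn_rate(gbps: float) -> int:
    """Connections/sec needed to saturate gbps (75,000 for 3 Gbps per the slide)."""
    return int(gbps * CONN_PER_GBPS)


def data_plane_cores(gbps, sessions_per_s, gbps_per_core, conn_per_core):
    """Data-plane cores needed and which requirement decides it.

    Bandwidth and connection rate are sized separately: session setup (policy
    lookup, table insert) costs far more per packet than fast-path forwarding,
    so a box that forwards at line rate can still fall short on new sessions.
    """
    by_bw = ceil(gbps / gbps_per_core)
    rate = max(sessions_per_s, required_conn_rate(gbps))
    by_rate = ceil(rate / conn_per_core)
    return (by_bw, "bandwidth") if by_bw >= by_rate else (by_rate, "connection rate")


def partition(total_cores, gbps, sessions_per_s, gbps_per_core, conn_per_core, min_cp=2):
    """Split the part between bare-metal data plane and Linux control plane.

    min_cp cores are reserved for IKE, routing daemons and AV/AS (assumed
    floor); raises ValueError when the target cannot be met with that reserve.
    """
    dp, why = data_plane_cores(gbps, sessions_per_s, gbps_per_core, conn_per_core)
    cp = total_cores - dp
    if cp < min_cp:
        raise ValueError(f"{dp} data-plane cores needed ({why}); only {cp} left for control plane")
    return {"data_plane": dp, "control_plane": cp, "binding": why}
```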
14. S/W Architecture SA5
(Bare-Metal-DataPlane™ architecture)
iGateway UTM diagram (Bare-Metal-DataPlane™):
– Control Plane: Embedded Management (CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP); SSLVPN, AV/AS, IKEv1/v2 and Authentication services (SMTP/S, POP3/s, HTTP and FTP proxies, Reverse Proxy, Socks App, Tunnel, L2 Tunnel, Portal, AV, AS, IPS, DB; PKI (SCEP, OCSP, LDAP), XAUTH, EAP, IRAC, IRAS; LDAP Client, RADIUS Client, Local); Config agent
– CP-DP communication
– Data Plane: Transparent Firewall; Application Level Proxy Support; Policy Mgmt; Intrusion Detection/Prevention Engine; URL filter; IPSec Gateway; Packet Process; Session Management and Packet processing; Traffic Policing; Traffic Shaping; Ethernet, Bridging and WAN Protocols; built on Octeon/RLR HAL + Common Modules
15. S/W Architecture SA6
(Bare-Metal-DataPlane™ with clustering)
Diagram: two control plane instances (Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP, CMS Agent; SSLVPN, AV/AS, IKEv1/v2 and Authentication services with Config agent) and multiple data plane instances (Transparent Firewall, Application Level Proxy Support, Policy Mgmt, Intrusion Detection/Prevention Engine, URL filter, IPSec Gateway, Packet Process, Session Management and Packet processing, Traffic Policing, Traffic Shaping, Ethernet/Bridging/WAN Protocols on Octeon/RLR HAL + Common Modules), with inter-DP communication
• Scales to 10Gbps and above
• Multiple data plane instances and control plane instances.
• Flexibility to add more control plane instances to achieve higher performance of deep data inspection related security Engines such as anti-X
• Flexibility to add more data plane instances to achieve higher performance of packet processing engines.
16. Case Study: 1
iGateway ™ on Cavium OCTEON Processor
Demonstrated at Interop,
Las Vegas, 5/4/06
– iGateway Firewall
– Performance 4Gbps
Other functions being
implemented
17. Case Study: 2
iGateway ™ on RMI XLR Processor
Demonstrated at Interop,
Las Vegas, 5/4/06
– iGateway Firewall
– Performance 4Gbps
Other functions being
implemented
18. Case Study: 3
Tarari content acceleration
IntruPro IPS (Measured performance with TARARI Accelerator)
– Pentium 4 w/ Tarari RegEx acceleration card
– Near 3X HTTP Connection Rate Improvement over S/W only
19. Unified Threat Management
(Multi-function security)
Thank you.
Srinivasa Rao Addepalli (Srini)
CTO and Chief Architect
Email : srao@intoto.com
21. Intoto’s iGateway™: UTM Functionality
Features
– Stateful inspection firewall with forward and reverse NAT
– Signature, Protocol anomaly and traffic anomaly based Intrusion Prevention system with
protocol intelligent processing modules
– IPsec VPN for data security supporting site-to-site, hub-and-spoke, route based VPN and
remote user access capabilities
– SSL VPN supporting browser based access, application tunnel and full tunnel modes
– Anti Virus running transparently scanning and cleaning viruses in HTTP objects, emails
– Anti Spam running transparently and removing/marking spam emails
– URL Filter
– QoS (Traffic Policing and Traffic Shaping)
– L2 (Transparent) mode support
– User based profiles – ACLs, Bandwidth, URLF, etc.
– High availability support.
– Clustering support.
22. iGateway™ Firewall
Stateful inspection firewall
– Defense against DoS & DDoS attacks
– Application level filtering & cookie filtering
– Event logging (SMTP client, syslog client)
– ICSA Certification
Comprehensive configuration
– Granular, user specific policies
• Traffic type, protocol/port, direction, source/destination, time of the day as well as authentication based access
– Security domain specific policies
– User based profiles (user can be authenticated using HTTP Portal, 802.1x, IKE etc.)
Comprehensive NAT w/ ALGs
– ALGs (application layer gateways)
• Communications, security, video and gaming
Diagram (firewall engines):
– Administration and Management Engine: Syslog Support; E-mail Log Export; Web Based Configuration; CLI; Event Log; Network Access Statistics
– Stateful Inspection Engine: NAT with ALG Support; Network Access Policy Manager; Network Access Policy Engine; Application Specific Content Filtering; Weekly Schedule; User Specific Access Policies; Dynamic Activation; Remote User Access; System-Wide Access Policies
– CyberDefense Engine™: IP Spoofing, Ping Of Death, Reassembly Attacks, DoS Attacks, Smurf, WinNuke, Land, ICMP Redirects, IP Source Routing
– Figure: Firewall ALGs allow SIP connections to the Internet
23. iGateway™ VPN (IPsec/IKE)
Proven interoperability
– ICSA and VPNC certified
VPN protocol support
– Layer 3: IPSec, IKE (and IKEv2)
– Layer 2: PPTP and L2TP
– Certificates: Support for X.509v3 including SCEP, OCSP, PKCS 7, 10 and LDAP client for CRL retrieval
Advanced Features
– Granular policy management for specific protocols
– DPD (Dead peer detection), DPTD (Dead peer tunnel detection)
– NAT traversal V2
– Security Domain based policy support
– IKEv2 Support
– Hardware encryption accelerator support
Diagram (IPsec/IKE stack):
– IKE v1 and v2 Engine: OCSP Client, RADIUS Client, LDAP Client, SECP Client, XAuth, NGM Mode Config, EAP, IKE Policy Manager, Certificate Manager, PKI; IKE-IPSec APIs; BSD Sockets, UDP Interface, ICMP Interface
– IPsec Engine: IPSec APIs, SPD, SAD, MKMD, AH/ESP, IPsecDrv; Public Key Crypto APIs and Symmetric Key Crypto APIs over the Software Crypto Library or the PKEP/SKEP Drivers to the Public Key / Symmetric Key Encryption Processors
– IP Layer, Link Layer, Physical Layer
24. iGateway™ IKEv2
IKEv2 basics
– Latest IETF standard for IPsec VPNs
• Most popular VPN standard for enterprises and carriers
– Improved performance, security and reliability
– IPv6 support
Mobility capabilities
– Enables use of standardized GSM SIM authentication
through EAP
– IRAS and IRAC support
Standardized and simplified client configuration
– IP addresses, DNS addresses and netmasks
– IKEv1 applications are upgradeable to IKEv2
25. Intoto IntruPro™ IPS
IntruPro Inline IPS sensor
– Advanced detection techniques with Stateful application
intelligence
• Greater accuracy over traditional IPS
• Reduced false positives & High performance
– Protocol anomaly detection
– Traffic learning and anomaly detection, with prevention for a configurable amount of time.
IntruPro Inline IPS Manager
– Comprehensive configuration
capabilities with support for multiple
sensors
– Correlation
– Real time monitors and reporting
capabilities
– Active feedback mechanism.
Centralized signature updates
– Intoto produces IPS signature updates
– Provides centralized update capabilities
26. IntruPro™ IPS Manager
Comprehensive Configuration
– Configure and tune to increase
system effectiveness & reduce false
positives
– Supports multiple sensors
Real-time Monitoring and Alerts
– Configurable alert generation for
event notification
– Real time attack graphs to monitor
intrusions
Extensive Reporting
– Report generation based on user
configured parameters
– Intuitive charts and logs for forensic
analysis
27. iGateway™ SSL-VPN
Operational Modes
– Basic Mode
• Portal
• Webified Applications
– Port-forwarding Mode (Java applet)
• HTTP/SOCKS/Email proxies
– Hybrid Mode (Java applet)
• L2/L3 tunneling over SSL
• All applications supported
Complete management
– AAAA: Authentication, Authorization, Access, Audit
– Fine-grain security policies
Customizable UI
Seamless integration with Intoto iGateway products
– e.g. Firewall, VPN, IPS
ICSA certifiable
Diagram (Application Connector Architecture): Endpoint Control, CLI, Secure Web Portal; XML Control Plane; Authentication, Authorization, Access Control, Audit (AAAA); Management; connectors: Web connector (HTTP/HTTPS), Email connector (SMTP, POP3, IMAP), File Share connectors (SMB/CIFS, WebDAV), Generic Application Connectors (TCP/UDP forwarder, SOCKS Proxy), VPN Connector (PPP over SSL); SSL; Caching & Crypto Acceleration; TCP/UDP/IP
28. iGateway™ SSL-VPN
Web Portal – User Pages
User Home page
– Collection of quick access links: Intranet,
Files, Email, specific applications
– User-specific configuration
Customization
– UI completely decoupled; pages may be
stored outside the box
– Portal functions accessible through XML
requests
– Easy Admin customization of UI
• Colors, icons, banners, msg-of-the-day
29. iGateway™ Anti-Virus & Anti-Spam
Functionality
– Complete protocol proxy implementation; acts as server and client.
– Configurable to act as a fully transparent proxy or a standard proxy.
– Any vendor AV or AS engines can be hooked to the proxies.
– Multiple AV engines or AS engines can be used.
– Statistics collection and review on a historical basis.
– Log collection and storage.
– Actions upon virus/spam detection: decorate subject; send notification to the sender (in case of SMTP); decorate subject with email body detached; remove email without any notification to sender or receiver.
– Block sender (SMTP) or receiver (POP3) for a configurable amount of time when a throttling-based anomaly is detected.