
Firewall Network Processor™: basic concept and solutions (July 2003)



Presentation transcript:

Slide 1: Firewall Network Processor™: basic concept and solutions
July 2003
[Figure: title diagram with labels: external perimeter of secure network, public Internet, SNMP data, transaction data, control commands]
™ FNP is a trademark of Fractel Incorporated

Slide 2 (Firewall Network Processor: basic concept and solutions): Content
- Introduction
- Network Processor: common aspects
- Network Processor: FNP architecture (“stealth” mode, performance, functionality)
- Conclusion

Slide 3: Introduction: distributed network concept and security aspects
Distributed network: an interconnected grid of paths without sharp boundaries between zones; the Internet is a superposition of overlay networks without a central or third-party control point.
Security aspects: all of them depend on the concept of trust, third-party or direct. Where are the boundaries of the trust?
[Figure: superposition of overlay layers and networks, with application layers Appl 1, Appl 2, ..., Appl i, ..., Appl n]

Slide 4: Multilevel network environment and security problems
[Figure: layered view from channel structure and physical nodes through the virtual grid to packet processes and application processes, with threats placed at each layer: virus attack, denial of service, intrusion, data corruption, hacking, auth - u/a packets]

Slide 5: Network security aspects: transit security and traffic regulation
[Figure: network environment with node 0, node x, node x+1, ..., node M joined by physical links (bit speed, buffer, packet drops) and a direct virtual channel; TCP protocol and TCP application feedback run over the virtual channel. Transit: packet control. Traffic: transport and application control]

Slide 6: Tasks, technology, products
Tasks: communication; share info/apps; remote access; Internet presence
Technology: filtering; tunnelling; authentication; encryption; management
Products: firewall; anti-virus; VPN; PKI; security management

Slide 7: Security concept and basic components
Concept: multi-layer packet processing that retains the openness of the Internet's original design.
Basic components:
- an administrative solution, including VLANs, Access Control Lists and MAC locks
- a special network processor which separates data traffic and provides authentication and encryption

Slide 8: Network Processor: common aspects
Definition: NPs are programmable devices aimed generally at communication tasks and packet-specific data sets.
Challenge:
- What software architectures are effective for network tasks?
- Why do we need new functionality?
- What do network processors do?
Prototypes:
- Intel IXP 1200: a special chip which combines a high-speed core with a system bus and 6 programmable microengines.
- Interphase iNAV4000: a PCI chip which offers unparalleled features including packet processing and switching.

Slide 9: Basic types of hardware architecture
GPP: general purpose processor; CSI: common switch interface (packets); PHY: physical network interface (bytes)
[Figure: three block diagrams of NP placement, labelled with GPP, RAM, PHY, CSI and system bus: NP as a co-processor; NP in line between PHY and CSI; NP with its own RAM and DMAC on the data plane, with GPP and RAM on the system bus forming the control plane]

Slide 10: FNP core
[Figure: block diagram: incoming interface(s) and incoming traffic enter a filtering module with a cache hierarchy backed by local storage and external storage; a service module (logging, authorization, UI daemon) sits alongside; outgoing traffic leaves via outgoing interface(s). Labels, with the subscript symbols lost in extraction: S s = F( 2 ), S f = F( 2 ), = F( 1, 2 )]

Slide 11: NP: basic characteristics
- manipulate packet-specific data on Internet layers 2-4
- based on an open software interface
[Figure: triangle of performance, openness, programmability]
Target: deliver hardware-level performance of packet processing tasks to a software-programmable system.

Slide 12: Packet processing tasks
Tasks: parse, modify, forward, resolve, search
Silicon design: limited flexibility; wire-speed performance
Program design: limited performance; new features can be added

Slide 13: Firewall Network Processor (FNP)
Processing tasks:
- identifying a packet based on header characteristics (address, VC, protocol, etc.)
- forwarding or discarding a packet to the appropriate interface(s) according to the security policy rules
Specific tasks (“stealth” mode):
- no modification (no updating of fields in the packet header)
- no scheduling (no queuing for specific applications)
- speed improvement through parallel processing (cluster) and pipeline processing (conveyor)

Slide 14: FNP specific design
- “stealth” mode for packet processing (no MAC or IP address on the PHY interfaces)
- “orthogonal” address spaces for control and data interfaces
- cluster architectures
- specific structure of buffer and cache memory (depends on the fractal nature of network traffic)
- multi-protocol IP/IPX scalable firewall solution
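As an added example, not from the presentation or from Fractel's product, the Python sketch below models the stealth-mode filter path of slides 13 and 14: a first-match policy keyed on layer 2-4 header fields, where a matched frame is either passed through byte-for-byte (no address rewrite, no TTL decrement) or discarded. The rule table, the addresses and the frame builder are constructed assumptions, not the FNP's own rule syntax.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed rule table (hypothetical policy, not the FNP's own rule syntax):
# (action, IP protocol or None, source net, destination net, destination port or None)
RULES = [
    ("forward", 6, "0.0.0.0/0", "192.0.2.10/32", 80),      # HTTP into the DMZ web server
    ("drop", 6, "0.0.0.0/0", "192.0.2.0/24", None),        # any other TCP into the DMZ
    ("forward", 1, "192.0.2.0/24", "0.0.0.0/0", None),     # ICMP out of the DMZ
    ("drop", None, "0.0.0.0/0", "0.0.0.0/0", None),        # default deny
]

def parse_headers(frame: bytes) -> dict:
    """Extract the layer 2-4 fields the filter keys on from an Ethernet/IPv4 frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or len(frame) < 34:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, ttl = ip[9], ip[8]
    src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
    dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP: ports follow the IP header
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "ttl": ttl}

def decide(frame: bytes) -> str:
    """First-match lookup; cost grows with the rule count (cf. throughput vs number of rules)."""
    h = parse_headers(frame)
    for action, proto, snet, dnet, dport in RULES:
        if proto is not None and proto != h["proto"]:
            continue
        if h["src"] not in ip_network(snet) or h["dst"] not in ip_network(dnet):
            continue
        if dport is not None and dport != h["dport"]:
            continue
        return action
    return "drop"   # no rule matched: fail closed

def stealth_process(frame: bytes):
    """Stealth mode: pass the frame through byte-for-byte or discard it. No MAC or IP is
    rewritten and the TTL is not decremented, so the filter owns no address and is not a hop."""
    return frame if decide(frame) == "forward" else None

def build_frame(src: str, dst: str, proto: int, dport: int = 0, ttl: int = 64) -> bytes:
    """Constructed sample: 14-byte Ethernet header, minimal IPv4 header, 4 bytes of L4 ports."""
    eth = bytes(12) + b"\x08\x00"   # zeroed MACs; a stealth port has none of its own to match
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + struct.pack("!HH", 40000, dport)
```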

Slide 15: Architecture for secure corporate network
[Figure: segments of a secure corporate network labelled: open network segment; VPN segment; Web, database portals; DNS, servers; confidential catalogues and data]

Slide 16: FNP-100 Security Platform
[Figure: appliance photo with labels: 10/100 Ethernet port (control interface); 10/100 Ethernet ports for LAN, DMZ, WAN (stealth mode) interfaces; power switch]

Slide 17: Stealth and control interfaces
[Figure: deployment diagram: the global Internet and ISP network reach a corporate router or backbone switch; an FNP-100/4 with stealth interfaces (no MAC and IP addresses) sits in front of the DMZ (Web server), the application servers and the protected network segment of the corporate network; its control interface (RS232 or Ethernet, private IP address) is reached from an admin WS via modem dial-up access, terminal access or LAN access]

Slide 18: FNP redundancy mode
[Figure: a primary domain FNP-100/2 and a redundant domain FNP-100/2, each with stealth interfaces, between the ISP network / access segment and the backbone switches of the corporate segments (router or LAN, protected servers and hosts); synchronization processes run via the control interfaces over a control VPN or a trusted distinct network segment, which also carries the control or admin WS and NAS or IDS]

Slide 19: FNP-1000 Cluster Platform
[Figure: switched network infrastructure: Global Internet access via WDM (modes 1,...,4), a MUX or multi-Gigabit VLAN Ethernet splitter feeding a cluster of FNP-1000/2 security appliances (stealth Gigabit Ethernet interfaces 1-4) in front of the access Gigabit VLAN switches; control interfaces join a control distinct network with admin WS, NAS or IDS and an internal network sensor; an FNP-100/4S with stealth interfaces protects the protected network segment on the internal Ethernet 100BT switched infrastructure]

Slide 20: Multi-layer security conveyor
[Figure: from the public Internet through the external perimeter of the secure network (FNP-100/2, router, firewalls, VPN server, Ethernet switch, DNS, Web server, common network elements) to the inner perimeter (FNP-100/4, admin WS, info security server, computing cluster / IDS system, NAS server, network storage) and the secure segment of the corporate network (corporate segments and users); flows labelled SNMP data, transaction data and control commands]

Slide 21: Performance characteristics
[Figure: two plots comparing FNP and PC: throughput (Mbps, 0-120) vs packet size (byte, 0-2000); throughput (Mbps, 0-120) vs number of rules (0-2000)]

Slide 22: Conclusion
- Network Processor (NP): a new type of programmable device for network-specific applications
- FNP or Firewall NP: a scalable network device based on an open source OS, a standard PCI platform and “stealth” interfaces
- FNP can be viewed as a platform for a broad range of network appliances based on cluster architecture and multi-layer packet processing

