Transcript Slide 1
Firewall Network Processor™: Technical Concept and Business Solutions
FNP™ is a trademark of Fractel Inc.
December 2008, Columbus
Firewall Network Processor: core concept and solutions
Content
• Introduction: business value and technology trend
• Seeking decision: concept of secure network environment and intelligent “wire”
• FNP as a patented capability to keep network infrastructure secure: technical aspects, functionality, business solution
• Summary
Key issues
Many companies:
• spend millions of dollars each year investing in business systems to make information available to authorized persons and customers
• see business value in access to Internet information infrastructure to improve employee performance
… and
• seek technology that can give employees new functionality without opening the door to attacks and unauthorized access to sensitive business data
Introduction
Basic Internet principles and the security issues they raise:
• best-effort service (no internal QoS mechanism)
• simple authentication model (trusted network environment)
Comments:
• To use the Internet as a business medium, people must take control of traffic content in its many forms (VLAN, VPN, VoIP, …) and channels (IP, P2P, …)
• A deep understanding of how employees use Internet resources requires an effective security and management solution.
Network infrastructure: are there any “right places” for investment with low risks and expense?
[Diagram: two axes, “service level” and “packet processes”, each with a “border” marking low risk and low expense; a set of “intelligent” nodes/applications sits between the two borders. Two forms of business are plotted:]
• Business in the form of “applications”. Beneficiaries: ASP, banks, electronic commerce companies, GRID computing, etc.
• Business in the form of “packet traffic”, connectivity, network access policy and bandwidth. Beneficiaries: communication hardware and software suppliers, ISP, Telco, e-PTN lines
Comments:
• business opportunity is close to the service and access “border”
• customers will deploy the security solution that suits their existing environment.
Solution examples
Technology                        added “value”
E-commerce                        wide access, turnover up
VPN                               remote office, outsourcing
Access Management, Single Sign-on employee productivity, income
Comments:
• the best investments - reduction of business expenses
• the best innovations - reduction of technology risks
Internet as a service medium: user needs - applications
[Diagram: applications reached at port/IP/MAC endpoints 1, 2, …, i, …, n; the ASP keeps the servers, the ISP controls the IP routers, the Telco provides the wire grid.]
Intellectual services (DB, CAD, PDM, routing, switching, …) belong to the network nodes; the Telco service measures are bandwidth and delay.
Comment:
There is a “gap” in the network service space - no “intelligent” service processing at the wire level.
Does this gap become a business opportunity?
“it_is_secure” wire infrastructure
[Diagram: application network with endpoints IP/MAC 1, IP/MAC 2, …, MAC/IP i, …, MAC/IP n, drawn over the IP logical space and the MAC grid.]
“itiss” means:
• merge existing packet switching technology and access management tools with the innovative concept of an “intelligent wire” - an IP node preprocessor
• find the cost-effective decision to add the intelligent feature to the wire infrastructure
Fractel™ - Security Approach and Components & know-how
Technical aspect:
• provides multilevel packet processing which retains the current routing and access policies available in secure computer networks
Decision & know-how:
• “stealth” firewall network processor (FNP) that provides security functions “outside standard network nodes” (IPv4, IPv6, IPX, …) on the “wire level”
• cost-effective platform for packet processing on MAC, IP, TCP and application levels
Design Aspects:
Deliver hardware-level performance to a software programmable device by:
• asynchronous packet flow processing – “one hop, many functions” (content and packet filtering)
• scalable filtering performance – “one transport protocol, many security applications” (web, ftp, sql, …)
Aspect 1: Asynchronous traffic processing in the “intelligent” wire
[Diagram: nodes l and m with routers on link l and link l+1; addresses IP1, IP2, IP3 and IP4; an FNP (FNPi1 … FNPin) sits in-line on each link and runs processes p1, p2, …, pn on the passing traffic.]
Aspect 2: One control mechanism for many applications content management
[Diagram: application1, application2, … a “grid” of applications … application n over TCP/UDP; a p2p virtual connection spans nodes 0 … x, x+1 … M over the physical link, with a packet buffer and packet drops at the filtering point.]
Firewall NP (FNP) Design Principles
• Two types of network interfaces: filtering and control functions
• Cost-effective platform: standard hardware and specific control software
• Flexible and scalable management: industrial protocols (Active Directory, OpenLDAP, web control interface)
• Innovative design: patented “address less” technology
FNP Architecture
[Diagram: incoming traffic enters the stealth incoming interface(s) (1) and passes through the filtering module, whose output is =F(1,2), to the stealth outgoing interface(s) and leaves as outgoing traffic. The control interface (2) feeds the service module (authorization, UI daemon) and external storage; the sockets the service module opens depend only on the control interface (Sf=F(2), SOpen s=F(2), source). Underneath sit the OS kernel, cache hierarchy and local storage.]
FNP Hardware Platform:
• 100/1000 Ethernet port (control interface)
• 100/1000 Ethernet ports: LAN, DMZ, WAN (stealth mode) interfaces
• power switch
Scenario 1: content switching (single-box deployment)
[Diagram: Global Internet → ISP network → router or backbone switch → corporate network. The FNP-1000/4 performs content switching in-line; its control interface connects to an administrative segment with LDAP and the FNP logfiles DB. Behind it sit the web server, the ftp servers and the end-user segment.]
Scenario 2: Solution for Data Center (protection environment for complex infrastructure)
[Diagram: Global Internet → Metro WDM → Ethernet switch → switched network infrastructure (1, 2, 3, 4). Scalability: four FNP-1000/2 units in parallel. Manageability: a distinct VLAN segment with local Gigabit VLAN switches, DC admin monitor, Log DB and an internal network sensor. Availability: FNP-100/4S with a local admin monitor. The control interfaces are kept separate from the stealth interfaces that face the protected network segment.]
Scenario 3: dynamic security control (… and third-party integration)
[Diagram: public Internet → FNP-1000/4 → switch → VLAN segment; the admin and Log DB hang off the fnp control interface, with a NAS server, storage domain and ftp server behind the FNP; a Windows domain controller / Active Directory and DNS complete the picture.]
Firewall rules are generated and deleted automatically after Windows logon\logoff of the end user.
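The logon-driven rule lifecycle of this scenario, together with the filtering function F(1,2) of the architecture slide, as an added Python model (example code, not Fractel's): rules are created per logon, keyed by the workstation the user logged on from, resolved from a constructed stand-in for Active Directory / LDAP group membership, evaluated default-deny on the stealth path, and deleted on logoff. User names, addresses and the group policy are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for Active Directory / LDAP group membership and the
# destination networks each group may reach (all values are illustrative).
GROUP_POLICY = {
    "finance": [ip_network("10.0.20.0/24")],   # finance servers
    "staff": [ip_network("10.0.10.0/24")],     # web/ftp segment
}
USER_GROUPS = {"alice": ["finance", "staff"], "bob": ["staff"]}

class FnpRuleTable:
    """State pushed in through the control interface (2): one rule set per
    logged-on user, keyed by the workstation IP the logon came from."""

    def __init__(self):
        self.rules = {}  # src_ip -> (user, [allowed destination networks])

    def on_logon(self, user, workstation_ip):
        # generate the rule: resolve the user's groups to reachable networks
        nets = [n for g in USER_GROUPS.get(user, []) for n in GROUP_POLICY.get(g, [])]
        self.rules[ip_address(workstation_ip)] = (user, nets)

    def on_logoff(self, workstation_ip):
        # delete the rule; traffic from that workstation falls back to deny
        self.rules.pop(ip_address(workstation_ip), None)

    def filter(self, src_ip, dst_ip):
        """F(1, 2): verdict for a packet seen on the stealth interface (1),
        using only state supplied via the control interface (2). Default deny."""
        entry = self.rules.get(ip_address(src_ip))
        if entry is None:
            return False
        _user, nets = entry
        dst = ip_address(dst_ip)
        return any(dst in n for n in nets)

def replay(events, packets):
    """Apply constructed (kind, user, ip) events in order, then return the
    verdict for each (src, dst) packet against the resulting rule table."""
    table = FnpRuleTable()
    for kind, user, ip in events:
        if kind == "logon":
            table.on_logon(user, ip)
        else:
            table.on_logoff(ip)
    return [table.filter(src, dst) for src, dst in packets]
```

Because the verdict depends only on rule-table state, a workstation that reuses an address after another user's logoff gets nothing until its own logon event arrives.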
Summary - FNP advantages:
• Based on a patented architecture
• Delivers security appliance solutions for organizations of all types and sizes
• Supports industrial standards and third-party integration within the existing network infrastructure
• Increases the company’s productivity through the management of non-business activities
• Decreases bandwidth costs by limiting noncritical network traffic and blocking objectionable URLs and applications
• Compatible with nearly every available cost-effective hardware platform