Rethinking the Network With X-Series
Nathan Brady – Technical Marketing
Blue Coat Confidential
Typical Defense-in-Depth Strategy
[Diagram: the appliance stack between the Internet and the core]
• High-speed edge routers
• Defense in depth: firewalls, IPS, antivirus, content and URL filtering, and other security services
• Layer 2 switches for interconnectivity
• Application load balancers for scalability / flow management
• Internet core or distribution layer routing
© Blue Coat Systems, Inc. 2012
Consolidating with Next-Generation Firewalls
Consolidate all of these devices… onto this new pair of NGFW devices.
Next-generation firewalls promise outstanding device consolidation, but raise questions…
“Will the all-in-one features in an NGFW appliance satisfy my security needs?”
“Will NGFW appliances meet current and future performance needs of my network?”
Next-Generation Firewall Benefits
• Fewer devices
• Less network complexity
• Reduced CAPEX and OPEX
• Increased availability
Can NGFW Appliances Keep Up?
[Chart: Performance Impact of Security on NGFW Appliances. Y axis: Throughput (Gbps), 0 to 70. X axis: Security Features Enabled. Series: Juniper SRX, Check Point, Palo Alto, Fortinet. Annotations: great large packet performance; use realistic protocols and traffic sizes; enable light-duty IPS; identify users and applications.]
…based on datasheet numbers* with optimal port configuration, small policies, no redundancy, few IPS features, and no logging.
*As of March, 2012
A Constellation of Metrics
Vendor data sheets list a few metrics, but each independently. But what about other metrics? How does each of these impact network performance?
[Diagram of interrelated metrics: connections per second, concurrent connections, packet sizes, protocol mix, application features enabled, security applications deployed, network performance]
Security infrastructure should be able to adapt to changing metrics and requirements.
Security is Processing Intensive
[Chart: Performance/Security Trade-off. Y axis: Performance. X axis: Realism & Security Features. Left end: very little inspection, large packets. Right end: realistic traffic inspected thoroughly.]
True for many services
• Firewall
• Intrusion Prevention
• Data Loss Prevention
• Web, Database, and Application firewalls
• Antivirus
This effect is multiplied for Next Generation Firewall devices performing multiple security functions.
Changing Network and Security Landscape
[Chart: Next Generation Firewall Performance. X axis: Security Features; Y axis: Performance. Security Requirements grow from FW to FW + IPS + LB while Performance Requirements grow from 10 Gbps to 20 Gbps.]
Strategies for Scaling Appliances
Still a complex mesh of several appliances. NGFW appliances often create the same problem they were intended to solve.

Physical Segmentation
  Advantages: Lower CAPEX; Easy to troubleshoot; Simplified switching
  Disadvantages: No scalability within segments; Scaling changes network architecture; Complex routing tables; High operational costs

Load Balancing
  Advantages: Scales linearly; Scaling does not affect architecture; Simplified routing tables
  Disadvantages: Complex switching and load balancing; Difficult to troubleshoot; High capital costs; High operational costs
The X-Series Strategy
X-Series creates a “Network in a Box”
• Network Processor Modules
• Application Processor Modules
• Control Processing Modules
X-Series provides unprecedented consolidation and scalability in a single chassis.
[Diagram: the L2, LB, FW and IPS layers of the earlier mesh collapsed into one chassis connected to the Internet]
Network Processing Module (NPM)
[Pictured: NPM 9650]
 Provides Switching Fabric for Data Plane
• Switching fabric connects all NPMs and APMs
• 9600 series provides 10 to 40 Gb/s per module
• 8600 series provides 5 to 10 Gb/s per module
• Up to 140 Gbps of non-blocking backplane
 Flexible Physical Network Interfaces
• Multiple configurations available from 10xGbE to 16x10GbE
• All ports are hot-pluggable, standard SFP, SFP+, XFP form factor
 Distributes Traffic Efficiently and Intelligently
• Scales by distributing traffic across APMs and processing cores
• Automatically redistributes load around failed resources
 Consolidates Network Infrastructure
• Virtualizes switches, load balancers, patch & power cords
• Eliminates common network devices found in security infrastructure
Application Processing Module (APM)
[Pictured: APM-9600]
 Hosts Applications
• Responsible for running the security application(s)
• Can be pooled into a “Virtual Application Processor Group” (VAP Group)
• Dynamically provisioned - no local configuration
 Scales Performance
• Multiple APMs in a VAP Group share load to scale performance
• APM 8650: 4 Core and 8 Core configurations, up to 16 GB RAM
• APM 9600: 12 Core configuration, up to 24 GB RAM
 Maintain Defense in Depth
• Layer multiple VAP Groups with different security applications
• NPM’s network virtualization provides connectivity between layers
 Provides Application Redundancy
• VAPs can run on any APM
• APMs can be re-provisioned on-the-fly
• Un-provisioned APMs automatically assume warm-standby role
Control Processing Module (CPM)
[Pictured: CPM-9600]
 System Management
• Provides out-of-band management of the chassis through dedicated backplane and management ports
• Centralized configuration for all elements in the system
 Provision Applications Easily
• Define VAP groups and install applications centrally
• Automatically provisions the right resources for the application
• Hosts a dedicated file system for each Application Processor
 Health Monitoring
• Continuously checks health and collects statistics on all modules (available through SNMP or web interface)
• Dynamically provisions new resources to replace failed resources
System Architecture
[Block diagram, labels grouped by module:]
• APM: Linux application; non-Linux application in a KVM VM; XOS Linux; CPUs & memory; high-performance network flow distribution interface
• CPM: provisioning; management; storage; XOS Linux; CPUs & memory; control I/O; 1GE local I/O
• NPM: flow classification; flow distribution (FPGAs, network processor); XOS Linux control; switch ASIC; management; 1GE & 10GE network interfaces
X-Series Flexibility
[Chart: X-Series System Performance. X axis: Security Features; Y axis: Performance. Security Requirements grow from FW to FW + IPS while Performance Requirements grow from 15 Gbps to 30 Gbps.]
System Specs At-a-Glance

NPM Version                  | NPM 8620                    | NPM 8650                    | NPM 9600
Network Throughput           | 5 Gbps                      | 10 Gbps                     | 40 Gbps
Packet Forwarding Rate (PPS) | 7 Mpps                      | 12 Mpps                     | 40 Mpps
Maximum Connections          | 8 Million / 40 Million (8G) | 8 Million / 40 Million (8G) | 18 Million / 100 Million
Connection Setup Rate        | 65,000 CPS                  | 130,000 CPS                 | 130,000 CPS

APM Version                  | APM 8650 4 Core                    | APM 8650 8 Core                    | APM 9600
# Processing Cores           | 4 CPU Cores per Module             | 8 CPU Cores per Module             | 12 CPU Cores per Module
IP Forwarding Packet Rate    | 1.7 Mpps                           | 2.2 Mpps                           | 7.0 Mpps
Fabric Connection Speed      | 12.8 Gbps                          | 12.8 Gbps                          | 20 Gbps
Memory                       | 4 GB Standard (Upgradable to 16 GB) | 8 GB Standard (Upgradable to 16 GB) | 12 GB Standard (Upgradable to 24 GB)
Hard Drive                   | Diskless design; optional up to 2 HDDs available with RAID
Architecture Redundancy X60 / X80-S
Crossbeam’s Virtual Infrastructure has created a design with no single points of failure:
• Backplane trace redundancy
• CPM (Control) redundancy
• NPM (Network) redundancy
• APM (Application) redundancy
• Fan redundancy
• Power redundancy
Self-healing with Hot Standby
Original configuration: 4 Firewall APMs, 3 IPS APMs, 1 Stand-by APM.
One Firewall APM experiences a problem. The Stand-by APM automatically takes the Firewall APM’s profile.
“No more emergency wake-up calls at 3AM to replace appliances”
[Diagram legend: Firewalls, IPS, Stand-by]
Self-healing via Prioritization
Original configuration: 4 Firewall APMs, 4 IPS APMs. Firewalls are Priority 1, IPS is Priority 2.
One Firewall APM experiences a problem. An IPS APM automatically takes the Firewall APM’s profile, based on priority.
“Automate self-healing to fit your business”
[Diagram legend: Firewalls (Priority 1), IPS (Priority 2)]
Greenlight Element Manager
A visual, information-rich interface to your X-Series.
• Application and system software information
• Chassis utilization and usage statistics
• Power supply and fan status
• Efficiency and capacity planning statistics
Modular Chassis

                                  | X60                               | X80-S
Network Connectivity (Maximum)    | 32 Ten Gigabit / Gigabit Ethernet | 64 Ten Gigabit / Gigabit Ethernet
Network Throughput                | 68 Gbps                           | 140 Gbps
Packet Rate (PPS)                 | 21 Million                        | 54 Million
Concurrent Connections            | 40 Million                        | 100 Million
Connection Setup Rate (CPS)       | 180,000                           | 320,000
Check Point R75 FW+IPS Throughput | 68 Gbps                           | 135 Gbps
Flexible Chassis

                                  | X20                  | X30                              | X50
Network Connectivity (Maximum)    | 10 Gigabit Ethernet  | 10 Gigabit + 2 10Gb Ethernet     | 16 Ten Gigabit / Gigabit Ethernet
Network Throughput                | 5 Gbps               | 10 Gbps                          | 17.5 Gbps
Packet Rate (PPS)                 | 4.4 Million          | 4.4 Million                      | 11 Million
Concurrent Connections            | 8 Million            | 8 Million                        | 18 Million
Connection Setup Rate (CPS)       | 110,000              | 110,000                          | 115,000
Check Point R75 FW+IPS Throughput | 5 Gbps               | 10 Gbps                          | 17 Gbps
X-Series Key Values
Consolidation
House multiple security applications in a single chassis.
Scale each application to meet performance demands.
Adaptability
Add, remove, or change applications on a common hardware platform.
Provision resources where and when they are needed.
Availability
Self healing architecture.
5-9’s high availability in a single chassis, 7-9’s with dual chassis.
Operational Efficiency
Dramatically reduce maintenance time and effort.
Manage and monitor the security environment from a common interface.
Please provide feedback on this webcast to: [email protected]
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
Blue Coat Confidential – Internal Use Only