VortiQa Software for Enterprise / SMB / Residential Networking Equipment

Transcription

1 July 2009 VortiQa Software for Enterprise / SMB / Residential Networking Equipment Satish Swarnkar, Director of Engineering Pravin Kantak, Engineering Manager Software Products Division, Networking and Multimedia Group service names are the property of their respective owners. Freescale Semiconductor, Inc

2 VortiQa Software Announced on June 15, 2009 VortiQa software: a new brand of Freescale software for networking equipment that helps accelerate product development and increase the pace of innovation \vór ti ka\: A whirlwind of innovation Four new VortiQa product lines of production-ready software applications: VortiQa software for service provider equipment VortiQa software for enterprise network equipment VortiQa software for small business gateways VortiQa software for SOHO/Residential gateways A comprehensive solution-centric approach for networking applications in targeted vertical segments: Silicon QorIQ and PowerQUICC communications processors Software VortiQa software products Expanded Ecosystem - hardware, OS, ISVs, system integrators service names are the property of their respective owners. Freescale Semiconductor, Inc

3 Challenges for Network Equipment Vendors Complex networks need rich and comprehensive security solutions Threats on rise Need unified threat management solution with firewall, IPS, Anti-X and secure VPN and with fine-grained access control to: Prevent attacks Ensure data confidentiality Prevent viruses and stop spam INTERNET ENTERPRISE NETWORK Web Confidential MARKETING SUBNET Performance Threats from within the core (inside) and from external world raise the bar on performance requirements with Gigabit speeds of traffic MALICIOUS HACKERS App CENTRAL SERVICES FINANCE SUBNET Complex multicore silicon needs highly optimized and tuned software solution in short time frame For faster time to market Potpourri of software stacks and products makes maintenance difficult VortiQa software offers: Protection from external and internal attackers Stateful Protocol Analysis with ability to detect and prevent the attacks service names are the property of their respective owners. Freescale Semiconductor, Inc

4 Challenges for Network Equipment Vendors Complex networks need rich and comprehensive security solutions Threats on rise Need unified threat management solution with firewall, IPS, Anti-X and secure VPN and with fine-grained access control to: Prevent attacks Ensure data confidentiality Prevent viruses and stop spam INTERNET ENTERPRISE NETWORK Web Confidential App security hole: Patch unavailable MARKETING SUBNET Insider Attacks Performance Threats from within the core (inside) and from external world raise the bar on performance requirements with Gigabit speeds of traffic Complex multicore silicon needs highly optimized and tuned software solution in short time frame For faster time to market Potpourri of software stacks and products makes maintenance difficult MALICIOUS HACKERS DoS Attacks Application Attacks OS Finger Printing Attacks Anti-NIDS Attacks Application security hole: Patch not applied App CENTRAL SERVICES FINANCE SUBNET VortiQa software offers: Protection from external and internal attackers Stateful Protocol Analysis with ability to detect and prevent the attacks Dishonest Employee Trojan Attack service names are the property of their respective owners. Freescale Semiconductor, Inc

5 VortiQa Software for Network Equipment VortiQa software for Enterprise, SMB and Residential network equipment Unified Threat Management system is defined as an integrated network security device implementing: Firewall Intrusion Prevention Network Anti-Virus IPsec VPN Traffic Management () High performance solution in a System Completely leveraging hardware features SEC, PME, Quick Engine etc. Field Proven Solution with ecosystem support Faster time to market Engineering Support teams supporting Customer s engineering teams service names are the property of their respective owners. Freescale Semiconductor, Inc

6 Software for Service Provider Equipment Software for Enterprise Equipment Software for Small Business Gateways Software for SOHO / Residential Gateways Freescale Silicon QorIQ processors (P4080) PQIII and QorIQ processors (8377E, 8572E, P2020, P4080) PQIII and QorIQ processors (8377E, P2020) PQIII and QorIQ processors (8315E, 8314E, P1020) VortiQa Software Products Overview Delivers integrated networking and security functionality Example Applications Multi-service edge routers, Switches, Wireless infrastructure, security gateway Enterprise U, security appliances, secured routers and switches Multi-service business gateways xdsl, PON, FTTH, and other CPE devices Key Features Networking protocols L2 or L3 Stateful Packet Inspection Firewall, NAT IPSec VPN + IKEv1 + IKEv2 Stateful deep packet inspection: P2P filtering Protocol Anomaly Traffic Anomaly QoS / Traffic Management Networking protocols L2 or L3 SPI Firewall support IPSec Enterprise VPN + IKEv + IKEv2 Stateful deep packet inspection: P2P filtering Protocol Anomaly Traffic Anomaly QoS / Traffic Management Anti-Virus and Anti-Spam HA Support Networking protocols Advanced IPSec VPN + IKE supports SPI Firewall + Advanced NAT features + Dual WAN with Load balancing / Fail Over Optional service provider provisioning Networking protocols SPI Firewall + NAT + Residential Gateway IPSec VPN Optional service provider provisioning service names are the property of their respective owners. Freescale Semiconductor, Inc

7 How QorIQ Platforms and VortiQa Products Align QorIQ Platforms/Products QorIQ P5 QorIQ P4 PRODUCTS: P4080 QorIQ P3 QorIQ P2 PRODUCTS: P2020 P2010 QorIQ P1 PRODUCTS: P1020 P1010 P1011 VortiQa Software for Service Provider Metro Carrier Edge Router Equipment Unified Threat Management Service Provider Routers Converged Media Gateway Integrated Services Router VortiQa Software Products IMS Controller VortiQa Software for Enterprise Equipment VoIP Carrier-Class Media Gateway Network Admission Control SSL, IPSec, Firewall Network Attached Storage Radio Network Control VortiQa Software for Small/Medium Business Gateways Wireless Media Gateway Storage Networks Access Gateway Home Media Hub Serving Node Router (GSN) VortiQa Software for SOHO/ Residential Gateways Basestation service names are the property of their respective owners. Freescale Semiconductor, Inc

8 Architecture: VortiQa Software for Enterprise Network Equipment service names are the property of their respective owners. Freescale Semiconductor, Inc

9 Architecture: VortiQa Software for Enterprise Network Equipment SSLVPN Reverse Proxy Socks App Tunnel L2 Tunnel Portal CMS/Embedded Management: CLI, HTTP, LDSV, SYSLOG, , SNMP AV/AS SMTP/S Proxy POP3/s Proxy HTTP Proxy FTP Proxy AV DB AS DB IPS Manager IKEv1/v2 PKI (SCEP, OCSP, LDAP) XAUTH, EAP IRAC IRAS Authentication Services LDAP Client RADIUS Client Local User Space SPI Firewall Inline IPS IPSec VPN SSLVPN Anti-Virus Anti-Spam TCP/ IP Firewall Policy Mgmt Session Management and Packet processing Traffic Policing Transparent Proxy Support Application Level Gateway Drop-in Clustering Intrusion Detection/ Prevention Engine Ethernet, Bridging and WAN Protocols IPSec Packet Processing Traffic Shaping Kernel Space Routing QoS Transparent mode support High availability (active-backup) Hardware Layer Clustering (activeactive) Ethernet Controllers Crypto Acceleration Pattern Matching Acceleration service names are the property of their respective owners. Freescale Semiconductor, Inc

10 Firewall Architecture Stateful inspection firewall Defense against DoS & DDoS attacks Access Policy enforcement Application level filtering & cookie filtering Event logging (SMTP client, syslog client) Comprehensive configuration Granular, user specific policies Traffic type, protocol/port, Source/ destination, time of the day, as well as authentication based access System-wide policies Comprehensive NAT w/ ALGs ALGs (application layer gateways) Enterprise Application SQL*Net Communications SIP, MSN Standard Protocols - FTP Administration Management Engine Syslog Support Export log Web Based Configuration CLI Event Log Network Access Statistics NAT with ALG Support Stateful Inspection Engine Weekly Activation Schedule Network Access Policy Manager Application Specific Content Filtering Network Access Policy Engine User Specific Access Policies System Wide Access Policies CyberDefense Engine Dynamic Remote User Access Ping of IP Spoofing Reassembly Attacks DoS Attacks Death Smurf WinNuke Land ICMP Redirects IP Source Routing service names are the property of their respective owners. Freescale Semiconductor, Inc

11 Freescale Inline IPS sensor Advanced detection techniques with stateful application intelligence Greater accuracy over traditional IPS Reduced false positives & High performance Protocol anomaly detection Embedded Manager Comprehensive configuration capabilities with support for rule editing Extensive Reporting Centralized signature updates Freescale produces IPS signature updates Provides centralized update capabilities IP Reassembly IPS Architecture Inline IPS Manager and Administration Management Cyber Defense Engine Session Classification Engine Rule Parsing Engine Stateful Application Engine POP3 Engine IMAP Engine SNMP Engine FTP Engine APC Engine NNTP Engine HTTP Engine SMTP Engine DNS Engine TCP Resequencing IP Layer Engine Content Search Engine Traffic Anomaly Transport Layer Engine (TCP,UDP, ICMP) service names are the property of their respective owners. Freescale Semiconductor, Inc

12 IPsec VPN Architecture Proven interoperability Time tested in the field VPN protocol support Layer 3: IPSec, IKEv1 and v2 Layer 2: PPTP and L2TP PKI and Certificates: Support for X.509v3 including SCEP, OCSP, PKCS 7,10 and LDAP client for CRL retrieval Advanced Features Granular policy management for specific protocols DPD(Dead peer detection), DPTD (Dead peer tunnel detection) NAT traversal Hardware encryption accelerator support RADIUS Client LDAP Client OCSP Client SECP Client XAuth NGM Mode Config IKE Policy Certificate IKE-IPSec Manager Manager APIs BSD Sockets ISecPDri IPsecDrv UDP Interface IP Layer ICMP Interface Public Key Crypto APIs Software Crypto Library Link Layer PKEP Driver Public Key Encryption Processor Physical Layer IKEv1 and V2 Engine IPSec APIs TPSec Engine SPD SAD MKMD AH/ESP Symmetric Key Crypto APIs SKEP Driver Software Crypto Library Symmetric Key Encryption Processor EAP Inline Accelerator Interface service names are the property of their respective owners. Freescale Semiconductor, Inc

13 Packet Tap Interface with Linux Packet Reception VortiQa software registers to pre-routing netfilter hook Hardware interrupt context, Packets queued to CPU specific queues at dev layer Hardware interrupts acked immediately Either Hardware Interrupt or Ksoftirqd executes RX_PACKET softirq routine TCP/IP, VortiQa software code are executed in the context of Hardware Interrupt Or ksoftirqd No blocking calls in VortiQa software code Local out packets are collected at Post-Route hook Packet Transmission VortiQa software utilizes Linux TCP/IP route lookups, interface related API VortiQa software invokes IP layer Transmit routine directly to send out packet on a given interface NetFilter Hooks TCP/IP Socket Layer Dev Layer VortiQa Software Ethernet / WAN Drivers Networking Hardware service names are the property of their respective owners. Freescale Semiconductor, Inc

14 Packet Processing Control Flow VortiQa software modules IPsec- VPN, IPS, Traffic Mgmt register with Firewall ecosystem VortiQa software Core Module Firewall captures packets from TCP/IP stack After firewall functionality (Policy Enforcement, Attack verifications) done, Firewall Eco-system dispatches packets to registered modules in priority basis IPsec-VPN, IPS may use their Hardware Eco-system interface to utilize Hardware Accelerator services Each module may consume or return packets to Firewall Eco-system Firewall Eco-system finally dispatches packets out SSLVPN Linux TCP/IP Stack AntiX Firewall with Eco-system Interface IPS IPsec VPN HW Accelerator Eco-System Glue Layer HW Accelerator Traffic Mgmt Accelerators IPsec/IKE: Crypto Accelerators Plain Crypto IHAPPI In-line PKI IPS: Pattern Matching Accelerators DFA service names are the property of their respective owners. Freescale Semiconductor, Inc

15 Packet Processing Control Flow (Cont ) Typical data packet processing flow: Traffic Policing* Firewall IPS* AV/AS * IPsec* Traffic Shaping* SSLVPN Firewall AV/AS IPS IPsec IKEv1/ IKEv2 Traffic Policing Traffic Shaping Ingress Egress Note: * Enabled through configuration Supported protocols: HTTP, SMTP & POP3 service names are the property of their respective owners. Freescale Semiconductor, Inc

16 Management Infrastructure All management applications use the same management APIs Kernel space modules make their management APIs available through pseudo-driver IOCTL/Command IDs. User land processes make their management APIs available through wrapper layer over loopback sockets IPC/Wrapper layer transports the configuration commands appropriately to kernel/user space modules As kernel space APIs may modify the data structures used by packet path, proper synchronization should be implemented On a SMP architecture, spinlocks are used to protect configuration changes CLI Web GUI Character Pseudo-driver Kernel Modules CMS LDSV SNMP Management APIs IPC/Wrapper Layer Loopback Sockets User land Modules service names are the property of their respective owners. Freescale Semiconductor, Inc

17 Performance Consideration service names are the property of their respective owners. Freescale Semiconductor, Inc

18 Performance & Requirements Requirement Perimeter threats emerging from public Internet Core threats emerging from internal protected networks Gigabit Ethernet ports connecting to desktops and servers L3 switches providing security Performance issues Deep packet / data inspection and protocol inspection Traditional specialized ASIC providing data path solution are not sufficient Critical performance metrics: Throughput, Latency and Session rate service names are the property of their respective owners. Freescale Semiconductor, Inc

19 Symmetric Multiprocessing in Multicore Silicon Symmetric Multi-Processing (SMP) Usage Improve performance using Linux SMP architecture Multiple processor usage by VortiQa software for enterprise Linux Kernel components Multiple pthreads in user level process Load Distribution CPU affinity Receive Side Scaling Processor 3 Processor 2 Processor 1 VortiQa Processor 0 Software VortiQa Software VortiQa Software VortiQa Software Linux Interrupt Scheduler Network Controller Network Controller Network Controller Network Controller service names are the property of their respective owners. Freescale Semiconductor, Inc

20 Hardware Accelerators Accelerators Usage Improve performance with offloading repetitive CPU intensive tasks VPN: Crypto accelerators Plain Crypto Accelerators IHAPPI Inline PKI Accelerators Firewall: Data path accelerator Table Look up Quick Engine IPS: Regular expression pattern match accelerators. IPS: Providing pre-screening capabilities in the data path Firewall IPS IPsec VPN HW Accelerator Eco-System Glue Layer HW Accelerator service names are the property of their respective owners. Freescale Semiconductor, Inc

21 Software Optimization Techniques Data structure design for search operations Session Search Hash lists Number of buckets tunable Linked list and binary tree for collision elements Instance search Index based ( No linked list or array searches) Rule categorization (In IPS) is based on transport, application protocol and protocol stages No buffer copy epoll (instead of poll/select) usage in socket based applications State machine oriented Multiple sessions in one thread Avoids memory allocations in the data path Efficient code and data cache usage SMP Minimum number of SMP locks in data path around granular code. Session Parallelization Only one processor at any time processes firewall, IPS or VPN sessions. Packets are queued to backlog queue of each session by other processors during this time. No binding of processor to the sessions. Runs most of packet processing in softirq context to reduce the context switches. service names are the property of their respective owners. Freescale Semiconductor, Inc

22 Comprehensive VortiQa Software Solution and Deployment Scenarios service names are the property of their respective owners. Freescale Semiconductor, Inc

23 Enterprise Deployment ENTERPRISE NETWORK Logging Console Admin Console Domain 4 Other Internal Users MARKETING SUBNET Marketing Users Internet Domain 2 MALICIOUS HACKERS VortiQa Software BRANCH OFFICE DoS Attacks Access Control Lists Domain 1 Confidential Data Domain 3 Finance Users HOMEOFFICE App EDI Web Confidential Data FINANCE SUBNET Trojan Attack TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data service names are the property of their respective owners. Freescale Semiconductor, Inc

24 MPC8572E Up to 1500MHz Dual- e500 core; 1MB L2, 800 Mhz DDR2/3, PCI-Express, 4xGbE, USB SRIO, Logging Console Admin Console Enterprise Deployment ENTERPRISE NETWORK Domain 4 Other Internal Users MARKETING SUBNET Marketing Users Internet Domain 2 MALICIOUS HACKERS VortiQa Software BRANCH OFFICE DoS Attacks Access Control Lists Domain 1 Confidential Data Domain 3 Finance Users HOMEOFFICE App EDI Web Confidential Data FINANCE SUBNET Trojan Attack TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data service names are the property of their respective owners. Freescale Semiconductor, Inc

25 P4080E Up to 1500MHz 8 Cores; 1 MB L2, DDR2/3, PCI-Express, 10G/GbE, USB DPAA, Logging Console Admin Console Enterprise Deployment ENTERPRISE NETWORK Domain 4 Other Internal Users MARKETING SUBNET Marketing Users Internet Domain 2 MALICIOUS HACKERS VortiQa Software BRANCH OFFICE DoS Attacks Access Control Lists Domain 1 Confidential Data Domain 3 Finance Users HOMEOFFICE App EDI Web Confidential Data FINANCE SUBNET Trojan Attack TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data service names are the property of their respective owners. Freescale Semiconductor, Inc

26 Enterprise Deployment ENTERPRISE NETWORK Logging Console Admin Console Domain 4 Other Internal Users MARKETING SUBNET Marketing Users Internet Domain 2 MALICIOUS HACKERS VortiQa Software BRANCH OFFICE DoS Attacks Access Control Lists Domain 1 Confidential Data HOMEOFFICE App EDI Domain 3 Finance Users MPC8548 FINANCE SUBNET Web Up Confidential to 1500MHz Single Core; 512KB L2, Data DDR2/3, PCI-Express, 4xGbE, USB SRIO, Trojan Attack TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data service names are the property of their respective owners. Freescale Semiconductor, Inc

27 Enterprise Deployment ENTERPRISE NETWORK Internet Logging Console Admin Console Domain 4 MPC8315 MARKETING SUBNET Marketing Users Other Internal Users 400MHz 2 x GigE (SGMII) PCI, PCI-Exp USB, DDR1/2, Domain 2 400MHz MALICIOUS HACKERS VortiQa Software BRANCH OFFICE DoS Attacks Access Control Lists Domain 1 Confidential Data Domain 3 Finance Users HOMEOFFICE App EDI Web Confidential Data FINANCE SUBNET Trojan Attack TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data service names are the property of their respective owners. Freescale Semiconductor, Inc

28 Datacenter Deployment Farm Aggregation Switches With VortiQa Software Core Switches With VortiQa Software Internet service names are the property of their respective owners. Freescale Semiconductor, Inc

29 Datacenter Deployment Farm Aggregation Switches With VortiQa Software Core Switches With VortiQa Software P4080E Up to 1500MHz 8 Cores; 1 MB L2, DDR2/3, PCI-Express, 10G/GbE, USB DPAA, Internet service names are the property of their respective owners. Freescale Semiconductor, Inc

30 Datacenter Deployment Farm Aggregation Switches With VortiQa Software Core Switches With VortiQa Software MPC8572E Up to 1500MHz Dual- e500 core; 1MB L2, 800 Mhz DDR2/3, PCI-Express, 4xGbE, USB SRIO, Internet service names are the property of their respective owners. Freescale Semiconductor, Inc

31 Datacenter Deployment Farm Aggregation Switches With VortiQa Software Core Switches With VortiQa Software Internet service names are the property of their respective owners. Freescale Semiconductor, Inc

32 SMB Deployment Branch Office VortiQa Software for Enterprise Networks VPN Tunnel Internet SMB Network Telecommuters & Road Warriors service names are the property of their respective owners. Freescale Semiconductor, Inc

33 SMB Deployment Branch Office VortiQa Software for Enterprise Networks VPN Tunnel Internet MPC8378E MPC8377E SMB Network MHz 2 x GigE (SGMII) PCI, PCI-Exp USB, DDR1/2,, SATA 667MHz Telecommuters & Road Warriors service names are the property of their respective owners. Freescale Semiconductor, Inc

34 SMB Deployment Branch Office VortiQa Software for Enterprise Networks VPN Tunnel Internet P2020 Dual e500 Core, MHz 512 KB L2 Cache SMB Network Telecommuters & Road Warriors service names are the property of their respective owners. Freescale Semiconductor, Inc

35 SMB Deployment Branch Office VortiQa Software for Enterprise Networks VPN Tunnel Internet SMB Network Telecommuters & Road Warriors service names are the property of their respective owners. Freescale Semiconductor, Inc

36 Summary and Q&A service names are the property of their respective owners. Freescale Semiconductor, Inc

37 VortiQa software on QorIQ and PowerQUICC processors Summary Answer to challenges faced by the network equipment vendors Guard against elevated and sophisticated threats. Highly optimized & performance tuned solution to get the most out of silicon & its capabilities Accelerate time to market with a comprehensive system solution not just silicon or software Support from the developers who have experience with silicon and software Expanded ecosystem working with independent vendors service names are the property of their respective owners. Freescale Semiconductor, Inc

38 Q&A Thank you for attending this presentation. We ll now take a few moments for the audience s questions and then we ll begin the question and answer session. service names are the property of their respective owners. Freescale Semiconductor, Inc

39