
1 Force10 Networks Security 2007 Denver – April 11, 2007 Debbie Montano [email protected]


  • Slide 1
  • 1 Force10 Networks Security 2007 Denver April 11, 2007 Debbie Montano [email protected]
  • Slide 2
  • 2 Special Note Regarding Forward Looking Statements This presentation contains forward-looking statements that involve substantial risks and uncertainties, including but not limited to, statements relating to goals, plans, objectives and future events. All statements, other than statements of historical facts, included in this presentation regarding our strategy, future operations, future financial position, future revenues, projected costs, prospects and plans and objectives of management are forward-looking statements. The words "anticipates", "believes", "estimates", "expects", "intends", "may", "plans", "projects", "will", "would" and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Examples of such statements include statements relating to products and product features on our roadmap, the timing and commercial availability of such products and features, the performance of such products and product features, statements concerning expectations for our products and product features and projections of revenue or other financial terms. These statements are based on the current estimates and assumptions of management of Force10 as of the date hereof and are subject to risks, uncertainties, changes in circumstances, assumptions and other factors that may cause the actual results to be materially different from those reflected in our forward looking statements. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. In addition, our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make. We do not assume any obligation to update any forward-looking statements. 
Any information contained in our product roadmap is intended to outline our general product direction and it should not be relied on in making purchasing decisions. The information on the roadmap is (i) for information purposes only, (ii) may not be incorporated into any contract and (iii) does not constitute a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release and timing of any features or functionality described for our products remains at our sole discretion.
  • Slide 3
  • 3 Agenda
    • University Security Challenges
    • Force10 and P-Series Overview
    • Key Technology
    • Applications
    • Platform Details and Roadmap
  • Slide 4
  • 4 The Challenge of Security: University Networks
    • Highly skilled users (x,000 sys admins)
    • Firewall policies are difficult to match to dynamic applications
    • Diverse desktops plus wireless clients that the university cannot easily control
    • Traditional corporate threats (large-scale credit card theft, DDoS blackmail, etc.) are now faced by universities
  • Slide 5
  • 5 Trends for High Speed Security and Monitoring in Universities
    • Link speeds are increasing faster than edge and campus security systems can keep up
    • Increasing traffic and growing security threats create new requirements
    • Full security that can protect 100% of traffic without impacting performance
    • Flexibility to ensure a more efficient response to unknown or malicious traffic
  • Slide 6
  • 6 Securing 10 GbE WANs: do the following at 10 Gbps
    • Deep packet inspection ("visibility")
    • Attack detection (IDS)
    • Packet filtering (firewalling)
    • DoS and DDoS protection (traffic rate shaping and rate limiting)
    Much less so...
    • VPNs and site-to-site encryption (most likely IPsec based)
    • Bots and other large-scale worms/viruses
    • Honeypots / honeynets
    • Source port verification
  • Slide 7
  • 7 Agenda
    • University Security Challenges
    • Force10 and P-Series Overview
    • Key Technology
    • Applications
    • Platform Details and Roadmap
  • Slide 8
  • 8 Force10: Pioneers in 10 GbE Switching & Routing
    • Founded in 1999
    • First to ship line-rate 10 GbE switching & routing
    • Pioneered a new switch/router architecture providing best-in-class resiliency and density, simplifying network topologies
    • Customer base spans academic/research, data center, enterprise and service provider
  • Slide 9
  • 9 Acquisition of P-Series Platform
    • Force10 pioneered 10 GbE switching and routing
    • Vision to become the next great networking company
    • Applying high performance switching and routing innovation to network security
    • Recommended to us by leading R&E and Govt customers
  • Slide 10
  • 10 Force10 Product Portfolio: Industry Leading Density, Resiliency & Security
    • E1200: 1.68 Tbps, up to 1,260 GbE or 224 10 GbE ports
    • E600: 900 Gbps, up to 630 GbE or 112 10 GbE ports
    • E300: 400 Gbps, up to 288 GbE or 48 10 GbE ports
    • E-Series chassis in 1/6, 1/3 and 1/2 rack form factors; capacity to grow for 10+ years
    • S-Series 1-RU switches:
      • S50: 48 GbE + 2 x 10 GbE
      • S50V: 48 GbE PoE + 4 x 10 GbE
      • S25P: 24 GbE + 4 x 10 GbE
      • S2410: 24 x 10 GbE
    • P1/P10: line-rate Gbps and 10 Gbps IDS/IPS
  • Slide 11
  • 11 P-Series Development
    • Originally funded by an NSF grant
    • Subsequent application funding by:
      • USAF (design of the 10 GbE card)
      • NSA (surveillance inside IPv6 traffic)
  • Slide 12
  • 12 Agenda
    • University Security Challenges
    • Force10 and P-Series Overview
    • Key Technology
    • Applications
    • Platform Details and Roadmap
  • Slide 13
  • 13 Network Security Evolution (performance over time)
    • 1995-1999: software based, central CPU; slow, < 100 Mbps
    • 2000-2005: ASIC assist to central CPU; better filtering, active protection; GbE up to 2 Gbps
    • 2006-2008: custom hardware in an appliance; dynamic mapping of inspection policies into hardware; Force10 P-Series, line-rate 10 GbE performance; designed for 20-80 Gbps
    • 2007-2010: custom hardware integrated into modular switches & routers; full security integration on every port all the time; designed for 336-672 Gbps
  • Slide 14
  • 14 Dynamic Parallel Inspection (DPI): Delivering High Speed Network Security
    • Fundamentally new architecture at the core of the P-Series
    • DPI delivers the highest deep packet inspection scalability and flexibility in the industry
    • Apply thousands of signatures to every packet in parallel
    • Open programmability at 10 GbE delivers leading flexibility
    • Create signatures in hardware to speed processing
    • Parallel processing ensures massive rule scalability under all traffic loads
  • Slide 15
  • 15 Inside the 10 GE linecard
  • Slide 16
  • 16 1-10 Gbps Programmable Network Security
    • Open architecture to leverage open source software: more robust, more flexible, promotes composability
    • Hardware acceleration of important network applications
      • Abstract the hardware as a network interface from the OS perspective
      • Retain a high degree of programmability
      • Extend to applications beyond IDS/IPS
    • New threat models (around the corner)
      • Line-speed/low latency to allow integration in production networks
      • Unanchored payload string search
      • Support analysis across packets
      • Gracefully handle state exhaustion
    • Hardware support for adaptive information management
      • Detailed reporting when reporting bandwidth is available
      • Dynamically switch to more compact representations when necessary
    • Support the insertion of application-specific analysis code in the fast path
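Slides 14 and 16 describe three properties of the inspection engine: every packet is checked against thousands of signatures at once, payload string search is unanchored and continues across packet boundaries, and running out of per-flow state degrades gracefully. The block below is an added software model of those three properties, not Force10's P-Series code or anything from the deck: an Aho-Corasick automaton gives the single-pass, all-patterns-at-once search (the software analogue of "in parallel"), the automaton state is saved per flow so a signature split across two packets is still found, and the flow table is bounded with least-recently-used eviction so a flood of new flows costs detection on the evicted flow rather than crashing the engine. The signature set, flow 5-tuples, packet payloads and the class and function names are all constructed for this example.

```python
from collections import OrderedDict, deque


class MultiPatternMatcher:
    """Aho-Corasick automaton: one pass over a payload tests every byte
    against all patterns at once, regardless of how many patterns there are."""

    def __init__(self, patterns):
        self.goto = [{}]        # state -> {byte: next state}
        self.fail = [0]         # failure link per state
        self.out = [set()]      # patterns that end at this state
        for pat in patterns:
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(pat)
        # Breadth-first pass fills in failure links; depth-1 states fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def scan(self, state, data):
        """Resume matching from `state` and return (new_state, hits).
        Each hit is (offset, pattern); a negative offset means the match
        began in an earlier packet of the same flow (unanchored search)."""
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                hits.append((i - len(pat) + 1, pat))
        return state, hits


class FlowInspector:
    """Keeps one automaton state per flow so analysis spans packets, with a
    bounded LRU table so state exhaustion evicts old flows instead of failing."""

    def __init__(self, matcher, max_flows):
        self.matcher = matcher
        self.max_flows = max_flows
        self.flows = OrderedDict()   # flow 5-tuple -> saved automaton state
        self.evicted = 0             # how often we had to drop a flow's state

    def inspect(self, flow, payload):
        state = self.flows.pop(flow, 0)           # unknown/evicted flows start fresh
        if len(self.flows) >= self.max_flows:
            self.flows.popitem(last=False)        # evict least recently seen flow
            self.evicted += 1
        state, hits = self.matcher.scan(state, payload)
        self.flows[flow] = state                  # re-insert as most recently used
        return hits


# Constructed signature set (hypothetical, not the P-Series rule base).
SIGNATURES = [b"cmd.exe", b"/etc/passwd", b"\x90\x90\x90\x90"]


def demo_flow_scan():
    """Constructed traffic: a signature cut across two packets, a one-packet
    hit, and a third flow that overflows a deliberately tiny flow table."""
    insp = FlowInspector(MultiPatternMatcher(SIGNATURES), max_flows=2)
    a = ("10.0.0.5", "203.0.113.9", 6, 51000, 80)
    b = ("10.0.0.6", "203.0.113.9", 6, 51001, 80)
    c = ("10.0.0.7", "203.0.113.9", 6, 51002, 80)
    r = {}
    r["a1"] = insp.inspect(a, b"GET /scripts/..%c1%1c../winnt/system32/cmd")  # cut mid-signature
    r["a2"] = insp.inspect(a, b".exe?/c+dir HTTP/1.0\r\n")                    # found on the next packet
    r["b1"] = insp.inspect(b, b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n")
    r["c1"] = insp.inspect(c, b"POST /upload HTTP/1.0\r\n" + b"\x90" * 6)  # third flow evicts `a`
    r["a3"] = insp.inspect(a, b".exe again")      # `a` lost its state: no false carry-over
    r["evicted"] = insp.evicted
    return r


if __name__ == "__main__":
    for k, v in demo_flow_scan().items():
        print(k, v)
```

Offsets in `a2` are relative to that packet, so the `-3` reports that `cmd.exe` started three bytes before the packet boundary; a hardware engine that holds state per flow reports the same thing without ever reassembling the stream. Note what eviction costs: once flow `a` is dropped, a continuation that would have completed a signature is missed, which is the "graceful" trade the slide refers to, and the `evicted` counter is the metric to alarm on.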
  • Slide 17
  • 17 Agenda
    • University Security Challenges
    • Force10 and P-Series Overview
    • Key Technology
    • Applications
    • Platform Details and Roadmap
  • Slide 18
  • 18 Firewall / IDS/IPS
    • High performance (> 330K cps; 20 Gbps)
    • Unique level of programmability
      • What is IN and what is OUT? Two organizations sharing each other's services; insider attacks
      • Can define stateful policies asymmetrically or symmetrically
      • Hardcode part of the policies in hardware while keeping software-like flexibility
      • Can code specific policies directly into the fast path
    • Layer-1 invisible, 1.5 µs latency
    • True line rate (20 Gbps)
    • Drops in and out with NO L2/L3 reconfiguration
  • Slide 19
  • 19 10 GbE Inspection and Blocking: Needles & Haystacks
    • Ability to define "internal" and "external" interfaces
    • Custom rules based on traditional firewall controls (source, destination, mask, range, protocol, service & port, VLAN)
    • Stateful: allow internal hosts to open connections outward, but stop unsolicited external traffic from coming in
    • Parallel processing provides rule logic flexibility: rules can be ordered, summed, or written with explicit overrides (e.g. whitelisting)
  • Slide 20
  • 20 IPS Application
    • Industry's first IPS to support line-rate 10 GbE inspection on every packet
    • SNORT 2.0 rules compiler
    • Expansion to any rules base: Govt customers utilizing Bro; R&E customers utilizing PF firewall rules; growing list of SNORT-like variants (ACID, Bleeding Edge, etc.)
    • Resilient system architecture: inspection ports are invisible to attackers; system does not fail under high load conditions; no active components (CPU, PCI bus) in the data path
    • Used inline, offline, or as a pre-filter; mixed inspection/capture/clean/block policies
    • (Diagram labels: Good Captured Traffic, Monitoring, Packet Capture, Custom Rules, Signature Detection, Stateful Packet Firewall, Intrusion Protection)
  • Slide 21
  • 21 Over 1500 Signatures Supported: Sample IDS/IPS Signatures
    • Layer 3: IP Protocol Unknown; IP Protocol RFC1918 address; Ping of Death
    • TCP: Netbios OOB Data (Windows)
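Slides 19 to 21 together describe a policy model: interfaces declared internal or external, a stateful rule that lets inside-initiated connections return while unsolicited inbound traffic is dropped, ordered rules with explicit whitelist overrides, mixed allow/capture/block verdicts, and signature checks such as an RFC1918 source address, an unknown IP protocol, Ping of Death and NetBIOS out-of-band data. The block below is an added software model of that policy, written for this page; it is not P-Series firmware, not its SNORT rule compiler, and the rule syntax, interface names, packet fields and addresses are all constructed for the example. The signature checks are my reading of the four sample signature names on slide 21, not the vendor's definitions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just the header fields the policy needs."""
    iface: str
    src: str
    dst: str
    proto: int                  # IP protocol number: 1=ICMP, 6=TCP, 17=UDP
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()
    length: int = 64            # total IP datagram length after reassembly


INTERNAL = {"eth0"}             # assumption: eth0 faces the campus, eth1 the WAN
KNOWN_PROTOS = {1, 2, 6, 17, 47, 50, 51, 89}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def signature_hits(pkt):
    """Checks modelled on the sample signature names; returns the first hit."""
    if pkt.iface not in INTERNAL and any(ipaddress.ip_address(pkt.src) in n for n in RFC1918):
        return "RFC1918 address"          # private source arriving from outside
    if pkt.proto not in KNOWN_PROTOS:
        return "Unknown IP Protocol"
    if pkt.proto == 1 and pkt.length > 65535:
        return "Ping Of Death"            # reassembled ICMP larger than IP allows
    if pkt.proto == 6 and pkt.dport == 139 and "URG" in pkt.flags:
        return "Netbios OOB Data"         # urgent data to the NetBIOS session port
    return None


def rule_matches(rule, pkt):
    """Traditional firewall controls: interface, protocol, ports, address ranges."""
    for key in ("iface", "proto", "sport", "dport"):
        if key in rule and rule[key] != getattr(pkt, key):
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(getattr(pkt, key)) not in ipaddress.ip_network(rule[key]):
            return False
    return True


class Inspector:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # 5-tuples of connections initiated from inside

    def stateful(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if pkt.iface in INTERNAL:
            self.flows.add(key)                  # remember outbound connection
            return ("allow", "outbound, flow recorded")
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return ("allow", "established")      # reply to something we started
        return ("block", "unsolicited inbound")

    def inspect(self, pkt):
        # 1. Explicit overrides (whitelist) win over everything that follows.
        for r in self.rules:
            if r.get("override") and rule_matches(r, pkt):
                return ("allow", "override:" + r["name"])
        # 2. Signatures.
        sig = signature_hits(pkt)
        if sig:
            return ("block", "sig:" + sig)
        # 3. Ordered rules, first match wins; action may be allow, capture or block.
        for r in self.rules:
            if not r.get("override") and rule_matches(r, pkt):
                return (r["action"], "rule:" + r["name"])
        # 4. Default: the stateful internal/external policy.
        return self.stateful(pkt)


# Constructed policy (hypothetical names and networks).
RULES = [
    {"name": "partner-ssh", "action": "allow", "override": True,
     "iface": "eth1", "proto": 6, "dport": 22, "src": "198.51.100.0/24"},
    {"name": "no-ssh-in", "action": "block", "iface": "eth1", "proto": 6, "dport": 22},
    {"name": "mirror-web", "action": "capture", "iface": "eth1", "proto": 6, "dport": 80},
    {"name": "no-telnet", "action": "block", "proto": 6, "dport": 23},
]


def demo_policy():
    """Runs constructed packets through the policy and returns the verdicts in order."""
    insp = Inspector(RULES)
    pkts = [
        Packet("eth0", "10.0.0.5", "203.0.113.9", 6, 40000, 443),         # outbound from inside
        Packet("eth1", "203.0.113.9", "10.0.0.5", 6, 443, 40000),         # its reply
        Packet("eth1", "203.0.113.77", "10.0.0.5", 6, 12345, 445),        # unsolicited inbound
        Packet("eth1", "198.51.100.7", "10.0.0.10", 6, 5000, 22),         # whitelisted partner
        Packet("eth1", "203.0.113.50", "10.0.0.10", 6, 5000, 22),         # anyone else on ssh
        Packet("eth1", "203.0.113.9", "10.0.0.8", 6, 5555, 80),           # web, mirrored for capture
        Packet("eth1", "192.168.1.1", "10.0.0.5", 17, 53, 53),            # private source from WAN
        Packet("eth1", "203.0.113.9", "10.0.0.5", 253),                   # unknown IP protocol
        Packet("eth1", "203.0.113.9", "10.0.0.5", 1, length=70000),       # oversized ICMP
        Packet("eth1", "203.0.113.9", "10.0.0.5", 6, 5000, 139, frozenset({"URG"})),
    ]
    return [insp.inspect(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo_policy():
        print(verdict)
```

Two design points worth noticing: the RFC1918 check is only applied on the external side, because the same private source is perfectly normal on the campus interface, which is exactly why the slides insist on declaring which interfaces are internal; and overrides are evaluated before both signatures and ordered rules, so a whitelisted partner keeps working even if a later rule or a noisy signature would have dropped it.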