4
High Performance Network Security Appliances April 2010 A quick brief on how a new approach to network security appliance development can lead to significant performance gains without breaking the bank! By combining the latest generation of standard PC servers with Intelligent Real-Time Network Analysis adapters, OEM appliance manufacturers can reduce cost, risk and time-to-market, while also improving the performance of 1 Gbps and 10 Gbps network security appliances. In particular, Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Security Information and Event Management (SIEM) appliance vendors can use this approach to meet the challenges of securing 10 Gbps networks, while also re-focusing their efforts on application and presentation software features that provide competitive advantage.

DN-0368 High Performance Network Security Appliances

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: DN-0368 High Performance Network Security Appliances

High Performance Network Security Appliances

April 2010

A quick brief on how a new approach to network security appliance development can lead to significant performance gains without breaking the bank!

By combining the latest generation of standard PC servers with Intelligent Real-Time Network Analysis adapters, OEM appliance manufacturers can reduce cost, risk and time-to-market, while also improving the performance of 1 Gbps and 10 Gbps network security appliances.

In particular, Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Security Information and Event Management (SIEM) appliance vendors can use this approach to meet the challenges of securing 10 Gbps networks, while also re-focusing their efforts on application and presentation software features that provide competitive advantage.

Page 2: DN-0368 High Performance Network Security Appliances

WHITE PAPER

2

High Performance Network Security Appliances

Network security appliances are an essential part of any enter-

prise’s network security strategy. Firewalls, Intrusion Detection

& Prevention Systems (IDS/IPS) and Security Information and

Event Management systems ensure that threats are stopped

before they reach clients and otherwise wreak havoc on enter-

prise networks.

Demands on network security appliances are increasing as we

move to even faster Ethernet and IP networks, such as 10 Gbps

networks. More and more services are moving to IP, which is

driving the need for more bandwidth, but also increases the

pressure on network security appliances to keep up. Real-time

services, such as VoIP, IP video streaming, teleconferencing and

many cloud computing services cannot tolerate packet loss or

latency. At 10 Gbps, making sure that network security applianc-

es will not impact these services is critical.

For example, at two times 10 Gbps (two ports on an 10GbE

in-line device) up to 30 million packets per second need to be

captured, analyzed in real-time and, in the case of in-line

appliances, re-transmitted if there are no issues. That’s a packet

every 33ns! Needless to say, this is a significant challenge and

throughput (how many packets or bits can be processed by

the network security appliances at a time) is a key benchmark.

According to Frost & Sullivan, there is a strong correlation

between throughput and the price of a network security

appliance:

Figure 1: PRICE PER THROUGHPUT COMPARISON FOR IDS/IPSTotal IDS/IPS Market: Network IDS/IPS Appliance Average of Throughput per Price Band (World), 2006. Note: All figures are rounded: the base year is 2006. Source: Frost & Sullivan.

In other words, the more you can process, the more value your

network security appliance provides. As the data infers, not

all network security appliances can provide full throughput.

The challenge can be broken down into two key elements:

• Getting data in and out of the appliance as efficiently as

possible

• Harnessing as much processing power as possible to

process data

Systems exist that can meet these demands, but they are often

based on proprietary hardware designs and can be expensive to

develop and maintain. There is another way, which can provide

the same performance (or even better) with lower development

cost, maintenance, risk and time-to-market.

DN-0368 Rev. 3

0

20.000

40.000

60.000

80.000

100.000

120.000

140.000

160.000

Price in USD

5+Gps

2 Gps1 Gps600Mps

400Mps

100Mps

1G to 5G =USD 80,000

50Mps

10Mps

Page 3: DN-0368 High Performance Network Security Appliances

3

The answer is to adopt a Universal Network Appliance approach.

A Universal Network Appliance uses standard, off-the-shelf

commercial products to provide a generic network appliance

platform that can be applied to a number of applications,

including the network security applications listed above.

The key components are:

• A standard PC server based on the latest generation of

processing chips

• An intelligent real-time network analysis adapter for fast

and efficient data input/output

Dell, HP, Intel, IBM and Cisco and others provide very powerful

standard servers today often based on AMD or Intel chipsets

(e.g. Intel Nehalem multi-CPU core chip architecture) . These

servers, which can be obtained for a few thousand dollars,

provide unprecedented processing power and efficient memory

architectures. In addition, investment in these servers and

chip architectures is driven by a much larger market ensuring

continuous innovation and lower prices relative to performance.

However, the key to unlocking this potential is an efficient data

input/output mechanism that will ensure that:

• All received packets can be captured, analyzed and re-

transmitted in real-time

• No packets are lost

• No processing power is used by the server in handling data

input/output

• An efficient transfer mechanism is in place that makes

optimal use of multiple CPUs

Network Interface Cards (NIC), which are normally used by

standard servers for data input/output, struggle to meet

these requirements. This is because these server NICs are

normally used for communicating between two peers and not

for examining all packets. It should be noted that the basic

design principles that NICs are based upon are also the basis

for many data input/output designs in existing proprietary

network security appliances, which also suffer from some of

the same issues.

What is required is a network interface card that is designed

for network monitoring and analysis, yet is compatible with

standard servers. Intelligent real-time network analysis adapters,

such as Napatech’s network adapters, provide such a solution.

To understand the difference, take a look at the performance

graphs below:

Figure 2: ZERO LOSS THROUGHPUT FOR DIFFERENT FRAME SIZES (IN BYTES) 10 Gbps throughput performance of server NIC and real-time network analysis adapters.

As can be seen in the graph, the Ethernet inter-frame overhead

of the Inter-Frame Gap (IFG) and preamble naturally reduces

the effective amount of data that can be processed in real-time.

This effect increases as the Ethernet frame size gets smaller.

Napatech network adapters can operate at the theoretical

maximum effective throughput when taking inter-frame overhead

into account, while standard server NICs struggle to provide even

a fraction of this throughput. The simple reason is that these

adapters cannot handle the up to 15 million packets (or 30 mil-

lion in duplex operation) that need to be processed on the port.

At the same time, the normal operation of NICs relies on the

server CPU and operating system to assist in transferring data

from the adapter to the application. At 10 Gbps, this can lead to

up to 70% of a single CPU just being used for transferring data:

Figure 3: CPU LOAD AT MAX THROUGHPUT FOR DIFFERENT FRAME SIZES (IN BYTES)CPU load for transferring data to the application

Napatech NT20E

Typical Server NIC

0

10

20

30

40

50

60

70

80

64 128 256 512 1024 1518

CPU Load

Signalling rate including Ethernet Inter-Frame Overhead

Napatech NT20E (operating at max. theoretical throughput)

Typical Server NIC

64 128 256 512 1024 1518

Max ThroughputGbps

0

2

4

6

8

10

12

Ethernet Inter-Frame

Overhead

Page 4: DN-0368 High Performance Network Security Appliances

Europe, Middle Eastand AfricaNapatech A/STobaksvejen 23 A, 1DK-2860 SoeborgDenmark

Tel. +45 4596 1500Fax +45 6980 [email protected]

AmericasNapatech, Inc.One Tech DriveSuite 110Andover, MA 01810US

Tel. +1 888 318 8288Fax +1 978 824 [email protected]

APACNapatech1/F Place Canada7-3-37 Akasaka Minato-ku107-0052 TokyoJapan

Tel. +81 3 6894 7678Fax +81 3 6894 [email protected]

Disclaimer: This document is intended for informational purposes only. Any information herein is believed to be reliable. However, Napatech assumes no responsibility for the accuracy of the information. Napatech reserves the right to change the document and the products described without notice. Napatech and the authors disclaim any and all liabilities. Napatech is a trademark used under license by Napatech A/S. All other logos, trademarks and service marks are the property of the respective third parties. Copyright © Napatech A/S 2011. All rights reserved.

4

Napatech network adapters process all data on the network

adapter itself and use an efficient Direct Memory Access (DMA)

process to move data directly into the memory of the application

without involving the operating system or consuming CPU

resources. This ensures that maximum CPU processing power

is provided to the application.

Finally, Napatech network adapters provide the intelligence to

decode the packet information received and using this informa-

tion to define flows. Flows indicate data that is related based

on source/destination, protocol type, tunnel identifier, etc. The

user can then direct these flows to up to 32 different CPUs.

This allows specific flows to be processed according to their

needs by individual applications running in parallel increasing

the efficiency and throughput of the system many-fold.

The net result of these intelligent real-time network analysis

features are that a significant performance improvement can

be achieved. As shown in the following graph, an intelligent real-

time network analysis can provide a 2-3 times performance im-

provement for network security appliance applications:

Figure 4: Relative performance of server NIC versus intelligent real-time network analysis adapter

For example, Napatech has helped IPS vendors to provide over

9 Gbps throughput performance using a single Napatech in-line

adapter combined with the latest generation standard server,

which is significant when compared to Frost & Sullivan’s price

analysis in Figure 1. More throughput means more value for

customers and better price positioning for IPS vendors.

The combination of a standard server and intelligent real-time

network analysis adapter thus provides a powerful platform for

developing a high-performance network security appliance:

• at a much lower cost (as no proprietary hardware needs to

be developed)

• at a much lower risk (the platform is off-the-shelf, tested

and verified in the field)

• faster (as development can be focused on application

development and not hardware)

ABOUT NAPATECH

Napatech is the leading OEM supplier of 1 GbE to 40 GbE intel-

ligent adapters for real-time network analysis. Napatech net-

work adapters provide real-time packet capture and transmis-

sion with full line rate throughput and zero packet loss no

matter the packet size. Intelligent features enable off-load of

data traffic processing and packet analysis normally performed

in the CPU. This results in more processing power for the net-

work monitoring, analysis, management, test, measurement,

security or optimization application being supported. Napatech

has sales, marketing and R&D offices in Mountain View (CA),

Andover (MA), Washington D.C., Tokyo (Japan), and Copenhagen

(Denmark).

0

50

100

150

200

250

300

350

400

Capture SNORT IPS

Index (%)

Napatech NT20E

Server NIC