Versatile Network Security Devices
Building Flexible, Multi-function Devices with Intel® Xeon® Processors
With the advent of the cloud computing era, network traffic is on the rise. A growing range of systems is coming online, including equipment in industrial, building automation, and energy management applications. Security threats are also on the rise, and according to the McAfee Threats Report Fourth Quarter 2010, the identification of new malware rose from 16,000 per day in 2007 to 60,000 per day in 2010. Given the growth in traffic, the rise of new applications, and the increasing volume and complexity of attacks, it’s easy to understand why traditional firewall and virtual private network (VPN) security solutions are not enough.
To deal with emerging threats, today’s organizations seek multi-function security solutions that consolidate a full suite of networking and security functions in a single, highly-integrated platform. They want high-performance solutions that can keep up with the increasing bandwidth generated by richer content, such as video. At the same time, these solutions need to be based on cost-effective open platforms to reduce capital expenditures and simplify purchasing, management, and maintenance. Standardized, open solutions are also required in order to easily migrate existing applications onto the new platform. Finally, these solutions must be highly reliable, and in many cases capable of operation in harsh environments.
The Foundation for a New Breed of Security Platform
For network security platforms, Intel® Xeon® processors offer many key advantages, starting with multi-core performance.
A security platform may host a combination of firewall, VPN, intrusion detection system (IDS) or intrusion prevention system (IPS), content filtering, network management, and other network security capabilities. By providing up to six cores within a single processor, Intel Xeon processors offer the performance needed to consolidate these disparate workloads onto a single platform. The multi-core performance of Intel Xeon processors is enhanced by Intel® Hyper-Threading Technology (Intel® HT), which enables a single core to run two threads simultaneously. This means eight threads can execute simultaneously on a quad-core processor, for example.
One key challenge associated with hosting multiple workloads on a single platform is the fact that these workloads may require different operating systems (OSs). This challenge can be addressed using virtualization. As shown in Figure 1, virtualization introduces a new software layer known as a hypervisor below the OS level. The hypervisor enables the operation of multiple virtual machines (VMs), each containing a guest OS and its associated applications, by presenting each guest OS with what appears to be a dedicated hardware platform.
Figure 1. Embedded hypervisors enable multiple OSs to run on the same hardware.
Intel® Virtualization Technology (Intel® VT)
To improve the performance of virtualized systems, Intel Xeon processors include Intel® Virtualization Technology (Intel® VT). By performing virtualization tasks in hardware, Intel VT significantly improves the performance and security of virtualized solutions. Key elements of Intel VT include:
- Processor virtualization – Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x) speeds up the transfer of control between the hypervisor and the guest OSs. It uses hardware assist to trap and execute certain instructions for the guest OS. In addition to accelerating performance, Intel VT-x enables implementation of certain hypervisor security features.
- Memory and I/O virtualization – Intel® Virtualization Technology (Intel® VT) for Directed I/O (Intel® VT-d) enables the hypervisor to assign specific I/O devices to each guest OS. Each device is given a specific area in memory that is only accessible by the device and the designated guest OS. Once again, hardware assist accelerates performance, as the hypervisor no longer has to be involved in every I/O transaction.
In addition to enabling different OSs to run on the same platform, Intel VT can enable a higher degree of separation between security-critical software and less critical software by isolating the critical software in a separate VM. This separation provides greater protection against potential compromises.
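Before relying on the VM separation just described, a practitioner will want to confirm that the host actually exposes VT-x and has VT-d switched on. The following Python check is an added example, not code from the article, Intel or Norco: it parses the `flags` line of Linux's `/proc/cpuinfo` for the `vmx`, `ept` and `vpid` flags (the kernel's names for the VT-x features) and scans kernel log lines for the `DMAR: IOMMU enabled` message; that exact message text, and the sample `/proc/cpuinfo` and log lines embedded below, are assumptions constructed for the example.

```python
"""Check whether the Intel VT features described above are exposed on a Linux host.

Added example (not from the Intel/Norco article): it parses the CPU flag line from
/proc/cpuinfo for the VT-x flags and scans kernel log lines for the DMAR/IOMMU
message that the intel-iommu driver prints when VT-d is active. Sample inputs are
constructed inline so the check runs offline; pass real text to assess() on a host.
"""
import re
from typing import Dict, Iterable, Set

# CPU flags as reported by the Linux kernel in /proc/cpuinfo.
VTX_FLAGS = {
    "vmx": "VT-x (hardware virtualization extensions)",
    "ept": "Extended Page Tables (hardware-assisted guest memory translation)",
    "vpid": "Virtual Processor IDs (TLB tagging across VM switches)",
}

# Constructed sample of a /proc/cpuinfo fragment (not a real capture).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU           X3450  @ 2.67GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm tpr_shadow vnmi flexpriority ept vpid
"""

# Constructed sample kernel log lines. Assumption: the intel-iommu driver logs
# "DMAR: IOMMU enabled" when VT-d is turned on with intel_iommu=on.
SAMPLE_DMESG_ON = [
    "[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 intel_iommu=on",
    "[    0.012345] DMAR: IOMMU enabled",
    "[    0.456789] DMAR: Intel(R) Virtualization Technology for Directed I/O",
]
SAMPLE_DMESG_OFF = [
    "[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1",
    "[    0.456789] DMAR: Host address width 39",
]


def parse_cpuinfo_flags(cpuinfo_text: str) -> Set[str]:
    """Return the set of CPU flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def vtx_status(flags: Set[str]) -> Dict[str, bool]:
    """Map each VT-x related flag name to whether the CPU reports it."""
    return {name: name in flags for name in VTX_FLAGS}


def iommu_enabled(dmesg_lines: Iterable[str]) -> bool:
    """True if any kernel log line shows the DMAR (VT-d) IOMMU being enabled."""
    pattern = re.compile(r"\bDMAR: IOMMU enabled\b")
    return any(pattern.search(line) for line in dmesg_lines)


def assess(cpuinfo_text: str, dmesg_lines: Iterable[str]) -> Dict[str, object]:
    """Combine both checks; 'isolation_ready' requires VT-x present and VT-d active."""
    flags = vtx_status(parse_cpuinfo_flags(cpuinfo_text))
    vtd = iommu_enabled(list(dmesg_lines))
    return {
        "vtx_flags": flags,
        "vtx_present": flags["vmx"],
        "vtd_active": vtd,
        "isolation_ready": flags["vmx"] and vtd,
    }


if __name__ == "__main__":
    # On a real host, feed assess() the contents of /proc/cpuinfo and the lines
    # printed by `dmesg`; here the constructed samples are used instead.
    report = assess(SAMPLE_CPUINFO, SAMPLE_DMESG_ON)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `isolation_ready` result is deliberately strict: a host that reports `vmx` but never logs the IOMMU as enabled can still run guests, but device assignment as described for Intel VT-d would then fall back to the hypervisor mediating every I/O transaction, without the hardware-enforced memory separation the text relies on.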
Intel VT also has advantages for the migration of networking, communications and security applications. Many of these existing applications use single-threaded code written for single-core processors. Reworking this code for multi-core execution is often impractical. Virtualization makes it possible to run a security solution and multiple instances of single-threaded software on the same processor, each within its own VM. This enables legacy software to rapidly leverage the multi-core performance of Intel Xeon processors.
Code migration can even be a challenge for symmetric multiprocessing (SMP) code because SMP techniques yield diminishing returns as the core count grows. For example, the performance curve for SMP packet processing software can flatten after only a few cores. Wind River Systems and 6WIND provide packet forwarding platforms that use Intel VT to solve this problem. Each of these companies offers a software platform that combines a control plane OS with a “bare-metal” executive for data plane acceleration, all under the control of an Intel VT-enabled hypervisor. By using a hypervisor instead of an SMP OS to distribute the load, these solutions enable the performance to scale with core counts, resulting in fast IP packet forwarding.
Software migration is also aided by the broad array of OS and security software solutions available for Intel Xeon processors. This excellent software support allows assembly of cost-effective, multi-function security appliances using best-in-class components.
A Versatile Network Security Platform
To address the needs of the current security market, Norco worked with Intel to develop a versatile network security platform. The result is the rack-mountable Norco FW-7911, a 2U network security platform designed for high-performance applications (Figure 2). The FW-7911 uses a quad-core, 2.66 GHz Intel® Xeon® processor X3450 with Intel HT Technology and Intel VT, providing significant performance headroom for multi-function security appliances.
Figure 2. The Norco FW-7911 is a versatile 12-port network security platform.
With 12 Gigabit Ethernet ports, the FW-7911 fits the bill for a variety of network security device applications. As shown in Figure 3, these include:
- SSL VPN
- Link load balancing
- Bandwidth manager
- Network access component (NAC)
- Network access control
- Web filter
- Antivirus wall
- Core switch
- Server load balancing
- Authentication authorization accounting (AAA) server
- Instant message (IM) filter
Figure 3. The Norco FW-7911 is suited to a wide range of network security and other LAN applications.
This rugged system includes a high-grade 2U industrial power supply and 4x DDR3 UDIMM dual-channel memory with ECC support. A unique “watchdog”+BYPASS design enables network traffic to continue flowing even in the event of a power failure, while also ensuring automatic reboot upon system failure (Figure 4). In addition to its Ethernet ports, the FW-7911’s rich I/O includes 2x SATA, 1x CompactFlash (CF), 2x USB, 1x RJ45, 1x Mini-PCIe, 1x PCI, and 1x LPT, enabling use with a wide range of external devices such as alarm, control light, telephone, and message communication devices.
Figure 4. In normal operation (top), the Norco FW-7911 Ethernet ports pass traffic to the onboard Ethernet controller. In bypass operation (bottom), pairs of Ethernet ports are coupled to form a piece of wire. Bypass mode can be triggered by power failure.
Innovating with Intel® Xeon® processors
The Norco FW-7911 provides an excellent example of a versatile multi-function security platform based on a cost-effective, high-performance Intel Xeon processor featuring Intel VT. With this platform, equipment developers can raise the bar for what’s achievable using COTS technology for the first line of network security control. How will you put this technology to use?
For more on securing connected devices, see intel.com/go/embedded-security
Norco is an Associate member of the Intel® Embedded Alliance. Norco is a leading manufacturer of embedded computing systems with operations in China, North America, Europe, and Southeast Asia. Norco’s products are widely used in digital signage, finance, traffic, network security, DVR, medical, and industrial automation applications.
This entry was posted on Friday, September 2nd, 2011 at 12:00 am and is filed under Articles.