New Challenges in the Network Security Market
Network Security Market Evolutions
As security became a serious IT market concern, a myriad of dedicated security products started to be deployed to counter potential threats from different sources:

- Firewalls to protect LANs from outside attacks
- Virtual Private Networking (VPN) to secure communications over insecure networks (e.g. the Internet)
- Intrusion Detection Systems (IDS) to monitor network communications and identify suspicious traffic
- Anti-virus and anti-spam to protect Internet applications

As the market began to mature, a new class of network security equipment appeared under the name of Unified Threat Management (UTM) appliances. By embedding several security functions in a single appliance, UTM appliances bring valuable end-customer benefits:

- Coherent multi-layered security architecture compared to a collection of disparate point products
- CAPEX reduction with fewer products to purchase
- OPEX reduction with a central configuration and management system
- Deployment flexibility by using any of the available features without needing new appliances

Finally, the convergence of networking and security requires integrating UTM with networking features in Multi-Services Security Gateways, a new generation of connected security equipment.
6WIND Value Proposition for the Security Market
6WINDGate simplifies the integration of security and networking features for a new generation of high-performance Multi-Services Security Gateways based on Multi-Core architectures:

- 6WINDGate networking software provides a comprehensive and ready-to-use set of L2/L3 networking features, including IPsec, each one optimized between Fast Path and Slow Path.
- 6WINDGate high-level APIs interface with Multi-Core hardware crypto-engines for maximal performance.
- 6WINDGate Multi-Core specific software is fully integrated with the Control Plane OS to provide a transparent solution for applications and to maximize reuse of existing software. This integration hides the complexities of Multi-Core from applications.
- 6WINDGate networking software is open for extension to ease the integration of differentiating and value-added features. Specific extensions are provided to integrate security features.

Scalable and Modular Solution
6WINDGate is available in three different versions (6WINDGate ADS, EDS and SDS) to fit the requirements of Multi-Services Security Gateway providers and let them develop a range of products.

6WINDGate scalable software suite to build a complete range of Telecoms equipment

- 6WINDGate ADS is targeted at mid-range appliances and equipment. Control Plane and Data Plane are co-located. For Multi-Core architectures, an SMP Linux kernel with an optimized SMP kernel networking stack runs on all the cores in order to process many packets simultaneously.
- 6WINDGate EDS is a solution based on a Fast Path architecture. This Fast Path is implemented as a Linux kernel module between the Linux networking stack and the interface drivers, so it does not require any specific Multi-CoreEE (Multi-Core Executive Environment). Compared to a standard Linux architecture, forwarding is performed at the driver level. Only packets that cannot be processed by Fast Path are forwarded to the Linux Networking Stack (Slow Path). The 6WINDGate EDS architecture relies on Cache Manager and Fast Path Manager modules to integrate and synchronise Fast Path processing and Slow Path / Control Plane in a transparent manner. 6WINDGate EDS delivers the best possible performance in a pure Linux environment.
- 6WINDGate SDS is targeted at high-end equipment. Like 6WINDGate EDS, it is based on a Fast Path architecture, but Fast Path is implemented in the Multi-Core Executive Environment. A certain number of cores are dedicated to Fast Path; Fast Path modules run in a dedicated execution space outside of the Linux kernel. Forwarding is performed at the Fast Path level. The 6WINDGate SDS architecture relies on Cache Manager and Fast Path Manager modules to integrate and synchronise Fast Path processing and Slow Path / Control Plane in a transparent manner. 6WINDGate SDS delivers the highest possible performance Multi-Core architectures can sustain.

A comparison between 6WINDGate profiles
can be found here.
Security Application: IPsec Concentrators
6WINDGate implements a full IPsec VPN solution, including IPsec at the Fast Path level using Multi-Core built-in crypto engines for maximal performance. Fast Path IPsec reads from shared memory the information it needs, including Security Associations (SAs), to encrypt and decrypt traffic.

SAs are configured by the 6WINDGate Control Plane Security module using IKE or IKEv2. When received, IKE traffic (negotiation phases, key renewal) is forwarded as an exception through the FPVI interface to the Control Plane to be processed. IKE then updates SAs in shared memory through the FPC interface. Reusing a standard IKE implementation that relies on well-known Linux APIs such as PF_KEY and Netlink is straightforward and does not require any change at the Control Plane level.

6WINDGate provides a complete and ready-to-use IPsec acceleration solution including management tools (CLI, Web) based on the 6WINDGate XML-based management system.
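
The Fast Path / Control Plane split described above, as an added sketch that is not 6WIND code: IKE always goes to the Control Plane as an exception, and ESP is handled in the Fast Path only once a matching SA has been installed. All names (`sa_install`, `classify`, the verdict values, the static table standing in for shared memory) are hypothetical, and only IKE on UDP port 500 is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model; none of these names are 6WINDGate APIs. */
enum verdict { V_FAST_PATH_ESP, V_EXCEPTION, V_NOT_IPSEC };

struct sa  { uint32_t dst, spi; int in_use; };           /* inbound SA key */
struct pkt { uint32_t dst, spi; uint8_t proto; uint16_t dport; };

#define SA_SLOTS 8
static struct sa sa_table[SA_SLOTS];    /* stands in for the shared memory */

/* Control Plane side: called once IKE has negotiated an SA. */
int sa_install(uint32_t dst, uint32_t spi)
{
    for (int i = 0; i < SA_SLOTS; i++)
        if (!sa_table[i].in_use) {
            sa_table[i] = (struct sa){ dst, spi, 1 };
            return 0;
        }
    return -1;                          /* table full: SA not installed */
}

/* Fast Path side: read-only lookup done for each ESP packet. */
static int sa_present(uint32_t dst, uint32_t spi)
{
    for (int i = 0; i < SA_SLOTS; i++)
        if (sa_table[i].in_use && sa_table[i].dst == dst && sa_table[i].spi == spi)
            return 1;
    return 0;
}

enum verdict classify(const struct pkt *p)
{
    if (p->proto == 17 && p->dport == 500)   /* IKE: always to Control Plane */
        return V_EXCEPTION;
    if (p->proto == 50)                      /* ESP: needs a matching SA */
        return sa_present(p->dst, p->spi) ? V_FAST_PATH_ESP : V_EXCEPTION;
    return V_NOT_IPSEC;                      /* left to other modules */
}

int main(void)
{
    struct pkt esp = { 0x0a000001, 0x1001, 50, 0 };   /* constructed packet */
    printf("before IKE: %d\n", classify(&esp));
    sa_install(0x0a000001, 0x1001);
    printf("after IKE:  %d\n", classify(&esp));
    return 0;
}
```

An ESP packet whose SPI has no SA is never decrypted on a guess; it takes the exception path, which is also where a monitoring point for unknown-SPI traffic would sit.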

IPsec Concentrator Architecture
Security Application: Integration of 6WINDGate with UTM features
6WINDGate can also be used to integrate networking and UTM features to develop Multi-Core-based Multi-Services Security Gateways.

6WINDGate Fast Path integrates specific hooks to divert flows to the right security software. These hooks are developed in the 6WINDGate VNB modular framework, which provides a way to easily integrate packet processing modules.

6WINDGate integration with UTM features