Enabling the High-Performance Next Generation Firewall

WHITE PAPER

V i r t u a l i z a t i o n .

C o n s o l i d a t i o n .

S i m p l i f i c a t i o n .

C h o i c e .

Enabling the

High-Performance

The Business Challenge

Large enterprises are increasingly engaging in network consolidation to eliminate redundant IT resources and minimize infrastructure complexity. Within these initiatives, enterprises are targeting their network security infrastructure as a natural focus for achieving both consolidation and governance goals.

In order to improve network security and support strategic business objectives, IT organizations are struggling to fi nd solutions that can offer the strongest protection against emerging threats and anticipate future threats, while guaranteeing application availability across the enterprise. This can most effectively be accomplished with “best-of-breed” security applications, state-of-the art vulnerability research, and a high-performance Next Generation Security Platform. In an ideal world, IT administrators would like to dynamically

add applications, provide seamless high-availability, and scale performance without having to add new boxes, virtually eliminating both planned and unplanned downtime. Until now, it has been impossible to fi nd a solution that incorporates all of these capabilities, supporting the required operational effi ciency and both short- and long-term cost reduction.

IT Security Challenges

Enterprise IT infrastructures are constantly under assault by cyber-criminals and hackers attempting to break into computer systems to steal classifi ed data and confi dential records, disrupt service, sabotage data and systems, and launch computer viruses and worms. Many of these attacks are actually “blended attacks.” A blended attack seeks to maximize the severity of damage and speed of contagion by combining methods, for example using characteristics of both viruses and worms, while also taking advantage of vulnerabilities in computers, networks, or other physical systems (see Figure 1: Multi-layer Threats That Target Enterprise IT Infrastructure). An attack using a blended approach might send a virus via an e-mail attachment, along with a Trojan horse embedded in an HTML fi le that will cause damage to the recipient computer. The Nimda, CodeRed, and Bugbear exploits were all examples of blended threats.

IT organizations no longer have a well-defi ned perimeter characterized by a handful of Internet connections and private Wide Area Network (WAN) links to their satellite offi ces and a few key partners. Instead, opportunities for increased revenue and operational effi ciency have driven much higher degrees of interconnectivity and in-depth access to their networked systems. Indeed, over the past few years, virtually all businesses have increased their support for online customer services,

business-to-business relationships, local access by guest users, telecommuting and employee mobility, and remote offi ce/branch offi ce computing services. Consequently, they now need comprehensive protection (from a functional perspective) not only at multiple

“perimeter” demarcation points, but also on their internal networks, at user endpoints, within their data centers, and at their branch offi ces.

Exposed via Partner UÊ1˜Ž˜œÜ˜Ê-iVÕÀˆÌÞÊ Êʜ˜ÌÀœÃ UÊ1˜ˆ˜Ìi˜Ìˆœ˜>Ê
VViÃÃ

Exposure of Financial Data UÊ1˜>Õ̅œÀˆâi`Ê
VViÃà UÊ>Ì>Ê/…ivÌ Inside Attacks UÊ1˜ˆ˜Ìi˜Ìˆœ˜> UÊ>ˆVˆœÕà Data Theft UÊ1˜>Õ̅œÀˆâi`Ê
VViÃà UÊ/Àœ>˜ÃÊÊÊÊÊUÊ-«ÞÜ>Ài Perimeter Attacks UÊ<iÀœÊ>ÞÊ
ÌÌ>VŽÃ UÊ"-Two-Way Protection UÊ*ÀœÌiVÌÊ
Õ̅œÀˆâi`Ê-ÞÃÌi“à UÊ œVŽÊ1˜>Õ̅œÀˆâi`Ê1ÃiÀà Business Partners Business Services Internal Users File Servers Remote Users Malicious Intruders *--܈ÌV… -܈ÌV… -܈ÌV… *-,œÕÌiÀ ˆÀiÜ> ˆÀiÜ> ,œÕÌiÀ 6* œ˜i˜ÌÀ>̜À *-  *-INTERNET

In order to address these threats and continuously improve infrastructure security, IT managers require high-performance multi-layered security solutions. Historically, there have been three common approaches:

• Security appliances: This has often been the initial solution to meet specifi c security requirements and to address emerging threats. However, many organizations have been unable to control “appliance sprawl.” This in turn has prompted consolidation initiatives to address highly-distributed and often stacked security software solutions that lack performance, but provide strong protection.

• Devices re-purposed from a hardware fi rewall: This

approach provides high-performance and application availability, but may sacrifi ce multi-layered security. Often performance claims are solely based on Layer 4 Firewall inspection and not application-level inspected throughput performance.

• Single-source solutions: This approach provides simplicity, by purchasing network and security solutions from a single vendor, yet often lacks inspected throughput performance and required levels of security.

Figure 1: Multi-layer Threats

Often IT organizations have had no choice but to combine the fi rst two classes of solution for full enterprise coverage, which has led to increased cost and complexity in scaling, management, maintenance, fault-isolation, and training. Each of these solutions is costly to purchase, maintain, and scale, yet still does not provide an effective solution. (See Figure 2: Current Deployments are Complex, Costly, and Diffi cult to Manage and Maintain.)

For the typical large enterprise, administrators are faced with hundreds, if not thousands, of devices and policies to manage, and hundreds of applications to manage, patch, update, and support.

Routers L2

Switches BalancersLoad

IPS Anti-virus

Internet

Firewalls Load

Balancers BalancersLoad

Requirements

To achieve required levels of security, availability, regulatory compliance, and employee effi ciency, all while containing cost, security strategies and solutions must be able to evolve. Common requirements include:

• The ability to stack or layer security solutions logically. Network and application security approaches differ, in part because the attack vectors differ. Yet the most effective and effi cient solutions require them to work in conjunction to prevent downtime, data loss, and/or leakage.

• The minimization of disruption. IT organizations need a better way to scale performance and introduce new security applications, while minimizing planned downtime for upgrades, general management, and maintenance.

• Reduced OpEx. Despite the challenge of managing an

increasingly complex infrastructure, most IT managers are facing the reduction of operating expense budgets and hiring freezes. Those that are lucky are asked to simply hold their budgets steady year over year. They are forced to do more with less, while improving levels of security.

Figure 2: Current Deployments are Complex, Costly, and Diffi cult to Manage and Maintain

• Reduced CapEx. Most security budgets are strained to the point that any signifi cant purchases receive extensive scrutiny. Increased M&A activity increases the challenge by having to protect a growing number of local and remote physical locations with little additional budget.

Ideally, a multi-function security appliance would not require a trade-off between the quality of the individual security application and the performance of the overall system.

Crossbeam is the leader in high-performance virtualized Next Generation Security Platforms. The Crossbeam X-Series Next Generation Firewall solution delivers multi-layered protection from best-of-breed software vendors like Check Point, Sourcefi re, and Imperva, with class-defi ning performance and reliability to provide enterprises defense-in-depth security and robust network and application availability. The X-Series is the perfect consolidation solution, allowing virtualization of multiple instances of security applications.

The Role of Virtualization in Securing Enterprise Networks

Virtual services enable large distributed organizations to centralize security enforcement and equipment maintenance while retaining the option of either centralized IT or distributed management by division or other sub-entity. As security services are centralized, the organization can deliver fi rewall and IPS services to thousands of end-users with a single device and still offer each location or department independent policy management.

Next Generation Firewall

The Next Generation Firewall is a new class of solution that provides the foundation of enterprise security -- tightly coupled fi rewall and intrusion prevention (IPS) capabilities. Firewall and IPS provide complimentary protection and multi-layered defense, maintaining low latency while performing complex inspection and blocking. Simply having an IPS in the same appliance as the fi rewall does not constitute a Next Generation Firewall; both components need to leverage each others’ inspection capabilities, have intelligent traffi c handling, and work together to block attacks. Crossbeam provides the optimal solution by tightly coupling and certifying the leading fi rewall and IPS solutions. Crossbeam’s unique architecture and operating system, XOS™, allows serialized processing between Check Point VPN-1 Power and Sourcefi re’s IPS with Real-time Network Awareness™ technology (RNA), creating the most powerful Next Generation Firewall.

Crossbeam’s Next Generation Firewall offers a high-speed, multi-policy security solution designed for large enterprises that require the strongest and fastest layered Firewall and IPS solution. By consolidating multiple security domains on a single platform, Crossbeam can reduce licensing, maintenance, complexity, and cost while offering the industry’s most intelligent, adaptive network, and application inspection technology. The Next Generation Firewall running on Crossbeam’s platform replaces complex network topologies consisting of routers, switches, load balancers, fi rewall/VPN gateways, and network intrusion prevention systems. It allows multiple networks to be protected, while connected to shared resources such as the Internet and DMZs, but also to interact with each other safely. It does all this while providing simplifi ed and unifi ed management through Crossbeam’s SecureShore™ Network Management System (NMS). SecureShore NMS can also leverage Check Point’s SMART management solutions SmartCenter and Provider-1 and Sourcefi re’s Management. Crossbeam solutions provide the highest hardware scaling and high availability solutions for Check Point VPN-1 POWER and Sourcefi re IPS deployments.

Large enterprises can fi nally discover the same benefi ts for their security infrastructure that are being currently accomplished with virtualized server deployments. Instead of having to upgrade and patch a myriad of distributed fi rewall and IPS systems, a single Crossbeam Next Generation Firewall deployment can mean patching and upgrading a single system. This is especially useful in large campus or skyscraper deployments where fi rewall and IPS services can easily be aggregated in the data center. Many Crossbeam customers are able to consolidate tens or even hundreds of fi rewalls, IDS sensors, and IPS devices onto a handful Crossbeam chassis, drastically improving operational aspects of the network with a high-performance, high-availability, and best-of-breed multi-layer virtualized solution. With less hardware, software, and accompanying licenses to procure and manage, Crossbeam customers are able to achieve signifi cant capital and operational cost savings.

Check Point’s Best-of-Breed Firewall/VPN Features

Crossbeam System’s X-Series has incorporated the world’s best fi rewall/ VPN software – Check Point Technologies VPN-1 Power – onto its Crossbeam security services switches. Along with Sourcefi re, these solutions integrated on Crossbeam’s platforms eliminate the need for tens of load balancers, switches, and separate high availability licenses required to make current fi rewall/VPN appliances scale.

The integrated Crossbeam and Check Point VPN-1 Power functionality is state-of-the-art, providing the industry’s most complete and high-performance stateful inspection engine, full VPN capability, multiple NAT options, proxying, and support for the latest technologies such as VoIP, SIP, fi xed wireless, and 802.11x wireless networks.

With support for more than 200 predefi ned applications and protocols out-of-the-box, VPN-1 Power provides the broadest application support in the industry.

VPN-1 Power provides NAT to conceal internal network addresses and support different networking scenarios integrated with stateful inspection technology. VPN-1 Power automatically generates static and dynamic NAT rules based on network topology information. Because organizations are dealing with increasingly complex virtual private networks, VPN-1 Power contains a comprehensive set of technologies to build remote access and site-to-site VPNs that simplify confi guration while still maintaining fl exibility for different deployment scenarios. With Check Point VPN-1/FireWall-1, security rules are applied to VPN traffi c to guarantee complete integrity of network security. Crossbeam offers the perfect platform for easily migrating older FireWall-1 installations to the latest VPN-1 Power version, which includes Firewall-1.

Sourcefi re’s Best-of-Breed IPS Features

Built on the legacy of the open source Snort® _{rules-based detection}

engine, Sourcefi re uses a powerful combination of signature-, protocol-, and anomaly-based inspection methods to achieve the maximum attack detection and prevention capability. Flexibility in the rules language and numerous confi guration options allow users to easily defi ne new ways to identify and address threats and enforce policies specifi c to their environment.

Sourcefi re RNA technology provides the most comprehensive view of security events and the ideal basis for the most effective network defense using a revolutionary combination of passive network

discovery, behavioral profi ling, and integrated vulnerability management technologies. RNA continuously monitors all network assets (servers, routers, PCs, fi rewalls, and wireless access points), presenting a real-time view and highly-detailed profi les of all network assets including their confi guration, behavior, potential vulnerabilities, and associated changes. The degree of insight and intelligence that RNA provides not only allows organizations to protect their networks with more confi dence, it greatly reduces the ongoing cost associated with responding to network threats. The Sourcefi re Defense Center tightly integrates and correlates

the threat information provided by Sourcefi re IPS with the network intelligence provided by Sourcefi re RNA, easily prioritizing millions of security events to determine the most critical events to the business and takes the appropriate actions according to Sourcefi re’s ABCs of Defense – Alert, Block, and Correct.

The Crossbeam X-Series Next Generation Security Platform

Product Family

The Crossbeam X-Series products provide the foundation for the Next Generation Firewall solution. The X-Series product family includes the X40, the X45, and the X80 chassis. All of the products share the same basic architecture, but each has unique characteristics to suit specifi c deployments. The X45 is a 7-slot 8 RU chassis. The X40 and the X80 are 14-slot 14 RU chassis. All three are high performance, high availability, easy-to-manage security switches designed to secure medium and large enterprise data centers.

The X-Series system decouples network and security service processing to allow customers to effectively take advantage of price/performance improvements and innovation curves within each technology

independently. The system offers massive consolidation of security equipment while preserving security policies, resulting in a safer and simpler network.

Chassis Architecture

The X-Series is a modular chassis architecture consisting of 7–14 slots in an 8 or 14 RU carrier-class enclosure (See Figure 3: Crossbeam X-Series Platforms). There are three major types of modules used in the system: Network Processor Modules (NPMs), Application Processor Modules (APMs), and Control Processor Modules (CPMs). The different chassis allow differing combinations of modules.

The backplane supports 40+ Gbps of data traffi c, allowing the chassis to scale as the power of the APMs or NPMs are increased in line with technology improvements. Each NPM has a 10 Gbps full duplex point to point connection to all APMs and CPMs, and the second NPM. Each

APM can receive up to 12 Gbps of traffi c. The signaling information (heart beat, health poll, fl ow states, etc.) goes through a dedicated 1Gbps control path.

The X-Series architecture also delivers the industry’s fi rst system capable of either single-box or dual-box High Availability (HA). Every component and blade within the Crossbeam X-Series is fully redundant and is designed to meet stringent carrier-class requirements. In addition, in single-box HA, Crossbeam has the unique capability of supporting a dynamic standby application module. If any application module becomes unavailable, the standby module can dynamically take on the capabilities of any application. Therefore, a standby blade does not have to be confi gured for a specifi c application and allows for seamless failover for multiple applications using a single blade.

The X-Series carrier-class architecture was designed and built by the same team that built the frame relay switches at the core of MCI’s HyperStream global data network (see Figure 4: X-Series Carrier Class Architecture). Unlike expensive telecommunications products, however, the X-Series achieves its high capacity capabilities at prices equivalent to existing enterprise fi rewall solutions.

Control Plane

40 Gbps Network/Data Path 160 Gbps Switch Fabric Backplane

Firewall IPS

WAF

Dynamic Standby

Crossbeam’s Virtualized Network Operating System

XOS™ Software

X-Series is powered by a custom-hardened version of Linux, the X operating system (XOS Software), a software architecture which has been optimized for the secure processing of network fl ows. Highly adaptive, XOS software can quickly add support for new applications, thereby integrating existing security technologies while remaining “future proofed” against constantly changing security requirements (see Figure 5: XOS Software and the System Architecture).

More specifi cally, this software architecture is founded on a Symmetrical Multi-Processor (SMP) Linux kernel operating system. This assures

Figure 4: X-Series Carrier Class Architecture

Linux systems and guarantees the benefi ts of the evolution of these capabilities in step with the progress of the Linux community. Existing or future best-of-breed applications written for Linux can run on the X-Series architecture and rely on the complete set of available and evolving Linux features and utilities.

Crossbeam Systems provides specifi c support for applications developed by best-of-breed security application vendors working with Crossbeam as strategic partners.

Firewall VPN

Intrusion

Protection DynamicCapacity Web/DBFirewall GatewayContent

SSL Remote Access Crossbeam Next Generation Security Platform

XOS™ Secure Flow Processing

Unsecured Traffic Secured Traffic

Crossbeam’s Virtual Application Processing

A signifi cant software construct within XOS is the Virtual Application Processor (VAP) group (see Figure 5: XOS Software and the System Architecture). Applications running on the APMs can exchange user traffi c with external ports and with other applications running on either the same module or any other module in the chassis. One APM can run on one application, or alternatively, one application or a set of applications can run on multiple APMs, allowing effective multiplication of computing capacity to the application processing needs, while still being seen as one virtual application by the traffi c coming into the chassis. This type of variability and fl exibility is enabled by the VAP group’s capabilities. An APM is mapped to a VAP because there is no association of an APM with the physical slot in the chassis and no association of a physical module with the applications. A group of APMs is called a VAP group. The security administrator just needs to defi ne the number of VAPs in a VAP group and the exact number of APMs needed for this VAP group. That means that a confi guration can be done for fi ve fi rewall modules where at the beginning only two APMs might be loaded in the chassis, for cost effi ciency reasons. When traffi c grows new APMs can be added with just one command line interface (CLI) command to adjust the max-load-count.

Figure 5: XOS Software and the System Architecture

Benefi ts of the X-Series Platform

The X-Series was designed to create order of magnitude

improvements in the operational effi ciency of running data center security infrastructures. Signifi cant benefi ts include:

Strategic

• Reduces the risk of technology investments. The rate of security threats and new security software development is accelerating, so enterprises want to preserve the ability to switch to new vendors quickly as needs change

• Allows for core installation in “lights out” environments, scaling multiple, complementary applications, and multiple software instances all in a 99.999% uptime platform

Operational

• Requires signifi cantly fewer personnel to manage existing fi rewalls

• Uses signifi cantly less power and rack space than traditional server-based solutions

• At 8 Gbps of stateful fi rewalling capacity per APM-8600, the platform offers signifi cant price/performance improvements over competitive products

Modular Options for Additional Functionality and Growth

• Provides a modular network and application blade-based approach, so that users can always take advantage of the latest technology without disrupting existing confi gurations and run-time operations

• Offers APM hard drive options for applications that require local disk space (IDS and anti-virus)

• Offers APM memory upgrades – up to 4 GB to keep pace with application requirements

Other Operational Features and Benefi ts

• Consumes less than 600W (during normal operation) with a fully loaded chassis compared to 610 watts consumed by a single SUN 220R enterprise server

• Only 14 RUs for the equivalent of two load balancers, 10 servers, and the associated switches, cables, and management consoles

• All modules in the system are fully hot-swappable, reducing down-time for upgrades and replacement of failed components

Fully Secure and Available

• Completely isolated management plane ensures that system management can not be reached from the data plane

• SSL-based Graphical User Interface (GUI) access and SSH-based CLI access

• No single point of failure in the entire box – dual fan trays, four power supplies, multiple redundant interfaces, 18-layer backplane with data network traces on separate layers, control network traces on separate layers and redundant traces to each card

Consolidating Security Infrastructure

Case Study: CheckFree Corporation

Founded in 1981, CheckFree Corporation (Nasdaq: CKFR) provides fi nancial electronic commerce services and products to organizations around the world. With three divisions – CheckFree Electronic Commerce, CheckFree Investment Services and CheckFree

Software – CheckFree employs more than 3,500 people worldwide, in 18 locations with an annual revenue of $879.4 million in fi scal year 2006.

The Challenge

CheckFree’s worldwide network handles more than one billion sensitive fi nancial transactions per year – each needing to be transported, stored and retrieved in a timely, secure fashion at any time, for any authorized user. With the increasing popularity of electronic billing and payment, CheckFree’s security architecture had become more complex as additional security layers were strategically added.

Perimeter security throughout CheckFree’s expansive global network consisted of load balancers, redundant fi rewalls, and multiple IDS devices. Added to this complexity was an expansive switching

architecture for data fl ow, application sequencing, and failover, making troubleshooting and log auditing more challenging. With an increasing number of appliances in the network, overlaying security was growing more complex with each transaction.

Each system required patching, upgrading, and log fi le review, and some devices required management and administrative tools, which in turn required additional training. Staff and maintenance costs were increasing. To plan the next level of quality for this complex network, CheckFree set out to re-engineer the fi rewall and IDS infrastructure to improve availability and meet future growth projections. They sought to deploy a consolidated fi rewall and IDS platform that was highly

As the number of

transactions that

CheckFree handles

continues to grow, our

security architecture as

well as our transaction

operations must be able

to scale effi ciently. Our

priorities are protecting

customer data and

ensuring that our security

solutions integrate to

create an exemplary

security architecture.

available, cost effective, and easy to manage – all with the goal of increasing network capacity and scalability while decreasing operational cost and complexity.

The Solution

CheckFree embarked on an extensive search for a multi-layered security platform that could consolidate and tightly couple intrusion detection (IDS) and fi rewall functions. The company conducted extensive testing of hardware platforms from leading vendors, and found that the Crossbeam X-Series security switch outperformed the closest competitor by 87%. According to Isenberg, Crossbeam was the only vendor that offered a security-focused blade server that aggregated security applications in a scalable, highly available perimeter device with multi-gigabit scalability. “To add horsepower or additional security applications, all we have to do is add another blade to the chassis,” said Isenberg.

Crossbeam X-Series is delivered in three blade-based chassis that offer various rack space and port density options. The models can be deployed either in single-box high availability mode (SBHA) or multi-box high availability mode (MBHA) depending on security policies. SBHA is made possible by a system architecture that includes full redundancy across all elements from power and fan to interface, blade, and application layers. The system enables transparent insertion into and protection of networks from vendors such as Cisco, Juniper, Foundry, and Extreme. CheckFree was able to consolidate 20 IDS devices, 20 switches, and 26 fi rewalls onto seven Crossbeam chassis, drastically simplifying its network with a high-performance, high-availability, and best-of-breed multi-layer virtualized architecture.

Despite traffi c doubling every year since 2003, CheckFree has not had to add any new staff to manage the environment, and achieved double the ROI after three years.

Summary

The traditional practice of deploying an ever-increasing number of appliances and applications to combat increasing security risks creates an infrastructure that is too complex, costly, and slow to react to new threats. Today, enterprises managers want to move to a new kind of virtualized security architecture that supports the requirements of a Next Generation Firewall, but also consolidates deployments, reduces cost, and delivers much faster threat response.

Crossbeam Systems, working closely with Check Point and Sourcefi re, has developed a tightly coupled, high-performance, scalable, and reliable

ground up to offer the best protection and performance for detecting and eliminating multiple levels of threats that target mission critical IT infrastructure and data.

The Crossbeam Next Generation Firewall running on the X-Series platforms replaces complex network topologies consisting of routers, switches, load-balancers, Firewall/VPN gateways, and Intrusion Detection/Prevention System sensors and appliances. It allows multiple networks to be protected and connected to enable shared resources within various departments, corporate sites, the Internet, and DMZs, while enabling them interact with each other safely. It does all this while providing simplifi ed and unifi ed management using well-known applications. The end result is a high performance, scalable virtual security service delivery platform that provides both capital and operational cost reduction at deployment and over time.

Crossbeam Systems protects many of the largest enterprises in the world in industries such as fi nance, high tech manufacturing, and telecommunications, where the deployment of Crossbeam Systems security switches is at the core of the network and in mission-critical ingress and egress points.

About Crossbeam Systems

Crossbeam Systems, Inc. transforms the way enterprises, service providers and government agencies architect and deliver security services. The basis of Crossbeam’s solution is its Next Generation Security Platform, a highly scalable hardware platform that facilitates the consolidation, virtualization and simplifi cation of security services delivery, while preserving the customers’ choice of best-of-breed security applications. Crossbeam offers the only security platform that delivers unparalleled network performance, scalability, adaptability and resiliency. Customers choose Crossbeam to intelligently manage risk, accelerate and maintain compliance, and protect their businesses from evolving threats. Crossbeam is headquartered in Boxborough, Mass., and has offi ces in Europe and Asia Pacifi c. More information is available at: www.crossbeamsystems.com

Corporate Headquarters

Crossbeam Systems, Inc. 80 Central Street

Boxborough, MA 01719 Tel: +1 (978) 318 7500 Fax: +1 (978) 287 4210