Rethinking the Network With X-Series
Nathan Brady – Technical Marketing
© Blue Coat Systems, Inc. 2012 – Blue Coat Confidential

Typical Defense-in-Depth Strategy
Diagram of a typical perimeter between the Internet and the core or distribution layer routing:
• High-speed edge routers
• Defense in depth: firewalls, IPS, antivirus, content and URL filtering, and other security services
• Layer 2 switches for interconnectivity
• Application load balancers for scalability / flow management

Consolidating with Next-Generation Firewalls
"Will the all-in-one features in an NGFW appliance satisfy my security needs?"
Consolidate all of these devices… onto this new pair of NGFW devices.
Next-Generation Firewall Benefits
• Fewer devices
• Less network complexity
• Reduced CAPEX and OPEX
• Increased availability
Next-generation firewalls promise outstanding device consolidation, but raise questions…
"Will NGFW appliances meet current and future performance needs of my network?"

Can NGFW Appliances Keep Up?
[Chart: Performance Impact of Security on NGFW Appliances. Y axis: Throughput (Gbps), 0 to 70. X axis: Security Features Enabled. One series per vendor: Juniper SRX, Check Point, Palo Alto, Fortinet. Annotations along the curves: "Great large packet performance", "Use realistic protocols and traffic sizes", "Enable light-duty IPS", "Identify users and applications". Throughput declines as each feature is enabled.]
…based on datasheet numbers* with optimal port configuration, small policies, no redundancy, few IPS features, and no logging. *As of March 2012.

A Constellation of Metrics
Vendor data sheets list a few metrics, but each independently:
• Connections per second
• Concurrent connections
• Packet sizes
• Protocol mix
• Application features enabled
• Network performance
• Security applications deployed
But what about other metrics? How does each of these impact network performance?
Security infrastructure should be able to adapt to changing metrics and requirements.

Security is Processing Intensive
[Chart: Performance/Security Trade-off. Y axis: Performance. X axis: Realism & Security Features. Performance is highest with very little inspection and large packets, and lowest when realistic traffic is inspected thoroughly.]
True for many services:
• Firewall
• Intrusion Prevention
• Data Loss Prevention
• Web, Database, and Application firewalls
• Antivirus
This effect is multiplied for Next Generation Firewall devices performing multiple security functions.

Changing Network and Security Landscape
[Chart: Next Generation Firewall Performance. Axes: Performance vs. Security Features. Security Requirements grow in stacks labelled FW; FW + IPS; FW + IPS + LB, and Performance Requirements grow from 10 Gbps to 20 Gbps, while NGFW performance falls as security features are enabled.]

Strategies for Scaling Appliances
Still a complex mesh of several appliances. NGFW appliances often create the same problem they were intended to solve.

| Strategy | Advantages | Disadvantages |
| Physical Segmentation | Lower CAPEX; Easy to troubleshoot; Simplified switching | No scalability within segments; Scaling changes network architecture; Complex routing tables; High operational costs |
| Load Balancing | Scales linearly; Scaling does not affect architecture; Simplified routing tables | Complex switching and load balancing; Difficult to troubleshoot; High capital costs; High operational costs |

The X-Series Strategy
X-Series creates a "Network in a Box":
• Network Processor Modules
• Application Processor Modules
• Control Processing Modules
X-Series provides unprecedented consolidation and scalability in a single chassis.
[Diagram: a single chassis between the Internet and the internal network, containing the L2, LB, FW and IPS functions.]
Network Processing Module (NPM)
Provides Switching Fabric for Data Plane
• Switching fabric connects all NPMs and APMs
• 9600 series provides 10 to 40 Gb/s per module
• 8600 series provides 5 to 10 Gb/s per module
• Up to 140 Gbps of non-blocking backplane
Flexible Physical Network Interfaces
• Multiple configurations available, from 10x GbE to 16x 10GbE
• All ports are hot-pluggable, standard SFP, SFP+, XFP form factor
Distributes Traffic Efficiently and Intelligently
• Scales by distributing traffic across APMs and processing cores
• Automatically redistributes load around failed resources
Consolidates Network Infrastructure
• Virtualizes switches, load balancers, patch & power cords
• Eliminates common network devices found in security infrastructure
(Photo: NPM 9650)

Application Processing Module (APM)
Hosts Applications
• Responsible for running the security application(s)
• Can be pooled into a "Virtual Application Processor Group" (VAP Group)
• Dynamically provisioned – no local configuration
Scales Performance
• Multiple APMs in a VAP Group share load to scale performance
• APM 8650: 4-core and 8-core configurations, up to 16 GB RAM
• APM 9600: 12-core configuration, up to 24 GB RAM
Maintain Defense in Depth
• Layer multiple VAP Groups with different security applications
• NPM's network virtualization provides connectivity between layers
Provides Application Redundancy
• VAPs can run on any APM
• APMs can be re-provisioned on-the-fly
• Un-provisioned APMs automatically assume a warm-standby role
(Photo: APM-9600)

Control Processing Module (CPM)
System Management
• Provides out-of-band management of the chassis through dedicated backplane and management ports
• Centralized configuration for all elements in the system
Provision Applications Easily
• Define VAP groups and install applications centrally
• Automatically provisions the right resources for the application
• Hosts a dedicated file system for each Application Processor
Health Monitoring
• Continuously checks health and collects statistics on all modules (available through SNMP or web interface)
• Dynamically provisions new resources to replace failed resources
(Photo: CPM-9600)

System Architecture
[Diagram of the three module types and the control plane:
• APM: Linux application, or non-Linux application inside a KVM VM; CPUs & memory; XOS Linux.
• CPM: provisioning, management, storage; CPUs & memory; XOS Linux.
• NPM: 1GE & 10GE network interfaces; high-performance network interface; flow classification and flow distribution FPGAs; network processor; XOS Linux.
• Control plane: control switch ASIC, control I/O, 1GE local I/O, management.]

X-Series Flexibility
[Chart: X-Series System Performance against Security Requirements (FW, FW + IPS) and Performance Requirements (15 Gbps, 30 Gbps). Axes: Performance vs. Security Features.]

System Specs At-a-Glance

| NPM Version | NPM 8620 | NPM 8650 | NPM 9600 |
| Network Throughput | 5 Gbps | 10 Gbps | 40 Gbps |
| Packet Forwarding Rate (PPS) | 7 Mpps | 12 Mpps | 40 Mpps |
| Maximum Connections | 8 Million / 40 Million (8G) | 8 Million / 40 Million (8G) | 18 Million / 100 Million |
| Connection Setup Rate | 65,000 CPS | 130,000 CPS | 130,000 CPS |

| APM Version | APM 8650 4 Core | APM 8650 8 Core | APM 9600 |
| # Processing Cores | 4 CPU cores per module | 8 CPU cores per module | 12 CPU cores per module |
| IP Forwarding Packet Rate (PPS) | 1.7 Mpps | 2.2 Mpps | 7.0 Mpps |
| Fabric Connection Speed | 12.8 Gbps | 12.8 Gbps | 20 Gbps |
| Memory | 4 GB standard (upgradable to 16 GB) | 8 GB standard (upgradable to 16 GB) | 12 GB standard (upgradable to 24 GB) |
Hard Drive: diskless design; optionally up to 2 HDDs available with RAID.

Architecture Redundancy: X60 / X80-S
Crossbeam's Virtual Infrastructure has created a design with no single points of failure:
• Backplane trace redundancy
• CPM (Control) redundancy
• NPM (Network) redundancy
• APM (Application) redundancy
• Fan redundancy
• Power redundancy

Self-healing with Hot Standby
Original configuration: 4 Firewall APMs, 3 IPS APMs, 1 stand-by APM.
One Firewall APM experiences a problem.
The stand-by APM automatically takes the Firewall APM's profile.
"No more emergency wake-up calls at 3AM to replace appliances"

Self-healing via Prioritization
Original configuration: 4 Firewall APMs (Priority 1), 4 IPS APMs (Priority 2).
One Firewall APM experiences a problem.
An IPS APM automatically takes the Firewall APM's profile, based on priority.
"Automate self-healing to fit your business"

Greenlight Element Manager
• Application and system software information
• Chassis utilization and usage statistics
• Power supply and fan status
• Efficiency and capacity planning statistics
A visual, information-rich interface to your X-Series.

Modular Chassis

| | X60 | X80-S |
| Network Connectivity (Maximum) | 32 Ten Gigabit / Gigabit Ethernet | 64 Ten Gigabit / Gigabit Ethernet |
| Network Throughput | 68 Gbps | 140 Gbps |
| Packet Rate (PPS) | 21 Million | 54 Million |
| Concurrent Connections | 40 Million | 100 Million |
| Connection Setup Rate (CPS) | 180,000 | 320,000 |
| Check Point R75 FW+IPS Throughput | 68 Gbps | 135 Gbps |
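The hot-standby and priority-based self-healing on the two self-healing slides, together with the NPM's redistribution of flows around a failed APM from the NPM slide, modelled as one added Python example. This is illustration code written for this page, not Blue Coat or Crossbeam software: the APM slot names, the VAP group names and priorities, the rendezvous-hash flow distribution, and the rule that a donor group always keeps at least one APM are assumptions, not documented XOS behaviour.

```python
"""Toy model of VAP-group provisioning, flow distribution and self-healing.

Added example for this page; not Blue Coat or Crossbeam software.  The APM
slot names (strings), VAP group names, the rendezvous-hash flow distribution
and the rule that a donor group keeps at least one APM are assumptions.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VapGroup:
    name: str
    priority: int          # 1 = most important; higher numbers donate APMs first
    members: list = field(default_factory=list)   # healthy APM slots running this profile


class Chassis:
    def __init__(self, apm_slots):
        self.healthy = set(apm_slots)
        self.groups = {}   # group name -> VapGroup
        self.owner = {}    # slot -> group name; healthy slots with no owner are warm standby
        self.log = []

    def provision(self, name, priority, slots):
        """CPM-style central provisioning: push one profile onto a set of APMs."""
        group = VapGroup(name, priority)
        for slot in slots:
            if slot not in self.healthy or slot in self.owner:
                raise ValueError(f"{slot} is failed or already provisioned")
            self.owner[slot] = name
            group.members.append(slot)
        self.groups[name] = group
        return group

    def standby(self):
        """Healthy, un-provisioned APMs (the deck's warm-standby role)."""
        return sorted(s for s in self.healthy if s not in self.owner)

    def select_apm(self, name, flow):
        """NPM-style flow distribution: rendezvous (highest-random-weight) hashing
        of a 5-tuple onto the group's healthy members.  Removing a member only
        moves the flows that were pinned to it (assumed behaviour, see lead-in)."""
        members = self.groups[name].members
        if not members:
            return None
        key = "|".join(map(str, flow)).encode()
        return max(members, key=lambda s: hashlib.sha256(key + str(s).encode()).digest())

    def fail(self, slot):
        """CPM health monitor: drop a failed APM and re-provision a replacement.
        Returns the slot that took over, or None if the group now runs degraded."""
        self.healthy.discard(slot)
        name = self.owner.pop(slot, None)
        if name is None:
            self.log.append(f"{slot}: failed while standby; nothing to heal")
            return None
        self.groups[name].members.remove(slot)
        return self._heal(name)

    def _heal(self, name):
        victim = self.groups[name]
        spare = self.standby()
        if spare:                                    # hot standby takes the profile
            new_slot, how = spare[0], "hot standby"
        else:                                        # lowest-priority group donates one APM
            donors = [g for g in self.groups.values()
                      if g.priority > victim.priority and len(g.members) > 1]
            if not donors:
                self.log.append(f"{name}: no standby and no lower-priority donor; degraded")
                return None
            donor = max(donors, key=lambda g: g.priority)
            new_slot = donor.members.pop()
            del self.owner[new_slot]
            how = f"re-provisioned from {donor.name} (priority {donor.priority})"
        self.owner[new_slot] = name
        victim.members.append(new_slot)
        self.log.append(f"{name}: {new_slot} takes the profile via {how}")
        return new_slot


def demo():
    """Replay both self-healing slides on one chassis: 4 firewall, 3 IPS, 1 standby APM."""
    c = Chassis([f"apm{i}" for i in range(1, 9)])
    c.provision("firewall", 1, ["apm1", "apm2", "apm3", "apm4"])
    c.provision("ips", 2, ["apm5", "apm6", "apm7"])        # apm8 is left as warm standby
    flow = ("198.51.100.7", "192.0.2.10", 51515, 443, "tcp")  # constructed 5-tuple
    c.fail("apm2")   # first failure: standby apm8 takes the firewall profile
    c.fail("apm3")   # second failure: no standby, so the IPS group donates an APM
    return c.log, c.select_apm("firewall", flow)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Running it prints the two healing decisions. The checks worth making on a real chassis are the ones this pair of methods makes explicit: when an APM drops out, only the flows that were pinned to it should move, and a replacement must come from a standby or from a lower-priority group, never from a group the failed one outranks, so a fault in the IPS layer cannot silently shrink the firewall layer.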
Flexible Chassis

| | X20 | X30 | X50 |
| Network Connectivity (Maximum) | 10 Gigabit Ethernet | 10 Gigabit + 2 10Gb Ethernet | 16 Ten Gigabit / Gigabit Ethernet |
| Network Throughput | 5 Gbps | 10 Gbps | 17.5 Gbps |
| Packet Rate (PPS) | 4.4 Million | 4.4 Million | 11 Million |
| Concurrent Connections | 8 Million | 8 Million | 18 Million |
| Connection Setup Rate (CPS) | 110,000 | 110,000 | 115,000 |
| Check Point R75 FW+IPS Throughput | 5 Gbps | 10 Gbps | 17 Gbps |

X-Series Key Values
Consolidation: House multiple security applications in a single chassis. Scale each application to meet performance demands.
Adaptability: Add, remove, or change applications on a common hardware platform. Provision resources where and when they are needed.
Availability: Self-healing architecture. 5-9's high availability in a single chassis, 7-9's with dual chassis.
Operational Efficiency: Dramatically reduce maintenance time and effort. Manage and monitor the security environment from a common interface.

Please provide feedback on this webcast to: [email protected]
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
Blue Coat Confidential – Internal Use Only