Hillstone Technology Introduction
Timothy Liu
www.hillstonenet.com, May 2015


Product Portfolio

[Diagram: product portfolio – Next-Gen Firewall: E Series; Intelligent Next-Gen Firewall: T-Series; Data Center Firewall: X-Series; Analytics (on VM or standalone); Centralized Security Management: HSM-200; HAS-3/5/10; Virtual Firewall (vFW); Virtual Elastic Firewall Architecture (vEFA)]

1 Hardware
2 StoneOS
3 T Series
4 X Series
5 Virtualization

The Hardware

New Generation of Hardware Architecture

G1 – x86, G2 – NP/ASIC, G3 – Multi CPU & Multicore

1st Gen – x86: insufficient processing power
2nd Gen – NP/ASIC: no application layer capability; limited bandwidth between processor and ASIC/NP
3rd Gen – MultiCore: multiple CPUs, each with multiple cores; dedicated application acceleration hardware; up to 960G switch fabric

[Diagram: block diagrams of the generations – an x86 processor with RAM, HDD and NICs; an x86 processor with RAM and HDD plus an NP/ASIC with its own RAM attached over PCI/PCI-E]

Hillstone Innovation

• 2007-2008: First in industry with security appliance based on multicore CPU

• 2009: First in industry 10G Firewall

• 2010-2011: Distributed architecture based on multiple CPU, 100G Firewall

• 2013: New heterogeneous architecture for Intelligent NGFW

E Series – Single CPU

[Diagram: one multi-core MIPS64 CPU (up to 32 cores, CPU Core 0 … Core n) connected through a switch fabric to GE and 10GE interfaces and storage]

X-Series – A Distributed and Parallel Architecture

[Diagram: several multi-core MIPS64 CPUs (each with CPU Core 0 … Core n) connected through a switch fabric to GE and 10GE interfaces and storage]

T series

[Diagram: one multi-core MIPS64 CPU (up to 16 cores, CPU Core 0 … Core n) plus an x86 system, connected through a switch fabric to GE and 10GE interfaces and storage]

The Operating System

Hillstone Integrated Defense for Businesses (High-Performance Integrated Solution)

[Diagram: layered stack – multi-core high-performance hardware platform; 64-bit concurrent OS; security functions: FW, IPS, AV, URL Filter, IPsec VPN & SSL VPN, QoS, Attack Protection, APP & User Id; Centralized Security Management (HSM) on top]

StoneOS

Advanced Full Parallel Architecture

Traditional Multi-core Architecture
• Uses multi-core to handle packet forwarding
• Only x86 can handle application processing
• Same session cannot be distributed to all cores.
• Multi-core is a cheap ASIC or NP replacement only.

Hillstone’s Innovative Multi-core-Plus Architecture
• All application processing is distributed to all cores evenly
• One-pass processing without the CPU bottleneck

Scalable Performance

[Chart: 64-byte throughput (Mbps) vs. core # (0–18)]

Scalable Performance

[Chart: ramp up (sessions/sec) vs. core # (0–18)]

Cross Inspection

Cross Inspection: combines Deep Inspection with a user’s application behavior for cross-analysis of user state, application state and behavior state.

[Diagram: Deep Inspection combined with User state, Application state and Behavior state]

Stream Based Processing

Stream Engine

[Diagram: a stream engine node holding state information, with packet in → packet out]

• A Stream Engine is a node in a pipeline that processes incoming packets en route.

• It can be as simple as a packet counter or as complex as AV signature matching or traffic optimization.

• Compared to a fully proxied solution, it offers lower network latency, faster response time, and higher processing capacity.

StoneOS Stream Engine

[Diagram: stream engine pipelines built from TCP Proxy, HTTP Decoder, Gunzip, MIME Decoder, PE Decoder, AV Scanning and IPS Scanning engines, with branches for different flows]

• Stream engines form a pipeline (a pipeline with branches).

• Different flows have different pipelines of stream engines, depending on the policy configuration and on the flow itself. For example, some flows will have a URL filtering stream engine while others will have an AV scanning stream engine.

• The pipeline can be adjusted dynamically based on processing state information. For example, a gunzip stream engine is added to the pipeline when the content is detected to be a gzipped file.
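As an added illustration (not Hillstone's code, and not StoneOS internals), a Python sketch of the per-flow pipeline the slide describes: the HTTP decoder records the content encoding in the flow's state information, and a gunzip engine is spliced in before AV scanning only when that state shows a gzipped body. The engine names, the policy dict and the signature marker are assumptions made for this example; the HTTP response is constructed sample input.

```python
import gzip

# Marker standing in for an AV signature (constructed for this example only).
SIGNATURE = b"X-EXAMPLE-MARKER"

def http_decoder(state, data):
    """Split headers from body; record the content encoding as flow state."""
    head, _, body = data.partition(b"\r\n\r\n")
    state["gzip"] = b"content-encoding: gzip" in head.lower()
    return body

def gunzip_engine(state, data):
    """Inflate a gzipped body so downstream engines see the real content."""
    return gzip.decompress(data)

def av_scanner(state, data):
    """Minimal signature match; the verdict is kept in the flow state."""
    state["verdict"] = "malicious" if SIGNATURE in data else "clean"
    return data

def build_pipeline(policy):
    """Policy-dependent pipeline: only flows whose policy enables AV get it."""
    engines = [http_decoder]
    if policy.get("av"):
        engines.append(av_scanner)
    return engines

def run_flow(policy, raw, dynamic=True):
    """Pass the data through the engines in order. With dynamic=True the
    gunzip engine is spliced in right after the HTTP decoder has seen a
    gzipped body; with dynamic=False the scanner only sees compressed bytes."""
    pipeline = build_pipeline(policy)
    state = {"gzip": False, "verdict": "not-scanned", "engines": []}
    data, i = raw, 0
    while i < len(pipeline):
        engine = pipeline[i]
        data = engine(state, data)
        state["engines"].append(engine.__name__)
        if dynamic and engine is http_decoder and state["gzip"]:
            pipeline.insert(i + 1, gunzip_engine)
        i += 1
    return state

def make_response(body, compress):
    """Constructed HTTP response used as sample input for the example."""
    payload = gzip.compress(body) if compress else body
    enc = b"Content-Encoding: gzip\r\n" if compress else b""
    return (b"HTTP/1.1 200 OK\r\n" + enc +
            b"Content-Length: %d\r\n\r\n" % len(payload) + payload)
```

Running the same gzipped sample with dynamic=False shows the false negative that the state-driven insertion avoids: the scanner sees only compressed bytes and reports the flow clean.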

Parallel Stream Engine Architecture

[Diagram: stream engines grouped by stage – TCP Proxy; Decoders (HTTP Decoder, SMTP Decoder, PE Decoder, MIME Decoder, gunzip, …); Security Processing (IPS Scanning, AV Scanning, URL Filtering, Content Filtering, …); App Processing (Behavior Control, ALG, Application Proxy, Application Tunneling, Application Optimization)]

StoneOS – Parallel and Stream Based Inspection Engine

• The parallel, stream-based inspection engine enables network visibility: Cross Inspection™ technology provides user, application and behavior data

• Stream-based security inspection gives low-latency processing

• Unified policy engine for all security functions

• Different packets of the same flow can be distributed to all CPU cores for parallel processing.

• VPN encap/decap, classification, protocol decoding, application identification, security processing, and flow control are done only once

Parallel Architecture Delivers High Performance

• Multi-core and multi-CPU architecture provides high performance

• Each core provides security functions independently of the others

• The same session can be handled on all cores concurrently

• A unified security engine performs security processing once, thereby reducing latency

2 Stage QoS

[Diagram: two-stage QoS – 1st stage at ingress and 2nd stage at egress, each a tree of Root, Default and Sub queues]

The T-Series iNGFW

Hardware Architecture of T-series

• Performance: Firewall performance is not impacted by the analytics computation

• Stability: Separate engines improve fault tolerance.

• Security: x86 engine for data mining and correlation analysis enables intelligent security

• Visibility: Enhanced visibility from the large amounts of historical data collected

Intelligent Multi-Vector Processor Architecture (i-MVP)

[Diagram: i-MVP – Management Engine (ME), Intelligent Engine (IE) with Big Data, Network Engine (NE) and Security Engine (SE), spread across an x86 processor and a multi-core secure processor]

Two Detection Engines

• Unknown Threats Detection Engine: detects advanced malware and 0-day

• Abnormal Behavior Detection Engine: detects compromised hosts and malicious insiders

Behavior based, detects unknown threats

Unknown Threats Detection Engine

[Diagram: data analytics on the behavior of known malwares produces Model 1 … Model n, combined into a Malware Behavior Model]

Unknown Threats Detection Engine

[Diagram: host behavior is compared against the Malware Behavior Model; unknown threat detection flags compromised hosts]

Malware Analysis and Detection using Big Data

• Sample Collection: malware collection, sandbox analysis, network behavior collection

• Big Data Analysis: tens of thousands of new samples per day. Preprocess along predefined parametric and statistical dimensions.

• Machine Learning: supervised and unsupervised.

• Behavior Model Update: appliances pull in updates to the behavior models.

• Complete Cycle: detection results can be uploaded with user consent. This global intelligence improves overall security.

Abnormal Behavior Detection

[Diagram: app and host behavior learning and modeling → detect abnormal behavior]

Abnormal Behavior Detection Engine

[Diagram: build dynamic models of applications and hosts → measure the deviation of current behavior from the model → determine the attack type: DoS/Scan, Crawler, SPAM, Data Leakage]

Abnormal Behavior Detection based on historical behavior

• Data Modeling: multi-dimensional, L3-L7, application

• Adaptive Algorithm: models real-time network behavior, taking into account behavior variation across multiple time periods and correlation between data dimensions.

• Early detection of anomalies: compared to a static threshold, it enables earlier detection of and intervention in behavior anomalies.

• Detects DDoS against servers, scanning, crawlers and data exfiltration.
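As an added example (not Hillstone's algorithm), a Python sketch of the two claims above: a baseline per hour-of-day for each dimension stands in for "behavior variation on multiple time periods", the deviation pattern across dimensions is mapped to an attack type as on the previous slide, and a static connection threshold is evaluated alongside to show where the adaptive model fires earlier. The host history, the two dimensions, the z-score cutoff and the static threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed history for one host: per hour-of-day, several days of samples of
# two dimensions (new connections per hour, distinct destination ports per hour).
# Hour 3 is quiet at night, hour 14 is busy during the day; values are made up.
HISTORY = {
    3: [(10, 4), (12, 5), (9, 4), (11, 5), (13, 6)],
    14: [(400, 30), (420, 33), (390, 28), (410, 31), (405, 30)],
}

STATIC_THRESHOLD = 1000  # connections/hour: a fixed limit, for comparison only

def build_model(history):
    """Per hour-of-day baseline: (mean, stdev) for each dimension, so the
    model follows the host's normal variation across time periods."""
    model = {}
    for hour, samples in history.items():
        model[hour] = tuple((mean(c), pstdev(c)) for c in zip(*samples))
    return model

def z_scores(model, hour, sample):
    """Deviation of the current sample from the model for that hour."""
    return tuple((v - m) / (sd or 1.0) for v, (m, sd) in zip(sample, model[hour]))

def classify(z, k=3.0):
    """Map the deviation pattern across dimensions to an attack type."""
    conns_z, ports_z = z
    if ports_z > k:
        return "scan"      # many distinct destination ports: scanning
    if conns_z > k:
        return "dos"       # connection burst on the usual ports: DoS-like
    return None

def evaluate(model, hour, sample):
    """Return (adaptive verdict, static-threshold verdict) for one sample."""
    adaptive = classify(z_scores(model, hour, sample))
    static = "dos" if sample[0] > STATIC_THRESHOLD else None
    return adaptive, static
```

A burst of 300 connections at 03:00 is far outside that hour's baseline and is flagged by the model, while the static threshold stays silent until the count passes 1000.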

The X-Series

Scales Up to Multiple CPU

[Diagram: X-Series system with a Control Plane, Service Plane and I/O Plane; interface modules and processing modules, each processing module with its own Control Plane and Data Plane]

Fully-Redundant Design Guarantees High Reliability

[Diagram: Control Plane, Service Plane and I/O Plane with redundant interface modules and processing modules]

• The system I/O is independent of the data processing hardware

• The software and hardware for the system control and data control are independent of each other

Fault Tolerant

[Diagram: fault tolerance across Control Plane, Service Plane and I/O Plane with IOM and SCM modules (numbered steps 1–7)]

SCM Scalability

[Diagram: adding SCM modules to the Service Plane alongside the IOM modules in the I/O Plane]

I/O Scalability

[Diagram: adding IOM modules to the I/O Plane alongside the SCM modules in the Service Plane]

Fully Distributed FW Processing

[Diagram: slow path and fast path distributed across IOM and SCM modules]

Data Center Firewall: How to Distribute State Information

Conventional Distributed Processing Architecture

• Shared Distributed Architecture: RTO is processed by a single module

• Replication-based Distributed Architecture: RTO is replicated by all the modules synchronously

Drawbacks of the conventional approaches: limited performance, poor scalability, single point of failure, high cost

Data Center Firewall: Innovative Elastic Firewall Architecture

• Up to 360 Gbps and 120 million concurrent connections

• Unique and patented resource management algorithm

• Scales performance linearly with an increasing number of SSM modules.

• Ideal for virtualized cloud deployment

Elastic Firewall Architecture: distributed RTO processing across multiple SSM modules eliminates performance bottlenecks; the elastic architecture offers greater scalability

Virtualization Technology

Hillstone Virtual Appliance & Solution

Hardware form factor: X series, M series
Virtualization form factor: virtual appliance vFW; virtual appliance vEFA (vSCM, vSSM, vIOM)

• Public Cloud: security managed by tenants, VPC, North-South

• Private Cloud: SMB, simple deployment

• Private Cloud: East-West security

• Public Cloud: security infrastructure

North-South access control in a VPC environment: provide a vFW or vSYS for each tenant

East-West security protection in the data center: vEFA

FWaaS Solution 1: Hardware + vSYS

[Diagram: data center orchestration and SDN over servers, storage and network; an X series hardware firewall exposes vsys1, vsys2 and vsys3 through an API (networking, security)]

FWaaS Solution 2: vFW

[Diagram: data center orchestration and SDN over servers, storage and network; vFW1, vFW2 and vFW3 virtual firewalls controlled through an API (networking, security)]

vEFA – Virtual Elastic Firewall Architecture

• Virtual Firewall for the Data Center

• Performance and capacity scale with CPU

• Redundant and Fault Tolerant: HA & ISSU

[Diagram: Hillstone X7180 360G FW chassis alongside cloud orchestration]

vEFA

Built on top of proven, distributed, patent-pending firewall architecture

• Control Plane: Global Session Mgr, Fully Redundant

• Security Plane: Content Security, Elastic Scaling, Fully Redundant

• Data Plane: Firewall, Elastic Scaling, Fully Redundant

vEFA Virtual Chassis

‐ NGFW functionality

‐ On-demand scalability

‐ Unified Management

‐ Openstack driver

‐ RESTful API for customized integration

‐ Multi-tenant support (VSYS)

Management Integration – OpenStack Certified

[Diagram: OpenStack Dashboard with a vendor feature plugin; Nova and Quantum (Nova networking, virtual network service with a vendor VNS driver) over the compute/storage infrastructure; FWaaS, VPNaaS and L2/L3 services delivered by the vendor product in the network and security infrastructure]

OpenStack Integration

                    HW FW + vSYS                          vFW
Solution            One vSYS for each tenant              One vFW for each tenant
Resource            Managed by HW FW                      Managed by Cloud Orchestration
Management UI       vSYS UI                               vFW provides standard FW management
Tenant Separation   N/A                                   Separate virtual machine for vFW
Performance         Dedicated HW, performance guarantee   Depends on size of VM for the vFW

Tenant creates a virtual gateway on the OpenStack Dashboard

Every virtual gateway can be a software vFW, or a vSYS in a hardware firewall

Thank you!