
WHITE PAPER

Securing the Intelligent Network

Figure 1. Security in the network

[Diagram: branch offices, a home office and the data center connected over the WAN to the corporate network. Each site passes its traffic through WAN optimization, a VPN gateway, IDS/IPS and a firewall; the data center additionally places content security at the WAN edge and application delivery controllers (ADCs) behind its firewalls.]

New Threats Demand New Strategies

The network is the door to your organization for both legitimate users and would-be attackers. For years, IT professionals have built barriers to prevent any unauthorized entry that could compromise the organization's network. Figure 1 shows a typical security implementation designed to protect and connect multiple parts of a corporate network. What constitutes "network security" is constantly evolving, driven by traffic growth, usage trends and the ever-changing threat landscape. For example, the widespread adoption of cloud computing, social networking and bring-your-own-device (BYOD) programs is introducing new challenges and threats to an already complex network. Despite this tumultuous environment, IT departments are tasked with architecting a network capable of defending against known threats, quickly deploying new services and scaling with changes in demand.


Figure 2. New malware reported by McAfee

[Chart: number of new malware samples identified per quarter, Q1'10 through Q3'12, on a scale from 0 to 10,000,000.]

According to published McAfee* reports, the cumulative number of malware samples catalogued by McAfee topped a staggering 100 million in the fall of 2012.1 Figure 2 depicts the number of new samples McAfee identified each quarter from 2010 through 2012. The same report highlights three further trends transforming security: the type and sophistication of modern malware is becoming increasingly diverse; the objectives of attacks are changing, ranging from industrial espionage to ransom demands to damaging infrastructure; and the growth and accessibility of social networks make it easier for would-be attackers to exchange and distribute malware.

The combination of these malware trends with the IT challenges described above has changed the way network infrastructures are architected and secured. Networks have expanded to the point that a hard network perimeter no longer exists. Unable to rely on a defense-only strategy, IT departments must architect their security infrastructure on the assumption that an attack will get inside the network, which means building for near real-time detection of intrusions rather than for prevention alone.

Enabling Line-Rate Inspection

The first step in preventing an attack is to inspect traffic before it enters the corporate network. This means looking beyond the packet header into the contents of the packet: once the layer 7 application data is reached, it can be matched against a defined pattern set, inspected for malicious signatures or used to extract pertinent metadata. This process is known as deep packet inspection (DPI). In many cases outbound traffic must be analyzed as well, both to detect attacks that originate inside the network and to keep sensitive data and intellectual property from leaving it. It may therefore be necessary to deploy DPI at both internal and external entry points to the network. One caveat applies throughout: DPI can only match what it can read, so encrypted flows (TLS, for example) must either be terminated at the inspection point or be classified from headers and flow metadata alone.

Implementing DPI-enabled protection is challenging because of the computational resources it requires: every byte of payload in a flow must be checked against the full signature set, so the cost scales with traffic volume rather than with packet count. If the packets within a flow are not inspected quickly, application latency increases and the inspection point becomes a network bottleneck. DPI can be implemented in software running on existing platforms, or by offloading packets to DPI-specific hardware. Intel believes software-based DPI to be the better choice for several reasons. Intel executes to a proven roadmap, and the tick-tock development strategy delivers processors with consistent performance increases at a predictable cadence. Coupled with recent advances in packet processing performance on Intel architecture (IA), an optimized software-based approach provides a cost-effective and scalable DPI solution with the flexibility to evolve as security requirements change.
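As an added example (written for this page, not code from the white paper, Wind River or Intel), the following Python sketch shows what the DPI step described above amounts to in practice: walk past the IPv4 and TCP headers to the layer 7 payload, classify the flow as inbound or outbound, run the payload through a multi-pattern matcher built as an Aho-Corasick automaton (a single pass over the bytes no matter how many signatures are loaded, which is what keeps the per-packet cost bounded), and pull HTTP metadata (method, path, Host) for flow visibility. The signatures, the 10.0.0.0/8 internal range, the addresses and the HTTP requests are all constructed for the example, and checksums are left at zero because nothing here validates them.

```python
import ipaddress
import struct
from collections import deque

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: "the corporate network"


class PatternSet:
    """Aho-Corasick automaton: one pass over the payload finds every loaded pattern."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [[]], [0]  # transitions, outputs, failure link per state
        for pat in patterns:
            state = 0
            for byte in pat:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append(pat)
        queue = deque(self.goto[0].values())  # breadth-first so failure links point at finished states
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]  # a match implies its suffix patterns too

    def scan(self, data):
        """Return (offset, pattern) for every occurrence, overlapping ones included."""
        hits, state = [], 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits.extend((i - len(pat) + 1, pat) for pat in self.out[state])
        return hits


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed sample traffic: minimal IPv4 + TCP (PSH/ACK) headers, checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload


def parse_ipv4_tcp(frame):
    """Walk the headers to the layer 7 payload; None for anything that is not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total = struct.unpack("!H", frame[2:4])[0]
    src, dst = ipaddress.IPv4Address(frame[12:16]), ipaddress.IPv4Address(frame[16:20])
    tcp = frame[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def http_metadata(payload):
    """Metadata extraction for cleartext HTTP requests: method, path and Host header."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {}
    meta = {"method": parts[0].decode("ascii", "replace"), "path": parts[1].decode("ascii", "replace")}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            meta["host"] = value.strip().decode("ascii", "replace")
    return meta


# Constructed signature sets: one for traffic entering the network, one for traffic leaving it.
INBOUND_SIGS = PatternSet([b"../../", b"/etc/passwd", b"<script>", b"UNION SELECT"])
OUTBOUND_SIGS = PatternSet([b"CONFIDENTIAL", b"BEGIN RSA PRIVATE KEY"])


def inspect(frame):
    """Full DPI pass over one frame: headers, direction, signature matches, L7 metadata."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    outbound = src in INTERNAL and dst not in INTERNAL
    sigs = OUTBOUND_SIGS if outbound else INBOUND_SIGS
    return {"direction": "outbound" if outbound else "inbound",
            "src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
            "matches": sorted({pat.decode("ascii") for _, pat in sigs.scan(payload)}),
            "http": http_metadata(payload)}


# Constructed sample packets: a traversal attempt coming in, a leak going out, a clean request.
SAMPLE_INBOUND = build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40000, 80,
    b"GET /download?file=../../etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
SAMPLE_OUTBOUND = build_ipv4_tcp("10.0.0.5", "203.0.113.9", 51000, 80,
    b"POST /upload HTTP/1.1\r\nHost: paste.example\r\nContent-Length: 25\r\n\r\nCONFIDENTIAL: Q3 forecast")
SAMPLE_CLEAN = build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40001, 80,
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
```

Calling `inspect(SAMPLE_INBOUND)` reports an inbound flow matching both `../../` and `/etc/passwd` with the request's method, path and host; `inspect(SAMPLE_OUTBOUND)` reports an outbound flow matching `CONFIDENTIAL`. The automaton is the point: a naive scan that tries each signature in turn costs roughly payload length times number of signatures per packet, while the automaton reads each byte once, which is what a line-rate design has to rely on as the signature set grows.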

High Speed Content Inspection Software from Wind River*

Wind River now offers a comprehensive, optimized software platform that addresses the needs of network security infrastructures, with an increased focus on DPI workloads. Wind River Intelligent Network Platform (INP) contains a Content Inspection Engine and a Flow Analysis Engine, both optimized specifically for Intel® architecture platforms. Wind River* Content Inspection Engine provides a software pattern-matching solution that scales from 1 Gbps to 160 Gbps depending on the number of processor cores used. Complementing this technology, Wind River* Flow Analysis Engine provides a decoding engine, protocol libraries and advanced metadata extraction to deliver real-time visibility of network traffic. Through the combination of high-performance packet processing, optimized DPI and enhanced metadata extraction, Wind River INP paired with Intel architecture platforms enables a security solution that can perform content-aware flow classification and intrusion detection at line rate.

Figure 3. Intel architecture performance tracked against traffic growth

[Chart: growth multiples from 0.0X to 14.0X over 2009 through 2012 for business, mobile, internet and total traffic per month, plotted against Intel® Architecture layer 3 forwarding (L3 Fwd) performance.]

40G Packet Processing and Beyond

The last five years have seen staggering growth in network traffic, and Intel expects that increasing adoption of network-attached mobile devices will accelerate that growth further. Increased traffic puts tremendous stress on the underlying network infrastructure. Figure 3 shows how Intel micro-architecture performance has outpaced business, mobile, internet and total traffic growth over the past four years. While today's networks may mix several architectures within a single infrastructure, it is becoming increasingly apparent that mixed-architecture infrastructures are prohibitively expensive to optimize and maintain because of the expertise required for the various platforms, operating systems and vendor-specific technologies. Intel's 4:1 workload consolidation strategy enables the move from multiple hardware architectures onto a single architecture platform such as the Intel Communications Infrastructure Platform.

The Intel® Data Plane Development Kit (Intel DPDK) has been a key ingredient in unlocking the packet processing performance required to make workload consolidation on IA a reality. Intel DPDK provides a comprehensive set of software libraries and example code that optimize packet processing on Intel architecture. The DPDK libraries give applications direct, optimized access to the data plane: user-space poll-mode drivers bypass the kernel network stack, avoiding interrupt handling and costly context switches and significantly improving performance. The performance these libraries enable has transformed the perception of what workloads general-purpose processors can handle. Where they were once relegated to application and control-plane workloads, Intel® processors can now process packets at line rate.

Driving Security to the Hardware Level

To further optimize performance and increase security, Intel® platforms also include several complementary security technologies built into multiple platform components, including the processor, chipset and network interface controllers (NICs). These technologies provide low-level building blocks on which a secure, high-performing network infrastructure can be built and sustained. They include Intel® Virtualization Technology, Intel® Trusted Execution Technology and Intel® QuickAssist Technology, the last of which offloads cryptographic and compression work from the cores.

Virtual Appliances

With a focus on energy conservation and cost control, enterprises continue to virtualize an increasing number of servers as well as their data center infrastructure. This trend has a ripple effect on security appliances. An appliance that previously secured multiple physical servers must now secure one server running an increasing number of virtual machines (VMs). Simply put, physical appliances were not designed to inspect traffic that passes between VMs through a hypervisor on the same host and never crosses a physical wire. And whereas server workloads can tolerate a certain amount of latency, a security appliance can never be allowed to become a bottleneck in the network infrastructure.

A key premise of virtualized environments is that each virtual machine behaves as though it were a physical machine with control over its own physical and logical resources, and each VM acts as though it is protected from the others. In reality multiple VMs share one physical appliance, and without hardware support only a layer of software separates the contents of one VM from another. Intel Virtualization Technology (Intel VT) strengthens virtual appliances through hardware "hooks" that enforce the separation of VMs and workloads on a shared platform, moving part of the isolation burden off the software layer and into the hardware. Intel VT can also give a VM direct access to hardware resources such as a NIC without the latency of passing every packet through the hypervisor. Because the hardware (the IOMMU in Intel VT for Directed I/O) confines a directly assigned device's DMA to the memory of the VM that owns it, the hypervisor can be bypassed on the data path without giving rogue software in one VM a way to manipulate another. Used where it fits, this bypass increases throughput without sacrificing the hypervisor's value-added features.

Making Secure Clouds a Reality

Analysts project that IT spending will increase slightly in 2013, and this increase is largely attributed to cloud computing. Over half of IT organizations plan to increase their spending on cloud computing to make more flexible and efficient use of their IT resources.2

Intel Trusted Execution Technology (Intel TXT) is designed to harden platforms against hypervisor, firmware, BIOS and system-level attacks in virtual and cloud environments. It does so by measuring these software components at launch time and checking their integrity against known-good values, so that a launch proceeds only if the software has not been altered from its expected state. The measurements are recorded in the platform's Trusted Platform Module (TPM), which gives higher-level security and management software the platform-level trust information it needs to enforce policies such as placing sensitive workloads only on verified hosts. Intel TXT enforces control through measurement, memory locking and the sealing of secrets, resulting in an isolated launch-time environment. It works cooperatively with Intel Virtualization Technology (Intel VT). One caveat for practitioners: TXT establishes trust at launch; it does not by itself detect code that is modified after launch, so it complements rather than replaces runtime monitoring.
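To make the measure, extend and seal mechanism concrete, here is an added Python simulation of a measured launch. It is example code written for this page, not Intel's TXT or any TPM implementation, and it is simplified: real TXT records measurements in TPM platform configuration registers, and TPM sealing binds data to PCR values through the TPM's own key hierarchy rather than the HMAC construction used below. Each launch component is hashed; each hash is folded into a register with the TPM extend rule, PCR_new = SHA-256(PCR_old || digest), so the final value depends on every component and on their order; the launch policy is a set of known-good register values; and a secret is sealed to the expected value so it can only be recovered when the measured state matches. The component names and contents, the all-zero initial register value and the policy are constructed assumptions.

```python
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # assumed starting value of the register (simulation only)


def measure(blob):
    """Measurement = digest of the component exactly as it is about to execute."""
    return hashlib.sha256(blob).digest()


def extend(pcr, digest):
    """TPM extend rule: the register can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + digest).digest()


def measured_launch(components):
    """Measure an ordered chain of (name, bytes); return (event log, final register value)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return log, pcr


def replay_log(log):
    """What a verifier does with an attested event log: recompute the register to compare."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def launch_allowed(pcr, policy):
    """Launch control policy: proceed only if the measured state is one the owner approved."""
    return pcr.hex() in policy


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret, expected_pcr):
    """Bind a secret to a register value: encrypt-then-MAC under keys derived from it."""
    enc_key = hmac.new(expected_pcr, b"seal/enc", hashlib.sha256).digest()
    mac_key = hmac.new(expected_pcr, b"seal/mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob, current_pcr):
    """Recover the secret only if the current register equals the one it was sealed to."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(current_pcr, b"seal/enc", hashlib.sha256).digest()
    mac_key = hmac.new(current_pcr, b"seal/mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong measured state or tampered blob: the secret stays sealed
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Constructed launch chains: identical firmware, a clean and a modified hypervisor.
GOOD_CHAIN = [("firmware", b"firmware build 1.0"), ("hypervisor", b"hypervisor build 7")]
BAD_CHAIN = [("firmware", b"firmware build 1.0"), ("hypervisor", b"hypervisor build 7 + implant")]

if __name__ == "__main__":
    log, good_pcr = measured_launch(GOOD_CHAIN)
    policy = {good_pcr.hex()}  # the owner approves exactly this measured state
    sealed = seal(b"vm-disk-encryption-key", good_pcr)
    _, bad_pcr = measured_launch(BAD_CHAIN)
    print("clean launch:", launch_allowed(good_pcr, policy), unseal(sealed, good_pcr))
    print("modified launch:", launch_allowed(bad_pcr, policy), unseal(sealed, bad_pcr))
```

Run stand-alone, the clean chain is allowed and unseals the key; the chain with the modified hypervisor produces a different register, is refused by the policy, and cannot unseal anything. `replay_log` is the other half of the picture: a remote verifier that receives the signed register value and the event log recomputes the chain to confirm that the log explains the value, which is how the "platform-level trust information" above reaches higher-level policy software.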

Figure 4. Intel TXT with Intel VT enables secure virtualization

[Diagram: VM1 and VM2 running above a hypervisor layer, with Intel® VT and Intel® TXT in the platform beneath it.]

Meeting the Security Needs of the Intelligent Network

In today’s networks, security threats are constantly evolving, often resulting in loss of data, time and money. While new technologies and applications can provide significant business benefits, they also increase the ways in which malicious code can enter the network. IT departments are tasked with outpacing these threats by architecting a secure network capable of quickly deploying new services that can easily scale with changes in demand.

A new generation of security appliances is emerging. These devices perform cryptography, inspect packet content, extract metadata, and analyze traffic flows. These appliances are transitioning away from purpose built architectures onto general purpose processors. Today’s security appliances are built on Intel architecture.

To further optimize performance and increase security, Intel platforms also integrate several complementary security technologies like Intel Virtualization Technology and Intel Trusted Execution Technology. These technologies are designed to harden platforms against hypervisor, firmware, BIOS, and system level attacks in virtual and cloud environments. These technologies will continue to evolve, ensuring Intel platforms continue to provide unique value that enhances the user experience.

Additional Resources

Wind River INP: http://www.windriver.com/whitepapers/deep-packet-inspection/Content_Inspection_Engine_WP.pdf

Intel Data Plane Development Kit: www.intel.com/go/dpdk

Intel Virtualization Technology: www.intel.com/go/virtualization

Intel Trusted Execution Technology: www.intel.com/txt

Intel Platform for Communications Infrastructure: www.intel.com/go/commsinfrastructure

For more information on Enterprise security solutions please visit www.intel.com/go/commsinfrastructure


1 McAfee Threats Report: Third Quarter 2012. http://www.mcafee.com/

2 ComputerWeekly.com: 2012-2013 IT Budget Benchmark. http://www.computerweekly.com

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel® products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel® products, visit Intel® Performance Benchmark Limitations: www.intel.com/performance/resources/benchmark_limitations.htm.

Contact your local Intel® sales office or your distributor to obtain the latest specifications and before placing your product order.

* Other names and brands may be claimed as the property of others.

Copyright © 2013, Intel® Corporation. All rights reserved.

Printed in USA MS/VC/0213 Order No. 328647-001US