AN139 VortiQa Software for Enterprise SMB Residential Network

TM

Freescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2009.

VortiQa Software for Enterprise / SMB / Residential Networking EquipmentSatish Swarnkar, Director of EngineeringPravin Kantak, Engineering ManagerSoftware Products Division, Networking and Multimedia Group

July 2009

TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2009.

► VortiQa software:a new brand of Freescale software for networking equipment that helpsaccelerate product development and increase the pace of innovation

► Four new VortiQa product lines of production-ready software applications:• VortiQa software for service provider equipment• VortiQa software for enterprise network equipment• VortiQa software for small business gateways• VortiQa software for SOHO/Residential gateways

► A comprehensive solution-centric approach for networking applications in targeted vertical segments:

• Silicon – QorIQ™ and PowerQUICC® communications processors• Software – VortiQa software products• Expanded Ecosystem - hardware, OS, ISVs, system integrators

VortiQa Software – Announced on June 15, 2009

\vór · ti · ka\: A whirlwind of innovation

TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2009. 3

Challenges for Network Equipment Vendors

► Complex networks need rich and comprehensive security solutions

• Threats on rise• Need unified threat management

solution with firewall, IPS, Anti-X and secure VPN and with fine-grained access control to:

Prevent attacksEnsure data confidentialityPrevent viruses and stop spam

► Performance• Threats from within the core (inside)

and from external world raise the bar on performance requirements with Gigabit speeds of traffic

► Complex multicore silicon needs highly optimized and tuned software solution in short time frame

• For faster time to market

► Potpourri of software stacks and products makes maintenance difficult

INTERNET

MALICIOUS HACKERS

VortiQa software offers:• Protection from external and internal attackers•Stateful Protocol Analysis with ability to detect and prevent the attacks

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential

CENTRAL SERVICES

FINANCE SUBNET

MARKETING SUBNET


Challenges for Network Equipment Vendors

► Complex networks need rich and comprehensive security solutions

• Threats on rise• Need unified threat management

solution with firewall, IPS, Anti-X and secure VPN and with fine-grained access control to:

Prevent attacksEnsure data confidentialityPrevent viruses and stop spam

► Performance• Threats from within the core (inside)

and from external world raise the bar on performance requirements with Gigabit speeds of traffic

► Complex multicore silicon needs highly optimized and tuned software solution in short time frame

• For faster time to market

► Potpourri of software stacks and products makes maintenance difficult

INTERNET

MALICIOUS HACKERS

VortiQa software offers:• Protection from external and internal attackers•Stateful Protocol Analysis with ability to detect and prevent the attacks

DoS Attacks

ApplicationAttacks

OS Finger Printing Attacks

Anti-NIDSAttacks

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential

CENTRAL SERVICES

FINANCE SUBNET

MARKETING SUBNET

Insider Attacks

Trojan Attack

Dishonest Employee

Application security hole:

Patch not applied

App security hole:Patch unavailable


VortiQa Software for Network Equipment

► VortiQa software for Enterprise, SMB and Residential network equipment

• Unified Threat Management system is defined as an integrated network security device implementing:

FirewallIntrusion PreventionNetwork Anti-VirusIPsec VPNTraffic Management (TM)

• High performance solution in a System

• Completely leveraging hardware featuresSEC, PME, Quick Engine etc.

• Field Proven Solution with ecosystem support

• Faster time to market

• Engineering Support teams supporting Customer’s engineering teams


VortiQa Software Products OverviewDelivers integrated networking and security functionality

Freescale Silicon

Example Applications

Key Features

Software for Service Provider Equipment

QorIQ™ processors(P4080)

Multi-service edge routers, Switches, Wireless infrastructure, security gateway

Networking protocolsL2 or L3 Stateful Packet Inspection Firewall, NATIPSec VPN + IKEv1 + IKEv2Stateful deep packet inspection:

• P2P filtering• Protocol Anomaly• Traffic Anomaly

QoS / Traffic Management

Software for Enterprise Equipment

PQIII® and QorIQ™processors(8377E, 8572E, P2020, P4080)

Enterprise UTM, security appliances, secured routers and switches

Networking protocolsL2 or L3 SPI Firewall support IPSec Enterprise VPN + IKEv + IKEv2Stateful deep packet inspection:

• P2P filtering• Protocol Anomaly• Traffic Anomaly

QoS / Traffic ManagementAnti-Virus and Anti-SpamHA Support

Software for Small Business Gateways

PQIII® and QorIQ™processors(8377E, P2020)

Multi-service business gateways

Networking protocolsAdvanced IPSec VPN + IKE supportsSPI Firewall + Advanced NAT features + Dual WAN with

“Load balancing / Fail Over”Optional service provider provisioning

Software for SOHO / Residential Gateways

PQIII® and QorIQ™processors(8315E, 8314E, P1020)

xDSL, PON, FTTH, and other CPE devices

Networking protocolsSPI Firewall + NAT + Residential GatewayIPSec VPNOptional service provider provisioning


QorIQ P4PRODUCTS:P4080

QorIQ P3

QorIQ P2PRODUCTS:P2020P2010

QorIQ P1PRODUCTS:P1020P1010P1011

How QorIQ Platforms and VortiQa Products Align

QorIQ P5

Radio Network Control

Serving Node Router (GSN)

Metro Carrier Edge Router

IMS Controller

Access GatewaySSL, IPSec, Firewall

Converged Media Gateway

Unified ThreatManagement

BasestationWireless MediaGateway

VoIP Carrier-Class Media Gateway

Home MediaHub

NetworkAttached Storage

Integrated Services Router

Service ProviderRouters

NetworkAdmission Control

StorageNetworks

VortiQa Software

for ServiceProvider

Equipment VortiQa Software

for Enterprise Equipment

VortiQa Software for

Small/MediumBusiness Gateways

VortiQa Software for

SOHO/Residential Gateways

VortiQa™Software ProductsQorIQ Platforms/Products


Architecture: VortiQa Software for Enterprise Network Equipment


Architecture: VortiQa Software for Enterprise Network Equipment

•SPI Firewall

•Inline IPS

•IPSec VPN

•SSLVPN

•Anti-Virus

•Anti-Spam

•Routing

•QoS

•Transparent mode support

•High availability (active-backup)

•Clustering (active-active)

Ethernet, Bridging and WAN Protocols

Session Management and Packet processing

IPSec Packet Processing

Traffic Policing Traffic ShapingTraffic Shaping

Firewall Policy Mgmt

Transparent Proxy

Support

Application Level

Gateway

Intrusion Detection/ Prevention

EngineTCP/ IP

Drop-in Clustering

Kernel Space

Ethernet Controllers Crypto Acceleration Pattern Matching Acceleration

Hardware Layer

SSLVPN

Reverse Proxy

Socks App Tunnel

L2 Tunnel

Portal

AV/AS

SMTP/S Proxy

POP3/s Proxy

HTTP Proxy

FTP Proxy

AV DB

AS DB

IKEv1/v2

PKI (SCEP, OCSP, LDAP)

XAUTH, EAP

IRAC

IRAS

AuthenticationServices

LDAP Client

RADIUS Client

Local

IPS Manager

CMS/Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP

User Space


Firewall Architecture

► Stateful inspection firewall • Defense against DoS & DDoS

attacks• Security Access Policy enforcement• Application level filtering & cookie

filtering• Event logging (SMTP client, syslog

client)► Comprehensive configuration

• Granular, user specific policiesTraffic type, protocol/port, Source/ destination, time of the day, as well as authentication based access

• System-wide policies► Comprehensive NAT w/ ALGs

• ALGs (application layer gateways)Enterprise Application – SQL*NetCommunications – SIP, MSNStandard Protocols - FTP

Administration Management Engine

Syslog Support Email Export log Web Based Configuration CLI

Event Log Network Access Policy Manager

Smurf

Ping of Death

Reassembly AttacksIP Spoofing

WinNuke Land ICMP Redirects IP Source Routing

DoS Attacks

Network Access Statistics Application Specific Content Filtering

NAT withALG

Support

Network Access Policy Engine

User Specific Access Policies

System –Wide Access Policies

DynamicRemote

User Access

Weekly ActivationSchedule

Stateful Inspection Engine

CyberDefense Engine ™


IPS Architecture► Freescale Inline IPS sensor

• Advanced detection techniques with stateful application intelligence

Greater accuracy over traditional IPSReduced false positives & High performance

• Protocol anomaly detection► Embedded Manager

• Comprehensive configuration capabilities with support for rule editing

• Extensive Reporting► Centralized signature updates

• Freescale produces IPS signature updates

• Provides centralized update capabilities

Inline IPS Manager and Administration Management

Rule Parsing Engine

Stateful Application Engine

POP3 Engine IMAP Engine SNMP Engine

NNTP EngineAPC EngineFTP Engine

HTTP Engine SMTP Engine DNS Engine

TCP Resequencing Traffic Anomaly

IP Layer EngineTransport Layer Engine

(TCP,UDP, ICMP)

Content Search Engine

Session Classification

EngineIP

Reassembly

Cyber DefenseEngine


IPsec VPN Architecture

►Proven interoperability • Time tested in the field

►VPN protocol support• Layer 3: IPSec, IKEv1 and v2• Layer 2: PPTP and L2TP• PKI and Certificates: Support

for X.509v3 including SCEP, OCSP, PKCS 7,10 and LDAP client for CRL retrieval

►Advanced Features• Granular policy management

for specific protocols• DPD(Dead peer detection),

DPTD (Dead peer tunnel detection)

• NAT traversal• Hardware encryption

accelerator support

Physical Layer

RADIUSClient

LDAPClient

OCSPClient

SECPClient

XAuth NGM Mode ConfigIKE Policy Manager

Certificate Manager

IKE-IPSec APIs

EAP

BSD Sockets ISecPDri IPsecDrv

TPSec Engine

SPDSAD

MKMDAH/ESP

IP Layer

UDP Interface ICMP Interface

Public Key Crypto APIs Symmetric Key Crypto APIs

SKEP Driver

Software Crypto Library

Public KeyEncryption Processor

Symmetric Key Encryption ProcessorLink Layer

Inline A

ccelerator Interface

IPSec APIs

IKEv1 and V2 Engine

Software CryptoLibrary

PKEP Driver

Physical Layer


Packet Tap – Interface with Linux®

►Packet Reception• VortiQa software registers to pre-routing

netfilter hook• Hardware interrupt context, Packets

queued to CPU specific queues at dev layer

• Hardware interrupts acked immediately• Either Hardware Interrupt or Ksoftirqd

executes RX_PACKET softirq routine• TCP/IP, VortiQa software code are

executed in the context of Hardware Interrupt Or ksoftirqd

• No blocking calls in VortiQa software code• Local out packets are collected at

Post-Route hook►Packet Transmission

• VortiQa software utilizes Linux TCP/IP route lookups, interface related API

• VortiQa software invokes IP layer Transmit routine directly to send out packet on a given interface

VortiQaSoftware

TCP/IP

NetFilterHooks

Socket Layer

Dev Layer

Ethernet / WAN Drivers

Networking Hardware


Packet Processing Control Flow

► VortiQa software modules IPsec-VPN, IPS, Traffic Mgmt register with Firewall ecosystem

► VortiQa software Core Security Module – Firewall captures packets from TCP/IP stack

► After firewall functionality (Policy Enforcement, Attack verifications) done, Firewall Eco-system dispatches packets to registered modules in priority basis

► IPsec-VPN, IPS may use their Hardware Eco-system interface to utilize Hardware Accelerator services

► Each module may consume or return packets to Firewall Eco-system

► Firewall Eco-system finally dispatches packets out

SSLVPN AntiX

Linux® TCP/IP Stack

Firewall with Eco-system Interface

TrafficMgmt

IPS IPsec VPN

HW Accelerator Eco-System

Glue Layer

HW Accelerator

► Accelerators• IPsec/IKE: Crypto Accelerators

Plain CryptoIHAPPIIn-linePKI

• IPS: Pattern Matching AcceleratorsDFA


Packet Processing Control Flow (Cont…)

►Typical data packet processing flow:

• Traffic Policing*• Firewall• IPS*• AV/AS *‡• IPsec*• Traffic Shaping*

Note:* Enabled through configuration‡ Supported protocols: HTTP, SMTP & POP3

Ingress Egress

TrafficPolicing

Firewall IPsec

TrafficShaping

IKEv1/IKEv2

AV/AS

SSLVPN

IPS


Management Infrastructure

Management APIs

CLI WebGUI CMS LDSV SNMP

Character Pseudo-driver Loopback SocketsIPC/Wrapper Layer

KernelModules

User landModules

• All management applications use the same management APIs

• Kernel space modules make their management APIs available through pseudo-driver IOCTL/Command IDs.

• User land processes make their management APIs available through wrapper layer over loopback sockets

• IPC/Wrapper layer transports the configuration commands appropriately to kernel/user space modules

• As kernel space APIs may modify the data structures used by packet path, proper synchronization should be implemented

• On a SMP architecture, spinlocks are used to protect configuration changes


Performance Consideration


Performance & Security Requirements

►Requirement• Perimeter – threats emerging from public Internet• Core – threats emerging from internal protected networks

Gigabit Ethernet ports connecting to desktops and servers• L3 switches providing security

►Performance issues• Deep packet / data inspection and protocol inspection• Traditional specialized ASIC providing data path solution are not

sufficient• Critical performance metrics: Throughput, Latency and Session rate


Symmetric Multiprocessing in Multicore Silicon

►Symmetric Multi-Processing (SMP) Usage

• Improve performance using Linux® SMP architecture

• Multiple processor usage by VortiQa™ software for enterprise Linux Kernel components

• Multiple pthreads in user level process

• Load DistributionCPU affinityReceive Side Scaling

Linux Interrupt Scheduler

NetworkControllerNetwork

ControllerNetworkControllerNetwork

Controller

VortiQa™Software

Processor 3

VortiQa™Software

Processor 2

VortiQa™Software

Processor 1

VortiQa™Software

Processor 0


Hardware Accelerators

►Accelerators Usage• Improve performance with offloading

repetitive CPU intensive tasks• VPN: Crypto accelerators

Plain Crypto AcceleratorsIHAPPIInlinePKI Accelerators

• Firewall: Data path acceleratorTable Look upQuick Engine

• IPS: Regular expression pattern match accelerators.

• IPS: Providing pre-screening capabilities in the data path

IPS IPsec VPN

HW Accelerator Eco-System

Glue Layer

HW Accelerator

Firewall


Software Optimization Techniques► Data structure design for search operations

• Session SearchHash listsNumber of buckets tunableLinked list and binary tree for collision elements

• Instance searchIndex based ( No linked list or array searches)

• Rule categorization (In IPS) is based on transport, application protocol and protocol stages► No buffer copy► ePoll (instead of poll/select) usage in socket based applications

• State machine oriented – Multiple sessions in one thread► Avoids memory allocations in the data path► Efficient code and data cache usage► SMP

• Minimum number of SMP locks in data path around granular code.• Session Parallelization

Only one processor at any time processes firewall, IPS or VPN sessions.Packets are queued to backlog queue of each session by other processors during this time.

• No binding of processor to the sessions. • Runs most of packet processing in softirq context to reduce the context switches.


Comprehensive VortiQa Software Solution and Deployment Scenarios


Enterprise Deployment

MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server

Other Internal Users

MARKETING SUBNETMarketing Users

Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQa™ Software

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE

Policies for individual security domainsPolicies for Individual usersPolicies for user groups

•Allow remote access•Allow access to web server•Deny access to finance server•Deny access to confidential data

Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet



MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server



Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQa™ Software

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE



Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet

MPC8572E

Up to 1500MHz Dual- e500 core; 1MB L2, 800 Mhz DDR2/3, PCI-Express, 4xGbE, USB

SRIO, Security



MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server



Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQa™ Software

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE



Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet

P4080E

Up to 1500MHz 8 Cores; 1 MB L2, DDR2/3, PCI-Express, 10G/GbE, USB

DPAA, Security



MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server



Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQa™ Software

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE



Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet

MPC8548

Up to 1500MHz Single Core; 512KB L2, DDR2/3, PCI-Express, 4xGbE, USB

SRIO, Security



MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server



Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQa™ Software

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE



Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet

MPC8315

400MHz2 x GigE (SGMII)

PCI, PCI-ExpUSB, DDR1/2,

Security<2.0W @ 400MHz


Datacenter Deployment

Server Farm

Aggregation SwitchesWith VortiQa Software Core Switches

With VortiQa™ Software

Internet



Server Farm



Internet

P4080E

Up to 1500MHz 8 Cores; 1 MB L2, DDR2/3, PCI-Express, 10G/GbE, USB

DPAA, Security



Server Farm



Internet

MPC8572E

Up to 1500MHz Dual- e500 core; 1MB L2, 800 Mhz DDR2/3, PCI-Express, 4xGbE, USB

SRIO, Security



Server Farm



Internet


SMB Deployment

Internet

SMB Network

Branch Office

VPN Tunnel

Telecommuters & Road Warriors

VortiQa Software for Enterprise Networks


SMB Deployment

Internet

SMB Network

Branch Office

VPN Tunnel



MPC8378E MPC8377E

400-667MHz2 x GigE (SGMII)

PCI , PCI-ExpUSB, DDR1/2,

Security, SATA<5.0W @ 667MHz


SMB Deployment

Internet

SMB Network

Branch Office

VPN Tunnel



P2020

Dual e500 Core, 800 - 1200 MHz512 KB L2 Cache


SMB Deployment

Internet

SMB Network

Branch Office

VPN Tunnel




Summary and Q&A


Summary

►VortiQa software on QorIQ™ and PowerQUICC® processors

• Answer to challenges faced by the network equipment vendorsGuard against elevated and sophisticated threats.Highly optimized & performance tuned solution to get the most out of silicon & its capabilitiesAccelerate time to market with a comprehensive system solution – not just silicon or softwareSupport from the developers who have experience with silicon and software

• Expanded ecosystem working with independent vendors


Q&A

►Thank you for attending this presentation. We’ll now take a few moments for the audience’s questions and then we’ll begin the question and answer session.

TM

AN139 VortiQa Software for Enterprise SMB Residential Network

Documents