Hillstone Technology Introduction - dl.arka.irdl.arka.ir/brochures/hillstone/Hillstone Technology Introduction.pdf · Network Behavior Collection ... vIOM • Public Cloud: Security

Jun 24, 2018

Page 1

www.hillstonenet.com

May 2015

Hillstone Technology Introduction

Timothy Liu

Page 2

Product Portfolio

Next-Gen Firewall: E Series

Intelligent Next-Gen Firewall: T-Series

Data Center Firewall: X-Series

Analytics (on VM or standalone): HAS-3/5/10

Centralized Security Management: HSM-200

Virtual Firewall (vFW)

Virtual Elastic Firewall Architecture (vEFA)

Page 3

1. Hardware

2. StoneOS

3. T Series

4. X Series

5. Virtualization

Page 4

The Hardware

Page 5

New Generation of Hardware Architecture

G1 – x86, G2 – NP/ASIC, G3 – Multi CPU & Multicore

1st Gen – x86: insufficient processing power

2nd Gen – NP/ASIC: no application layer capability; limited bandwidth between processor and ASIC/NP

3rd Gen – Multicore: multiple CPUs, each with multiple cores; dedicated application acceleration hardware; up to 960G switch fabric

(Diagram: a first-generation box with x86 processor, RAM, HDD and NICs; a second-generation box with x86 processor, RAM, HDD and an NP/ASIC with its own RAM attached over PCI / PCI-E)

Page 6

Hillstone Innovation

• 2007-2008: First in industry with a security appliance based on a multicore CPU

• 2009: First in industry 10G Firewall

• 2010-2011: Distributed architecture based on multiple CPUs, 100G Firewall

• 2013: New heterogeneous architecture for Intelligent NGFW

Page 7

E Series – Single CPU

Multi-Core MIPS64 CPU (up to 32 cores)

(Diagram: CPU cores 0 to n connected through a switch fabric to GE and 10GE interfaces and storage)

Page 8

X-Series - A Distributed and Parallel Architecture

(Diagram: four multi-core MIPS64 CPUs, each with cores 0 to n, connected through a switch fabric to GE and 10GE interfaces and storage)

Page 9

T series

Multi-Core MIPS64 CPU (up to 16 cores) plus an X86 system

(Diagram: CPU cores 0 to n connected through a switch fabric to GE and 10GE interfaces, storage, and the X86 system)

Page 10

The Operating System

Page 11

StoneOS (High-Performance Integrated Solution)

Hillstone Integrated Defense for Businesses

(Diagram of the StoneOS layers: Multi-core High-Performance Hardware platform; 64-bit Concurrent OS; FW, IPS, AV, URL Filter, IPsec VPN & SSL VPN, QoS, Attack Protection, APP & User Id; Centralized Security Management (HSM))

Page 12

Advanced Full Parallel Architecture

Traditional Multi-core Architecture

Uses multi-core to handle packet forwarding

Only x86 can handle application processing

The same session cannot be distributed to all cores.

Multi-core is a cheap ASIC or NP replacement only.

Hillstone's Innovative Multi-core-Plus Architecture

All application processing is distributed to all cores evenly

One-pass processing without the CPU bottleneck

Page 13

Scalable Performance

(Chart: 64-byte throughput (Mbps), y axis 0 to 3500, against core count, x axis 0 to 18)

Page 14

Scalable Performance

(Chart: Ramp Up (session/sec) against core count, x axis 0 to 18)

Page 15

Cross Inspection

Deep Inspection

Cross Inspection: combines Deep Inspection with a user's application behavior for cross-analysis:

User state

Application state

Behavior state

Stream Based Processing

Page 16

Stream Engine

(Diagram: Packet In → Stream Engine, holding State Information → Packet Out)

• A Stream Engine is a node in a pipeline that processes incoming packets en route.

• It can be as simple as a packet counter or as complex as AV signature matching or traffic optimization.

• Compared to a fully proxied solution, it offers lower network latency, faster response time, and higher processing capacity.

Page 17

StoneOS Stream Engine

(Diagram: pipelines built from TCP Proxy, HTTP Decoder, MIME Decoder, Gunzip, PE Decoder, AV Scanning and IPS Scanning stream engines, with branches)

• Stream engine pipeline (a pipeline with branches)

• Different flows have different pipelines of stream engines depending on the policy configuration and the flow itself. For example, some flows will have a URL filtering stream engine while others will have an AV scanning stream engine.

• The stream engine pipeline can be dynamically adjusted depending on processing state information. For example, a new pipeline involving the gunzip stream engine will be added when the content is detected to be a gzipped file.
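As an added illustration of the branching pipeline described on this slide (example code written for this page, not StoneOS code; the engine classes, the gzip detection rule and the EICAR-TEST marker are constructed assumptions), a toy stream-engine pipeline that splices in a gunzip node when the HTTP decoder sees gzip content and scans the decompressed stream across packet boundaries:

```python
import gzip
import zlib

class Engine:
    """Pipeline node: keeps per-flow state, transforms bytes, may request a new node."""
    name = "engine"
    def process(self, chunk, flow):
        return chunk

class HttpDecoder(Engine):
    """Strips the HTTP header; on Content-Encoding: gzip asks for a Gunzip node."""
    name = "http"
    def __init__(self):
        self.buf, self.header_done = b"", False
    def process(self, chunk, flow):
        if self.header_done:
            return chunk
        self.buf += chunk
        if b"\r\n\r\n" not in self.buf:
            return b""  # header still incomplete: nothing to pass downstream yet
        header, body = self.buf.split(b"\r\n\r\n", 1)
        self.header_done = True
        if b"content-encoding: gzip" in header.lower():
            flow["insert_after"] = (self.name, Gunzip())  # dynamic branch
        return body

class Gunzip(Engine):
    """Streaming decompressor: emits whatever is decodable so far."""
    name = "gunzip"
    def __init__(self):
        self.d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
    def process(self, chunk, flow):
        return self.d.decompress(chunk)

class AvScanner(Engine):
    """Matches a constructed marker even when it straddles two packets."""
    name = "av"
    SIG = b"EICAR-TEST"  # constructed marker, not a real signature
    def __init__(self):
        self.tail = b""
    def process(self, chunk, flow):
        window = self.tail + chunk
        if self.SIG in window:
            flow["verdict"] = "malware"
        self.tail = window[-(len(self.SIG) - 1):]
        return chunk

def run_pipeline(packets, engines):
    """Push each packet through the engines in order, honouring dynamic inserts."""
    flow, engines = {"verdict": "clean"}, list(engines)
    for pkt in packets:
        data, i = pkt, 0
        while i < len(engines):
            data = engines[i].process(data, flow)
            ins = flow.pop("insert_after", None)
            if ins and ins[0] == engines[i].name:
                engines.insert(i + 1, ins[1])  # new node sees this chunk too
            i += 1
    flow["pipeline"] = [e.name for e in engines]
    return flow

def demo(gzipped):
    """Constructed HTTP response carrying the marker, cut into 40-byte packets."""
    payload = b"hello " * 20 + b"EICAR-TEST world"
    body = gzip.compress(payload) if gzipped else payload
    enc = b"Content-Encoding: gzip\r\n" if gzipped else b""
    resp = b"HTTP/1.1 200 OK\r\n" + enc + b"\r\n" + body
    packets = [resp[i:i + 40] for i in range(0, len(resp), 40)]
    return run_pipeline(packets, [HttpDecoder(), AvScanner()])
```

The same two starting engines yield the pipeline http → gunzip → av for the gzipped flow and http → av for the plain one, which is the per-flow pipeline selection the slide describes.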

Page 18

Parallel Stream Engine Architecture

(Diagram of the stream engine groups:)

TCP Proxy

Decoders: HTTP Decoder, SMTP Decoder, PE Decoder, MIME Decoder, gunzip, ...

Security Processing: IPS Scanning, AV Scanning, URL Filtering, Content Filtering, ...

App Processing: Behavior Control, ALG, Application Proxy, Application Tunneling, Application Optimization

Page 19

StoneOS – Parallel and Stream Based Inspection Engine

The parallel stream based inspection engine enables network visibility through Cross Inspection™ technology

User, application and behavior data

Uses stream based security inspection for low latency processing

Unified policy engine for all security functions

Different packets of the same flow can be distributed to all CPU cores for parallel processing.

VPN encap/decap, classification, protocol decoding, application identification, security processing, and flow control are done only once

Page 20

Parallel Architecture Delivers High Performance

Multi-core and multi-CPU architecture provides high performance

Each core provides security functions independently of the others

The same session can be handled on all cores concurrently

Unified security engine performs security processing once, thereby reducing latency

Page 21

2 Stage QoS

(Diagram: Ingress → 1st Stage → 2nd Stage → Egress; each stage is a tree with a Root, a Default node and Sub nodes)

Page 22

The T-Series iNGFW

Page 23

Hardware Architecture of T-series

• Performance: firewall performance is not impacted by the analytics computation

• Stability: separate engines improve fault tolerance.

• Security: the x86 engine for data mining and correlation analysis enables intelligent security

• Visibility: enhanced visibility for the large amounts of historical data collected

Intelligent Multi-Vector Processor Architecture (i-MVP)

(Diagram: Management Engine (ME), Intelligent Engine (IE) for Big Data, Network Engine (NE) and Security Engine (SE), spread across an X86 processor and a multi-core secure processor)

Page 24

Two Detection Engines

Unknown Threats Detection Engine: detects advanced malware and 0-day

Abnormal Behavior Detection Engine: detects compromised hosts and malicious insiders

Behavior based, detects unknown threats

Page 25

Unknown Threats Detection Engine

Data Analytics on Behavior

(Diagram: Known Malwares → Model 1, Model 2, ... Model n → Malware Behavior Model)

Page 26

Unknown Threats Detection Engine

(Diagram: Host Behavior and the Malware Behavior Model feed Unknown Threat Detection, which identifies Compromised Hosts)

Page 27

Malware Analysis and Detection using Big Data

• Sample Collection: malware collection, sandbox analysis, network behavior collection

• Big Data Analysis: tens of thousands of new samples per day. Preprocess along predefined parametric and statistical dimensions.

• Machine Learning: supervised and unsupervised.

• Behavior Model Update: appliances pull in updates to the behavior models.

• Complete Cycle: detection results can be uploaded with user consent. This global intelligence improves overall security.

Page 28

Abnormal Behavior Detection

(Diagram: App and Host Behavior Learning and Modeling → Detect Abnormal Behavior)

Page 29

Abnormal Behavior Detection Engine

(Diagram: Build Dynamic Modeling of Applications and Hosts → Deviation of Current Behavior from Model → Determine Attack Type: DoS/Scan, Crawler, SPAM, Data Leakage)

Page 30

Abnormal Behavior Detection based on historical behavior

• Data Modeling: multi-dimensional, L3-L7, application

• Adaptive Algorithm: models real-time network behavior, taking into account behavior variation over multiple time periods and correlation between data dimensions.

• Early detection of anomalies: compared to a static threshold, it enables earlier detection of, and intervention against, behavior anomalies.

• Detection of DDoS against servers, scanning, crawlers and data exfiltration.
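As an added illustration of the adaptive-versus-static point in the bullets above (example code written for this page, not Hillstone's algorithm; the traffic profile, the hour-of-day period and the 3-sigma rule are constructed assumptions), a per-hour baseline that catches a small absolute spike during a quiet period which a fixed threshold ignores, while not firing on a busy-hour value that the fixed threshold would flag:

```python
from statistics import mean, pstdev

# Constructed baseline: outbound connections per hour for one host over 7 days.
# Night hours are quiet (~5/h), business hours busy (~180/h); day-to-day
# variation is proportional to the level, as real traffic usually is.
DAY_PROFILE = [5, 4, 6, 5, 5, 7, 20, 80, 150, 180, 185, 175,
               160, 170, 180, 190, 175, 150, 90, 40, 20, 10, 8, 6]
DAY_SCALE = [0.0, 0.1, -0.1, 0.05, -0.05, 0.08, -0.08]

def make_history():
    """7 days x 24 hours of constructed counts."""
    return [[round(v * (1 + s)) for v in DAY_PROFILE] for s in DAY_SCALE]

def build_model(history):
    """Per-hour baseline (mean, sigma) learned from history; sigma is floored
    at 1 so that quiet hours do not divide by zero."""
    return [(mean(col), max(pstdev(col), 1.0)) for col in zip(*history)]

def adaptive_alert(model, hour, value, z_limit=3.0):
    """Deviation of current behavior from the model for that time period."""
    mu, sigma = model[hour]
    return (value - mu) / sigma > z_limit

def static_alert(value, threshold=200):
    """Fixed threshold applied regardless of time of day."""
    return value > threshold

def evaluate(history, observations):
    """observations: (hour, connections) pairs. Returns one tuple per
    observation: (hour, value, static_fires, adaptive_fires)."""
    model = build_model(history)
    return [(h, v, static_alert(v), adaptive_alert(model, h, v))
            for h, v in observations]
```

At 03:00 a value of 60 is only a third of the static threshold yet more than fifty baseline deviations above the quiet-hour model, which is the early detection the slide refers to; at 14:00 a value of 210 breaks the static threshold but sits within normal busy-hour variation.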

Page 31

The X-Series

Page 32

Scales Up to Multiple CPU

(Diagram: Control Plane, Service Plane and I/O Plane; the system grows from one processing module and one interface module to several of each, every processing module carrying its own Control Plane and Data Plane)

Page 33

Fully-Redundant Design Guarantees High Reliability

(Diagram: Control Plane, Service Plane and I/O Plane, with redundant interface modules and processing modules)

• The system I/O is independent of the data processing hardware

• The software and hardware for the system control and data control are independent of each other

Page 34

Fault Tolerant

(Diagram: Control Plane above a Service layer of three SCMs and an I/O layer of two IOMs, with numbered steps 1 to 7 whose labels did not survive extraction)

Page 35

SCM Scalability

(Diagram: Control Plane above a Service layer of four SCMs and an I/O layer of two IOMs, with numbered markers 1, 2, 11 and 22 whose labels did not survive extraction)

Page 36

I/O Scalability

(Diagram: Control Plane above a Service layer of three SCMs and an I/O layer of three IOMs numbered 1 to 3)

Page 37

Fully Distributed FW Processing

(Diagram: slow path and fast path processing spread across a row of IOMs and a row of SCMs)

Page 38

Data Center Firewall: How to Distribute State Information

Conventional Distributed Processing Architecture

Shared Distributed Architecture: RTO is processed by a single module

Replication-based Distributed Architecture: RTO is replicated by all the modules synchronously

Drawbacks: limited performance, poor scalability, single point of failure, high cost

Page 39

Data Center Firewall: Innovative Elastic Firewall Architecture

• Up to 360 Gbps and 120 million concurrent connections

• Unique and patented resource management algorithm

• Scales performance linearly with an increasing number of SSM modules.

• Ideal for virtualized cloud deployment

Elastic Firewall Architecture: distributed RTO processing through multiple SSM modules to eliminate performance bottlenecks

Elastic architecture to offer greater scalability

Page 40

Virtualization Technology

Page 41

Hillstone Virtual Appliance & Solution

Virtualization form factor and hardware form factor:

Virtual appliance - vFW (component: vFW); hardware counterpart: M series

Virtual appliance - vEFA (components: vSCM, vSSM, vIOM); hardware counterpart: X series

vFW use cases:

• Public Cloud: security managed by tenants, VPC, North-South

• Private Cloud: SMB, simple deployment

vEFA use cases:

• Private Cloud: East-West security

• Public Cloud: security infrastructure

North-South access control in a VPC environment - provide a vFW or vSYS for each tenant

East-West security protection in the data center - vEFA

Page 42

FWaaS Solution 1: Hardware + vSYS

(Diagram: Data Center Orchestration with SDN over Servers, Storage and Network, driving an X series firewall through an API (Networking, Security); the firewall hosts vsys1, vsys2 and vsys3)

Page 43

FWaaS Solution 2: vFW

(Diagram: Data Center Orchestration with SDN over Servers, Storage and Network, driving vFW1, vFW2 and vFW3 through an API (Networking, Security))

Page 44

vEFA – Virtual Elastic Firewall Architecture

• Virtual Firewall for the Data Center

• Performance and capacity scale with CPU

• Redundant and Fault Tolerant: HA & ISSU

(Diagram: Hillstone X7180 360G FW Chassis alongside Cloud Orchestration)

Page 45

vEFA

Built on top of a proven, distributed, patent-pending firewall architecture

Control Plane: Global Session Mgr; Fully Redundant

Security Plane: Content Security; Elastic Scaling; Fully Redundant

Data Plane: Firewall; Elastic Scaling; Fully Redundant

vEFA Virtual Chassis

- NGFW functionality

- On-demand scalability

- Unified Management

- Openstack driver

- RESTful API for customized integration

- Support for multi-tenant (VSYS)

Page 46

Management Integration – OpenStack Certified

(Diagram: OpenStack Dashboard with a Vendor Feature Plugin; Nova and Quantum; Nova Networking; Virtual Network Service with a Vendor VNS driver; FWaaS, VPNaaS and L2/L3 Vendor Feature Plugins; Compute and Storage Infrastructure with the Vendor Product; Network and Security Infrastructure)

Page 47

OpenStack Integration

                    HW FW + vSYS                          vFW
Solution            One vSYS for each tenant              One vFW for each tenant
Resource            Managed by HW FW                      Managed by Cloud Orchestration
Management UI       vSYS UI                               vFW provides standard FW management
Tenant Separation   N/A                                   Separate virtual machine for vFW
Performance         Dedicated HW, performance guarantee   Depends on size of VM for the vFW

Tenant creates a virtual gateway on the OpenStack Dashboard

Every virtual gateway can be a software vFW, or a vSYS in a hardware firewall

Page 48

Thank you!