Hillstone Technology Introduction - dl.arka.irdl.arka.ir/brochures/hillstone/Hillstone Technology Introduction.pdf · Network Behavior Collection ... vIOM • Public Cloud: Security

1www.hillstonenet.com

May. 2015

Hillstone Technology Introduction

Timothy Liu

2

2

Product Portfolio

Next-Gen Firewall

Intelligent

Next-Gen FirewallData Center Firewall

E Series

Analytics

on VM

Standalone

T - Series

X - Series

Centralized Security

Management

HSM - 200

HAS - 3/5/10

Virtual Firewall (vFW)Virtual Elastic Firewall

Architecture (vEFA)

3

2StoneOS

3T Series

4X Series

5Virtualization

1Hardware

4

4

The Hardware

4

5

New Generation of Hardware Architecture

G1 – x86 G2 – NP/ASIC G3 – Multi CPU & Multicore

2nd Gen - NP/ASIC No application layer

capability

Limited bandwidth between processor and ASIC/NP

1st Gen – x86 Insufficient

processing power

3rd Gen – MultiCore Multiple CPUs, each with

multiple cores

Dedicated application

acceleration hardware

Up to 960G switch fabric

X86Processor

RAM

HDD

NIC NIC

X86Processor

RAM

HDD

RAM

RAMNP / ASIC

PCI / PCI-E

6

6

Hillstone Innovation

• 2007-2008: First in industry with security appliance based on multicore CPU

• 2009: First in industry 10G Firewall

• 2010-2011: Distributed architecture based on multiple CPU, 100G Firewall

• 2013: New heterogeneous architecture for Intelligent NGFW

6

7

E Series – Single CPU

Multi-Core MIPS64 CPU (up to 32 cores)

CPUCore 0

GE GE GE GE GE GE 10GE 10GEGE

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

Switch Fabric

StorageStorageStorage

8

Multi-Core MIPS64 CPU

CPUCore 0

GE GE GE GE GE GE 10GE 10GEGE

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

Switch Fabric

Multi-Core MIPS64 CPU

CPUCore 0

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

Multi-Core MIPS64 CPU

CPUCore 0

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

Multi-Core MIPS64 CPU

CPUCore 0

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

GE GE GE GEGE

10GE 10GE 10GE

StorageStorageStorage

X-Series - A Distributed and Parallel Architecture

9

Multi-Core MIPS64 CPU (up to 16 cores)

CPUCore 0

GE GE GE GE GE GE 10GE 10GEGE

CPUCore 1

CPUCore 2

CPUCore 3

CPUCore n

Switch fabric

StorageStorageStorage

T series

X86System

10

10

The Operating System

10

11

11

(High-Performance Integrated Solution)

Hillstone Integrated Defense for Businesses

Multi-core High-Performance Hardware platform

64-bit Concurrent OS

FW IPS AVURL Filter

IPsec VPN

& SSLVPN

QoSAttack Protect

-ion

APP & User Id

Centralized Security Management (HSM)

11

StoneOS

12

12

Advanced Full Parallel Architecture

Traditional Multi-core Architecture

Uses multi-core to handle packet forwarding

Only x86 can handle application processing

Same session cannot be distributed to all

cores.

Multi-core is cheap ASIC or NP replacement

only.

Hillstone’s Innovative Multi-core-

Plus Architecture

All application processing is distributed to

all cores evenly

One-pass processing without the CPU

bottleneck

12

13

13

Scalable Performance

0

500

1000

1500

2000

2500

3000

3500

0 2 4 6 8 10 12 14 16 18

Core #

64 Bytes Tput (Mbps)

13

14

14

Scalable Performance

0 2 4 6 8 10 12 14 16 18

Core #

Ramp Up (session/sec)

14

15

Cross Inspection

Deep Inspection

Cross Inspection: Combines Deep Inspection with a user’s application behavior for cross-analysis:

User state

Application state

Behavior state

Behavior stateApplication stateUser state

Stream Based Processing

16

16

Stream Engine

State

Information

Packet In Packet Out

• Stream Engine is a node in a pipeline that processes incoming packets en route.

• Can be as simple as a counter for packets or as complex as an AV signature matching or traffic optimization.

• Compared to a fully proxied solution, it offers a lower network latency, faster response time, and higher processing capacity

16

17

17

StoneOS Stream Engine

AV

Scanning

PE

DecoderGunzip

MIME

Decoder

HTTP

DecoderTCP Proxy

• Stream engines pipeline (a pipeline with branches)

• Different flows will have different pipeline of stream engines depending on the policy configuration and flow itself. For example, some flows will have URL filtering scanning while others will have AV scanning stream engine.

• Stream engine can be dynamically adjusted depending on processing state information. For example, a new pipeline involving gunzip stream engine will be added when content is detected to be a gzipped file.

AV

Scanning

HTTP

DecoderTCP Proxy

PE

Decoder

AV

Scanning

Gunzip

MIME

Decoder

IPS

Scanning

17

18

18

Parallel Stream Engine Architecture

DecoderTCP Proxy Security

Processing

App

Processing

HTTP

Decoder

IPS

Scanning

AV

Scanning

URL

Filtering

Content

Filtering

PE

Decoder

...

SMTP

Decoder

gunzip

MIME

Decoder

...

Behavior

Control

ALG

…

Application

Proxy

Application

Tunneling

Application

Optimization

18

19

StoneOS – Parallel and Stream Based Inspection Engine

Parallel stream based inspection engine enables network visibility: Cross Inspection™ technology for network visibility

User, application and behavior data

Use stream based security inspection for low latency processing

Unified policy engine for all security functions

Different packets of the same flow can be distributed to all CPU cores for parallel processing.

VPN encap/decap, classification, protocol decoding, application identification, security processing, and flow control is done only once

20

20

Parallel Architecture Delivers High Performance

Multi-core and multi-CPU

architecture provides high

performance

Each core provides security

functions independently of

each other

Same-session can be handled

on all cores concurrently

Unified security engine

provides security processing

once, thereby reducing latency

20

21

2 Stage QoS

Ingress

1st Stage 2nd Stage

Egress

Root

Root

Default Default

RootSub

Sub

Sub

Sub

22

22

The T-Series iNGFW

22

23

23

Hardware Architecture of T-series

• Performance: Firewall performance is not impacted by the analytics computation

• Stability: Separate engines improve fault tolerance.

• Security: x86 engine for data mining and correlation analysis, enables intelligent security

• Visibility: Enhanced visibility for large amounts of historical data collected

23

Intelligent Multi-Vector Processor Architecture（i-MVP）

Management Engine(ME)

Big Data

Intelligent Engine(IE)

X86 Processor Multi- core Secure Processor

Network Engine(NE)

Security Engine(SE)

24

24

Two Detection Engines

Unknown Threats Detection Engine

Abnormal Behavior Detection Engine

Detects Advanced Malware and 0-day Detects Compromised Hosts and Malicious Insiders

Behavior Based, Detect Unknown Threats

24

25

25

Unknown Threats Detection Engine

Data Analytics on Behavior

Model 1 Model 2 Model nMalwareBehavior

Model

Known Malwares

25

26

26

Unknown Threats Detection Engine

Host Behavior Compromised Hosts

Malware Behavior Model

Unknown Threat Detection

26

27

27• Sample Collection: Malware collection, Sandbox analysis, Network Behavior Collection

• Big Data Analysis: Tens of thousands of new samples per day. Preprocess along predefined parametric and statistical dimensions.

• Machine Learning: Supervised and Unsupervised.

• Behavior Model Update: Appliance pull in updates to behavior models.

• Complete Cycle: Detection results can be uploaded with user consent. This global intelligence improves overall security.

Malware Analysis and Detection using Big Data

27

28

28

Abnormal Behavior Detection

App and Host Behavior Learning and Modeling

Detect Abnormal Behavior

28

29

29

Abnormal Behavior Detection Engine

Build Dynamic Modeling of

Applications and Hosts

Determine Attack Type

DOS/Scan Crawler

SPAM

Deviation of CurrentBehavior from Model

Data Leakage

29

30

30Abnormal Behavior Detection based on historical behavior

• Data Modeling: Multi-dimensional, L3-L7, application

• Adaptive Algorithm: Modeling real-time network behavior, with

consideration of behavior variation on multiple time periods, and

correlation between data dimensions.

• Early detection of anomaly: Compare to static threshold, it enables early

detection and intervention to behavior anomalies.

• Detection DDoS against servers, scanning, crawlers and data exfiltration.

Abnormal Behavior Detection

30

31

31

The X-Series

31

32

Co

ntro

l Pla

ne

Service

Pla

ne

I/O P

lan

e

Interface module

Processing module

Processing module

Processing module

Processing module

Interface module

Interface module

Processing module

Interface module

Co

ntro

l Pla

ne

Data

Pla

ne

Processing module

Interface module

Co

ntro

l Pla

ne

Data

Pla

ne

Processing module

Interface module

Data

Pla

ne

Processing module

Interface module

Data

Pla

ne

Scales Up to Multiple CPU

33

33

Fully-Redundant Design Guarantees High Reliability

Co

ntro

l Plan

e

Service

Pla

ne

I/O P

lan

e

Interface module

Interface module

Interface module

Processing module

Co

ntro

l Plan

eProcessing module

Processing module

Processing module

• The system I/O is independent of the data processing hardware

• The software and hardware for the system control and data control are independent of each other

33

34

Fault Tolerant

Co

ntro

l Plan

e

Service

IO IOM IOM

SCM SCM SCM

Co

ntro

l Plan

e

5

1

2 3

4

6

7

35

SCM Scalability

Co

ntro

l Plan

e

ServiceI/O IOM IOM

SCM SCM SCM SCM

Co

ntro

l Plan

e

1

2

11

1

2

22

36

I/O Scalability

Co

ntro

l Plan

e

ServiceI/O IOM IOM IOM

SCM SCM SCM

Co

ntro

l Plan

e

1 2 3

37

Fully Distributed FW Processing

Slow Path

Slow Path

Fast PathSlow PathFast Path

SCM

IOM IOM IOM

SCM SCM SCM SCM SCM SCM SCM

IOM IOM IOM

38

38

Data Center Firewall: How to Distribute State Information

Conventional Distributed Processing Architecture

Shared Distributed ArchitectureReplication-based

Distributed Architecture

RTO is processed by a single moduleRTO is replicated by all the modules synchronously

Limited performance

Poor scalability

Single point of failure

High cost

38

39

39

Data Center Firewall: Innovative Elastic Firewall Architecture

• Up to 360 Gbps and 120 million concurrent connections

• Unique and patented resource management algorithm

• Scale performance linearly with increasing number of SSM modules.

• Ideal for virtualized cloud deployment

Distributed RTO processing through multiple SSM modules to eliminate performance bottlenecks

Elastic Firewall Architecture

Elastic architecture to offer greater scalability

39

40

40

Virtualization Technology

40

41

41

Hillstone Virtual Appliance & Solution

Virtual appliance - vEFA

Virtual appliance - vFW

X series

M series

Virtualization Form FactorHardware Form Factor

vFW

vSCM

vSSM

vIOM

• Public Cloud: Security managed by tenants, VPC, North-South

• Private Cloud: SMB, simple deployment

• Private Cloud: East-West security• Public Cloud: Security Infrastructure

North-South access control in VPC environment- Provide a vFW or vSYS for each tenant

East-West security protection in the data center- vEFA

41

42

42

FWaaS Solution 1: Hardware+ vSYS

Data CenterOrchestration

SDN

Servers Storages Network

X series

API (Networking, Security)

vsys1

vsys2

vsys3

42

43

43

FWaaS Solution 2：vFW

Data CenterOrchestration

SDN

Servers Storages Network

API (Networking, Security)

vFW1

vFW2

vFW3

43

44

44

VEFA – Virtual Elastic Firewall Architecture

• Virtual Firewall for the Data Center

• Performance and capacity scale with CPU

• Redundant and Fault Tolerant: HA & ISSU

Hillstone X7180 360G FWChassis

Cloud Orchestration

Cloud Orchestration

44

45

45

vEFA

Built on top of proven, distributed patent-pending firewall architecture

Control Plane• Global Session Mgr• Fully Redundant

Security Plane• Content Security• Elastic Scaling• Fully Redundant

Data Plane• Firewall • Elastic Scaling• Fully Redundant

vEFA Virtual Chassis

‐ NGFW functionality

‐ On-demand scalability

‐ Unified Management

‐ Openstack driver

‐ RESTful API for customized integration

‐ Support multi-tenant (VSYS)

45

46

46

Management Integration – OpenStack Certified

OpenStack DashboardVendor Feature Plugin

Nova Quantum

Nova Networking

Virtual Network Service

Vendor VNS driver

Compute, StorageInfrastructure

VendorProduct

FWaaS VPNaaSL2/L3Vendor

Feature Plugin

Network and SecurityInfrastructure

46

47

47

OpenStack Integration

HW FW + vSYS vFWSolution One vSYS for each tenant One vFW for each tenant

Resource Managed by HW FW Managed by Cloud Orchestration

Management UI vSYS UI vFW provide standard FW management

TenantSeparation

N/A Separate virtual machine for vFW

Performance Dedicated HW, performance guarantee

Depends on size of VM for the vFW

Tenant creates virtual gateway on OpenstackDashboard

Every virtual gateway can be a software vFW, or a vSYS in a hardware firewall

47

48

Thank you!