Product Brief
Top-of-Rack Switch + Firewall
B1 + Brocade® vRouter Firewall
Top of Rack Security Switch

Firewall Features
• 60+ Gig throughput
• Stateful Inspection Firewall
• Zone-based Firewall
• Intel® DPDK Support
• ICMP Type Firewall

Switch Features
• 480 Gbps switch fabric
• 24 10G ports
• 4 40G uplink ports
• 80 Gbps data path between server/switch environments

Additional Functionality
• Network Address Translation
• 3DES, AES Encryption
• MD5 and SHA-1 authentication
• RSA, Diffie-Hellman Key Management
• NAT Traversal
• Role-Based Access Control (RBAC)

The B1 is a unique device that combines a Top-of-Rack switch with a high-end
compute environment. In the Security Switch configuration, the compute
environment is running the Brocade vRouter Firewall.
Thus, in the same 1U that is currently occupied by only a switch, you can now also
host rack level Firewall security.
The B1 provides:
• Twice the density
• In one-half the rack space
• At about two thirds the hardware cost
Figure 1 below shows the block diagram for the B1. The device has a commercial
grade switch environment in the front and a high-end computer environment in
the back.
Tunneling/VPN Functionality
• SSL-based OpenVPN
• Site to Site (IPSec)
• Layer 2 Bridging over GRE
• Remote VPN (L2TP, IPSec)
• Layer 2 Bridging over OpenVPN
• Dynamic Multipoint VPN

[Figure 1: B1 Diagram of Network and Compute Environments. Labels: Network Environment with 24x 1G/10G & 4x 40G ports and a 10/40G Fabric with Packet Filtering; 80 Gbps across four 20G SR-IOV links to the Compute Environment with two Intel Xeon EP processors; an 8 Core x86 Control Processor.]
The front panel of the B1 has 24 x 10Gig ports and 4 x 40Gig ports. The network
and compute environments are connected with an 80Gig link (8 x 10Gig ports).
This is a total non-blocking switching capacity of 480Gig.
LineRateOF | PRODUCT BRIEF

Full Featured Switch
The networking environment is a fully featured switch/router. OpenArchitect switch management software provides the management functionality and the Linux Networking API for protocol support. The Quagga L3 Protocol Suite includes all the major RFCs (RIP, OSPF, BGP, LACP, etc.).

Firewall Environment
In the Top-of-Rack Security Switch configuration, the compute environment of the B1 hosts the Brocade 5600 vRouter Firewall software with Brocade vPlane technology. vPlane utilizes the Intel Data Plane Development Kit (DPDK) technology to deliver breakthrough performance levels of 60+ Gig Firewall throughput.

In addition, Packet Filtering software included with OpenArchitect provides the ability to selectively control flows prior to the standard L2/L3 processing in the switch silicon. Packet Filtering is a key technology in managing which flows have to pass through the firewall and which can be directly switched to the server in the rack.

The B1 plus vRouter set new price/performance standards that enable deploying firewall security at the top of every rack.
Threats from everywhere
Not too long ago, security threats were viewed as an external problem that was addressed via a firewall at the perimeter. Now the concept of the "perimeter" is not clear. East-West traffic within the data center is risky just like the external North-South traffic.

The New Security Model
A new security strategy is needed. One that moves the security closer to the compute resources. One that provides Firewall security at the top of every rack.
Enforcement Point at the top of every rack
A new and effective strategy is to divide the enterprise network infrastructure into isolated segments with a security "enforcement point" at every intersection. A natural segmentation in the data center is the rack. Data flows to and from all the servers within the rack through the top-of-rack switch. Adding a firewall Enforcement Point at the top-of-rack moves a critical security technology next to the servers in the rack.

It also creates a security architecture that is scalable. As the data center grows, each new rack has the same configuration: servers in the rack, top-of-rack switch, and a top-of-rack security Enforcement Point.

Figure 2 shows the B1 with a vRouter Firewall installed on the computer section as a top-of-rack Enforcement Point. Flow coming into the rack can be routed to the Firewall or directly switched to the servers.

[Figure 2: Top of Rack Firewall]
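The steering decision described above (flows matching an explicit trust rule are switched directly to the rack's servers, everything else is sent through the vRouter Firewall), written out as an added illustration that is not code from the brief or from Brocade. The trust rules, addresses and flow rates are constructed; the 60+ Gig firewall throughput and the 80 Gig active trunk are the figures the brief itself quotes, and the capacity check shows the sizing concern the next section raises: the at-risk share must still fit inside the firewall's throughput.

```python
import ipaddress
from collections import namedtuple

FIREWALL_GBPS = 60.0  # vRouter firewall throughput stated in the brief
UPLINK_GBPS = 80.0    # one active 80 Gig trunk into the rack

# A flow entering the rack: source/destination IP, protocol, destination port, expected rate in Gbps.
Flow = namedtuple("Flow", "src dst proto dport gbps")

# Constructed trust policy with hypothetical addresses: (src prefix, dst prefix, proto, dport);
# None in the proto or dport position matches anything.
TRUST_RULES = [
    ("10.20.0.0/16", "10.30.1.0/24", "tcp", 5432),  # database replication from a peer rack
    ("10.10.0.0/24", "10.30.1.0/24", "tcp", 9100),  # metrics collection from the monitoring net
]

def is_trusted(flow, rules=TRUST_RULES):
    # Trusted only if a rule matches on source, destination, protocol and port together.
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for src_net, dst_net, proto, dport in rules:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and proto in (None, flow.proto) and dport in (None, flow.dport)):
            return True
    return False  # default: an unmatched flow is at-risk and must traverse the firewall

def steer(flows, rules=TRUST_RULES):
    # Split flows into those switched directly and those sent to the vRouter firewall.
    plan = {"direct": [], "firewall": []}
    for flow in flows:
        plan["direct" if is_trusted(flow, rules) else "firewall"].append(flow)
    return plan

def capacity_check(plan):
    # Compare the at-risk load with firewall capacity and the total offered load with the trunk.
    fw_load = sum(f.gbps for f in plan["firewall"])
    total = fw_load + sum(f.gbps for f in plan["direct"])
    return {"firewall_gbps": fw_load, "total_gbps": total,
            "firewall_oversubscribed": fw_load > FIREWALL_GBPS,
            "uplink_oversubscribed": total > UPLINK_GBPS}

# Constructed sample of flows entering the rack over the uplink.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "10.30.1.10", "tcp", 5432, 30.0),   # replication: trusted, switched directly
    Flow("10.10.0.4", "10.30.1.11", "tcp", 9100, 2.0),    # metrics scrape: trusted
    Flow("203.0.113.9", "10.30.1.10", "tcp", 443, 25.0),  # Internet client: at-risk
    Flow("10.20.5.7", "10.30.1.10", "tcp", 22, 5.0),      # trusted source, untrusted service: at-risk
    Flow("10.40.2.3", "10.30.1.20", "udp", 53, 8.0),      # another rack, no matching rule: at-risk
]
```

With the sample policy the firewall carries 38 Gbps of the 70 Gbps offered; with an empty rule set the same 70 Gbps would all hit a 60 Gig firewall, which is the oversubscription the trusted/at-risk split avoids.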
Processing Trusted Vs. At-Risk Flows
In the most common configuration of the B1 Security Switch, the uplink capabilities will be configured as two 80 Gig trunks—one active and one standby. The Firewall capabilities are in the 60+ Gig range. This means that full line rate into the chassis will exceed the Firewall throughput.

The solution to this issue is to treat some flows as "trusted" and have these forwarded directly to the down-rack servers by the network section of the B1. The other flows will be treated as "risky" and therefore have to be processed by the vRouter Firewall.

As shown in Figure 2 above, the B1 Network section determines how flows traverse from ingress to the switch to the target server (or VM). Some flows are directly routed by the Network switch in the B1 to the target server (VM). The other flows have to pass through the vRouter Firewall to gain access to the down-rack server (VM).

Using ToR Enforcement Points to Address Attack Vectors
Figure 3 (Security Enforcement Points at the top of every rack) shows a data center with the standard firewall at the connection to the Internet. It also shows a B1 Security Switch at the top of each server rack. This strategy provides multiple layers of security. The numbers on Figure 1 correspond to the Threat Vectors addressed by the B1 Security Switches. These Threat Vectors are defined in Table 1: Example Attack Vectors and Enforcement Point Mitigation.
Table 1: Example Attack Vectors and Enforcement Point Mitigation

1. Insider and Malware
Description: The most damaging attacks happen from the inside, not under the scrutiny of the security gateway. The highest profile data compromises have occurred from employees accessing unauthorized data or accidentally allowing malware on the internal network.
Enforcement: Enforcement points allow for segmenting and individually provisioning data and services so that malicious activity is contained. Malware and insiders are limited in which segments they are authorized to use.

2. Compromised Server
Description: Servers within the datacenter need the ability to handle different types of traffic, and some must accept connections from the outside world to deliver their services (e.g., http or email traffic). This leaves segments open to access across the east-west plane of a datacenter.
Enforcement: By deploying Enforcement points at each datacenter segment, the security services enabled can be customized to the type of traffic and services on that segment. A compromised server on one segment cannot provide access to a server on another segment, limiting the attack.

3. Exploit
Description: Exploits in network equipment operating systems can allow access to the device from across the internet using discovery processes in protocols. Once inside the gateway, the client running the network operating system can access non-protected areas of the datacenter.
Enforcement: By provisioning each individual segment enforcement point, unauthorized access can be limited to the network infrastructure and not the servers/clients in each protected segment.

4. Outsider
Description: Either malware or misconfiguration (e.g., open ports) of the main security gateway can allow an outside attacker access. Once an access methodology is established, a malicious user can access different segments of the network.
Enforcement: Enforcement Points provide a second layer of security for each leaf segment of the network, stopping malicious users from accessing segments that are not allowed.
Brocade and 5600 vRouter are trademarks of Brocade.