The Check Point Open Performance Architecture: Delivering Application-layer Security at Data Center Performance Levels

Companies have always faced a tradeoff with network security. Do they lock down the network and face performance issues? Or do they focus on a high level of performance at the expense of preventing possible attacks? Today, these decisions are even harder. Application-layer threats are increasingly the vector of choice of hackers. These attacks – disguised as legitimate traffic – require a deeper level of inspection that needs more processing power and performance.

Check Point designed its Open Performance Architecture with these two challenges in mind – raising throughput while simultaneously raising security levels. Rather than make companies choose between performance and security, the Open Performance Architecture provides the ability to deliver both in the same platform by providing several layers of patented acceleration technologies. These layers work together with advanced technologies, such as Intel multi-core CPUs, to deliver on the promise of application-layer security at high performance levels.

A delicate balance: Performance and security

Securing a network is a constant tradeoff. The network is an information access enabler – people want and expect instant access to data, to systems, or to other people in the case of Voice over Internet Protocol (VoIP). On the other hand, security is about limiting the amount of access people have.

Complicating matters is the fact that as security controls are increased, the security tools themselves come under a higher workload, therefore reducing performance and indirectly affecting access levels. To protect against today’s risks of highly advanced attacks and information leakage there is a requirement for a higher level of inspection as information passes through the perimeter gateway. As more security checks are enabled, the security tools themselves will face a greater processing load to implement the security policy - effectively slowing down security inspection.

This problem of balancing information access, the advanced nature of application attacks, and the performance required to support emerging applications is creating a paradigm shift. The firewall must be able to do more, and to accomplish this, the solution must be extensible to stop the most disruptive attacks that are exploiting vulnerabilities inherent in the applications that we all use each day. Check Point’s Open Performance Architecture delivers this extensibility.

What is the difference between open and closed performance architectures?

Last April, Network World reported that attacks across instant messaging, chat, and peer-to-peer applications had grown an astonishing 700 percent compared to the previous year. This information quantifies what was already known – attacks are now disguised as legitimate application-layer traffic.

The reasoning behind these attacks is that traditional firewall-based security focuses on network-layer access. Modern attacks mean that a supposedly trusted user is disguising the traffic so that it passes the firewall. From a security inspection viewpoint, the answer is to implement a deeper level of inspection on the firewall to detect application-layer threats. However, every additional security screening that is done decreases the ability for the firewall to efficiently process the traffic, slowing down its predictable performance.

The traditional method of dealing with increased security performance requirements has been to develop a closed architecture based on application-specific integrated circuits (ASICs) or other specialized hardware. These purpose-built devices are designed to efficiently handle specific tasks much faster than general purpose processors. For some security tasks, such as network address translation (NAT) or basic packet filtering, these closed systems provide a simple way to accelerate security performance.

The problem with closed systems is that application-layer threats are not static - they are dynamic - and closed systems are not designed to respond adequately to these types of threats. After their initial configuration, ASIC-based systems cannot be reprogrammed to address new attacks. To combat these new attacks, closed systems include a general-purpose processor that is field programmable but does not include the acceleration technology found in ASICs. The general purpose processor creates major issues for closed systems; specifically a loss of performance value when inspecting against application layer threats.

The Open Performance Architecture Solution

The Check Point Open Performance Architecture changes the security performance equation. Rather than making people choose between having good performance and good security, it provides a framework for companies to have both. With top throughputs reaching 12 Gbps on a single open server, VPN-1® enables network administrators to gain the security of deep inspection in high performance environments through SmartDefense™ intrusion prevention.

The key to achieving these numbers is the combination of open system innovation and patented Check Point acceleration technologies. Operating on Moore’s Law, the assertion of Gordon Moore that computing power will double every 18 months, new open processors are increasing the computing power available to open security solutions at a brisk rate - especially when coupled with other innovations, such as increased bus speeds and improved motherboard architectures.

Taking advantage of these hardware innovations requires software innovations to match. The Open Performance Architecture consists of three patented technologies:

  • CoreXL™ Multicore Acceleration - CoreXL multicore acceleration is the first security technology designed to fully leverage multicore processors. It does this by sharing security inspection duties throughout all cores.
  • SecureXL™ Security Acceleration - SecureXL security acceleration accelerates security inspection by removing the latency introduced as network traffic passes through a security device.
  • ClusterXL™ Smart Load Balancing - ClusterXL enables near-linear performance increases by clustering together multiple systems running VPN-1.

These three technologies work together to fully accelerate security inspection along a unified path that ensures both high performance and high security.

The Check Point Acceleration Technologies

Although there are many factors that go into performance, such as hardware improvements and optimized code, the Check Point Open Performance Architecture concentrates on three technologies: ClusterXL, SecureXL, and CoreXL. These three technologies work together to maximize performance across a wide set of open servers and appliances.

ClusterXL: Smart load balancing

ClusterXL provides a method for high traffic volumes to be intelligently spread across multiple gateways. This provides near-linear scalability, as well as greatly increasing reliability. This gateway cluster can be physically located in a single location or separated and connected via an internal backbone, further increasing the redundancy needed for business continuity.

SecureXL: Security acceleration

A technology patented by Check Point, SecureXL is a software package with an API for the acceleration of multiple, intensive security operations, including operations that are carried out by a Stateful Inspection firewall from Check Point. Through the SecureXL API, this firewall can offload the handling of those operations to a special module - the “SecureXL device,” which can be either a third-party, dedicated hardware component or a performance-optimized software module.

CoreXL: Multicore acceleration

CoreXL introduces advanced load balancing to increase throughput for the deep inspection required to achieve intrusion prevention on the firewall by leveraging general-purpose multicore processors. This ultimately provides increased performance for security functions that have previously been unaccelerated, such as intrusion prevention. CoreXL is designed to allow networks to have high performance as well as a high level of security.

When VPN-1 with CoreXL technology is activated, it immediately assigns a core to act as a director for traffic. For example, if an appliance contains two quad-core processors, one core will act as the director while the other seven will run VPN-1. The core acting as a director has two main functions. First, it makes the initial security decision on whether the traffic can be accelerated by SecureXL. Second, it assigns traffic to a core to handle full security inspection.

By balancing the load across multiple cores, VPN-1 gains a higher level of efficiency than previous multithreaded security applications. These earlier security applications could take advantage of multiple cores by running multiple instances of an application on every core, but could not balance the load equally between them. CoreXL enables a more efficient distribution of security duties across multiple cores by intelligently load balancing across them.

Conclusion

The shift from network-layer attacks to dynamically changing application-layer threats has dramatically increased security performance needs. Addressing them requires an architecture that can quickly evolve to guarantee performance yet maintain a high level of security. While closed, ASIC-based architectures have not been able to make an efficient shift to protecting against application-layer threats, the Check Point Open Performance Architecture provides the foundation needed by large campuses and data centers to gain high performance while maintaining a high level of security.

With three patented technologies integrated within it (ClusterXL, SecureXL, and CoreXL), the architecture enables companies to defend against evolving application-layer threats and maintain a predictable level of performance. It also provides an avenue to the future where organizations will be able to quickly adopt new hardware innovations, such as additional multicore breakthroughs, and see immediate performance gains. With this open architecture, organizations can deploy security that delivers on the promise of application-level security without fearing the loss of performance.