Intrusion detection and prevention is now practical at wire-speed on 10Gig Ethernet, claimed Force10 Networks. The company has introduced a parallel processor capable of inspecting traffic and enforcing security rules at 20Gbit/s.
The new P-Series appliance uses Linux and the popular Snort open source software, which inspects traffic and compares it to a list of attack signatures. However, instead of using a single general-purpose processor and applying hundreds of rules to a packet in succession, the P-Series has up to 1000 processors in parallel, applying one rule each.
This enables the device to analyse two 10Gibit/s feeds simultaneously with a latency of just one microsecond, said Steve Garrison, Force10's marketing VP. That makes it practical to run it either on a 10Gig Ethernet LAN backbone, or on the 10Gig WAN uplinks which are increasingly being used in government and research networks.
If threat signatures are detected, the device can drop the packets, redirect the flows, or handle the incident in a number of other ways allowed in Snort.
The technology behind the P-Series comes from Metanetworks, a company acquired by Force10 last year. Garrison said that having turned that technology into a commercial product, Force10 has already shipped 25 units to existing users of its 10Gig switches, including the Amsterdam Internet Exchange and the US National Centre for Computational Sciences.
"With the P-Series, we can inspect and monitor traffic on our 10 Gbit/s links without impacting performance, making it possible to move data at line rate while still addressing security concerns," said NCCS senior network engineer Steven Carter.
"It's all in silicon, but it's FPGA [field-programmable gate aray] not ASIC [application-specific integrated circuit], so it's re-programmable not fixed," explained Garrison. "It's like the difference between ROM and EPROM."
It means that each of the 1000 processors can be programmed to detect a single specific attack signature, with the user choosing which of the 2000 signatures in the Snort library to apply - and also being free to add, remove or change signatures in real time.
"We can accommodate 1000 signatures, but customers today tend to select between 40 and 200 signatures depending in the application," Garrison said. "They're looking for different things and they want to avoid false-positives."
The P-Series comes in two flavours, both with two 1Gig logging ports - the P1 has two 1Gig sensing ports and costs $38,000 (around £22,000), while the P10 has two 10Gig sensing ports and is priced at $95,000 (just over £54,000).
They will compete with IDS/IPS devices from the likes of 3Com's TippingPoint group, Cisco, ISS and Radware. Garrison claimed that as these also cost around $100,000, but are slower, the P-Series can offer up to ten times better price/performance.
He added that the P-Series is an appliance today, but an IPS blade for Force10's 10Gig Ethernet switches is a possibility for the future. "I'm not announcing anything. We see the market splitting though, between those wanting an appliance and those wanting a blade - Cisco offers both, for example," he said.
"The industry is still in the first ten years of understanding how to package and build security. It'll be another five to 10 years before it matures."