Product Review: Corrent S3500 TurboCard
2. Features:
OK, so you're thinking your regular old Gigabit Ethernet
firewall can't handle all the throughput you need with Firewall-1/VPN-1? The
Corrent S3500 TurboCard offers several ways to accelerate firewall traffic
above and beyond what a normal Gigabit firewall can do.
In his demonstration at a recent
CPUG meeting, Jeff Douglass was able to push 1.3 Gb/s with small packets
(these were 64 byte packets, a particularly difficult test because of the
packet overhead) and 2 Gb/s on medium and large packets.
One of the themes you'll see in these acceleration methods is
that the more work the NIC can handle, before (or instead of) sending it up to
the already-taxed Pentium 4 processor, the higher the potential throughput.
The goal is to "fastlane" some of the packets so they never have to leave the
NIC, cross the PCI bus, and add additional load to the main processor.
There's a lot of intelligence built-in on the board, and a lot of it is done in
purpose-built chips, which are much faster than a general purpose CPU.
Here are five secrets to TurboCard acceleration:
Acceleration #1: Copying The Connections Table To The NIC
One of the secrets to Firewall-1/VPN-1 performance is that once
a connection (a true TCP connection or a virtual UDP or ICMP connection) is
established and moved to the connections table, subsequent packets in that
connection don't have to be tested against the security policy; they can be
just "fastlaned" through. Few administrators are aware that
packets arriving at Firewall-1/VPN-1 are actually compared to the connections
table first before they are presented to the security policy.
With the TurboCard, the connection table is copied
down to the card itself, and most subsequent packets within existing,
already-approved connections can simply transit the card from NIC to NIC without
having to go up to the processor. Downloading a 1 GB ZIP file? All
packets after the first simply transit the NIC without seeing the Pentium.
Acceleration #2: Hardware VPN Acceleration
When DES was first developed in the early 1970s, it wasn't
optimized to run on a general-purpose processor. As a result, even with
modern CPUs it still creates a significant drain on processor resources,
particularly when supporting large VPN bandwidths.
The TurboCard has a purpose-built ASIC (Application Specific
Integrated Circuit), the Corrent CR7120 Security Processor, to offload these calculations from the CPU. This
processor handles all DES, 3DES, and AES-128 symmetric key encryption
computations; as well as all MD5 and SHA-1 hash calculations. The VPN
tunnel itself terminates right on the card, and doesn't have to go up to the
CPU.
With the TurboCard, Firewall-1/VPN-1 can sustain 2 Gb/s VPN
traffic and can support 40,000 simultaneous VPN ESP tunnels with their Security Associations
right on the card.
Acceleration #3: Packet Screening By Templates
With the TurboCard installed, Firewall-1/VPN-1 is able to create
templates for establishing new connections (knowing in advance what will be
allowed or disallowed) and these templates can be copied down to the card to
also allow these new connections to transit the card without being forwarded up to
the CPU.
Acceleration #4: Drop Acceleration
Since the TurboCard has its own IBM NPU, it's easy to treat the
incoming NIC as a sort of simple external screening router by configuring simple
Access Control Lists (ACLs). Using the Linux command line interface, you
can configure simple drop lists, preventing certain attempted connections from
ever reaching the firewall itself.
Here's the description straight from Corrent:
"The Drop Acceleration feature of the Turbocard allows the user
to define a list to which all incoming packets are compared, and consequently
dropped by the Turbocard if a match is found. Each entry in the list consists of
a Destination IP address, Destination Port number, and the Protocol type. The
logic of the feature is performed at the end of packet processing logic, and due
to this, the feature will only be applied to packets that do not currently match
an existing connection or template in the Turbocard."
Acceleration #5: Template Quotas
Lastly, to protect hosts behind the firewall from certain types
of attacks, it's possible to set and enforce
quotas right on the NICs, again by using the Linux CLI. While it's true
Check Point's FloodGate-1 is a traffic-shaping product, its reputation as a
processor hog reduces its value at Gigabit throughput; better to do
this sort of high-speed protective traffic-shaping in hardware.
Here's Corrent's description:
"The feature is designed to protect elements behind the FW and
the FW itself from different types of attacks and works by allowing the user to
define, in a configuration file, [...] parameters that combine to limit the
number of template based connections that the FW will allow through."
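The four card-resident mechanisms above (connections table, templates, drop list, template quotas) only make sense together once you see the order in which a packet is checked against them: Corrent's own description says the drop list is consulted at the end of packet processing, after the connections table and templates. The following simulation is an added illustration written for this review, not Corrent or Check Point code; the 5-tuple connection key, the behaviour when a template's quota is exhausted (refused on the card), and all addresses and ports are constructed assumptions.

```python
"""Simulated TurboCard fast path.

Added illustration, not Corrent or Check Point code. Models the processing order
the review describes: (1) offloaded connections table, (2) templates (with
quotas), (3) drop list, (4) everything else goes up to the host CPU.
Quota handling and all addresses/ports are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Connection key as a 5-tuple: (src, dst, sport, dport, proto). Constructed
# shape; the card's real table layout is not described in the review.
ConnKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp", "udp" or "icmp"

    def key(self) -> ConnKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self) -> ConnKey:
        # Reply direction of the same connection.
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Template:
    """Pre-approved pattern for new connections: (dst, dport, proto) plus a quota."""
    dst: str
    dport: int
    proto: str
    quota: int      # max template-based connections the card will admit
    used: int = 0


@dataclass
class TurboCardSim:
    connections: Dict[ConnKey, str] = field(default_factory=dict)
    templates: List[Template] = field(default_factory=list)
    drop_list: List[Tuple[str, int, str]] = field(default_factory=list)  # (dst, dport, proto)
    stats: Dict[str, int] = field(default_factory=dict)

    def _count(self, verdict: str) -> str:
        self.stats[verdict] = self.stats.get(verdict, 0) + 1
        return verdict

    def install_connection(self, key: ConnKey, origin: str = "host") -> None:
        """Copy an approved connection down to the card (what happens after INSPECT accepts it)."""
        self.connections[key] = origin

    def classify(self, pkt: Packet) -> str:
        # 1. Existing connection (either direction): forwarded NIC-to-NIC, the CPU never sees it.
        if pkt.key() in self.connections or pkt.reverse_key() in self.connections:
            return self._count("fastpath")
        # 2. Template match: the card admits the new connection itself, within quota.
        for t in self.templates:
            if (t.dst, t.dport, t.proto) == (pkt.dst, pkt.dport, pkt.proto):
                if t.used < t.quota:
                    t.used += 1
                    self.install_connection(pkt.key(), origin="template")
                    return self._count("template")
                # Assumption: once the quota is used up, further template-based
                # connections are refused on the card rather than sent to the host.
                return self._count("quota_exceeded")
        # 3. Drop list: checked last, so it only sees packets matching no connection or template.
        if (pkt.dst, pkt.dport, pkt.proto) in self.drop_list:
            return self._count("dropped")
        # 4. Anything else crosses the PCI bus to the host for full policy inspection.
        return self._count("slowpath")


def run_demo() -> Tuple[TurboCardSim, List[str]]:
    """Constructed traffic mix exercising every path; returns card state and verdicts."""
    sim = TurboCardSim()
    sim.templates.append(Template("10.0.0.5", 80, "tcp", quota=2))

    # A connection that existed before the drop-list entry for port 23 was added.
    telnet_old = Packet("192.0.2.15", "10.0.0.5", 40005, 23, "tcp")
    sim.install_connection(telnet_old.key())
    sim.drop_list.append(("10.0.0.5", 23, "tcp"))

    web1 = Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp")
    web2 = Packet("192.0.2.11", "10.0.0.5", 40001, 80, "tcp")
    web3 = Packet("192.0.2.12", "10.0.0.5", 40002, 80, "tcp")
    telnet_new = Packet("192.0.2.13", "10.0.0.5", 40003, 23, "tcp")
    https = Packet("192.0.2.14", "10.0.0.5", 40004, 443, "tcp")
    https_reply = Packet("10.0.0.5", "192.0.2.14", 443, 40004, "tcp")

    verdicts = [
        sim.classify(web1),        # template admits it and installs the connection
        sim.classify(web1),        # second packet of the same flow: fast path
        sim.classify(web2),        # template, quota now exhausted
        sim.classify(web3),        # refused by quota
        sim.classify(telnet_old),  # existing connection wins over the drop list
        sim.classify(telnet_new),  # no connection, no template: drop list applies
        sim.classify(https),       # no match anywhere: up to the host
    ]
    # Host policy accepted the HTTPS connection; the card learns it, so the reply is fast-pathed.
    sim.install_connection(https.key())
    verdicts.append(sim.classify(https_reply))
    return sim, verdicts


if __name__ == "__main__":
    sim, verdicts = run_demo()
    print(verdicts)
    print(sim.stats)
```

The point worth keeping in mind from the demo is the `telnet_old` case: because the drop list is evaluated last, adding an entry does not tear down a connection the card already holds, so a drop-list change only protects against new connection attempts.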
Improving Throughput During A DoS Attack
Corrent emphasizes that not only can the card accelerate
throughput by speeding packet flow, but by being particularly fast and efficient
at dropping packets, the card can help keep good traffic flowing during a
DoS attack.
What Can't Be Accelerated?
Any type of traffic that must go up to the host processor can't
be accelerated with the TurboCard. This includes packets that need to be
inspected by SmartDefense and any traffic that needs Network Address
Translation, although Corrent is working with Check Point to include
acceleration of packets needing NAT in a future release.
How Does It Bolt On To Firewall-1/VPN-1?
Firewall-1/VPN-1 provides an API (Application Programming
Interface) called SecureXL, which is the protocol through which the
TurboCard connects to the firewall. Check Point also provides a
software version of this accelerator, called PerformancePack, which
connects in the same way. You can't run the TurboCard and PerformancePack
simultaneously. In fact, when the TurboCard driver loads, it shuts down
the PerformancePack daemon and renames it. The TurboCard driver simply
attaches to the SecureXL API and begins exchanging information with the INSPECT
engine.