IPS device checks 10Gbit/s traffic

Force10's latest intrusion-prevention system (IPS) appliance is designed for 10GbE throughput.

Switch vendor Force10 Networks last week introduced the P10, which it described as an intrusion-prevention system (IPS) appliance that inspects, monitors, captures and blocks traffic at line-rate 10 Gigabit Ethernet (10GbE) speeds.

Force10 marketing vice-president Steve Garrison said, “We see our devices being deployed as 10Gbit/s firewalls or as core IDS/IPS traffic inspection tools. Both require a high-speed, low-latency device to prevent a network bottleneck.”

The P10 has two line-rate 10GbE ports, for an aggregate inspection throughput of 20Gbit/s. The firm also released a lower-end IPS appliance, the P1, for line-rate gigabit speeds. Both appliances run a hardened Linux platform and can be deployed inline or passively to inspect traffic. Each has two 10/100Mbit/s management ports and an RJ-45 console port. These 1U P-Series appliances run patented Dynamic Parallel Inspection (DPI) for high-speed traffic capture, and their deep-packet inspection capability can scale up.

DPI uses multiple hardware engines to simultaneously process thousands of rules on a single packet. The security rules and signatures are hardware-embedded to guarantee line-rate performance.

“The rules and signatures are directly written on field programmable gate arrays [FPGAs]. Since the chips are programmable, IT managers can update, delete or add rules and signatures in real time,” added Garrison.

Force10 said the ability to write new signatures directly to hardware in real time gives IT managers predictable performance regardless of traffic conditions.

The P-Series appliances also support open-source network security apps, such as Sourcefire’s Snort IPS/IDS technology, enabling users to specify policies from public domain signatures or standard network monitoring libraries.

The appliance rules and signatures are administered through a simple text-based screen, enabling network staff to manage runtime parameters such as packet truncation, flow length and timeouts. They can also turn specific rules on or off and set capture/ignore and block/forward policies for each rule. The P10 costs about £56,000 + VAT while the P1 costs about £21,000 + VAT.

www.force10networks.com