If you’ve flown on a commercial airplane since September 2006, you experienced firsthand some of the principles of network security. In the old days, airport screeners checked passenger IDs and moved people through quickly—a process that went rather smoothly most of the time. Today, however, the process is much slower. Because the United States Transportation Security Administration enforces rules that require passengers to take off their shoes, take laptops out of their cases, and limit liquids to as many three-ounce bottles as can fit in a one-quart clear plastic bag, the screening process takes longer than ever, as more inspection is done.
This tortuous set of procedures is a perfect metaphor for the challenge IT security administrators face every day. In a test environment where few rules are turned on and a single type of traffic floods a device, a gateway’s performance can soar. However, in the real world, where traffic is complex and many rules are needed to protect assets, performance at the network perimeter is slower, sometimes taking two or three times as long as preferred. From this evidence, you would think that the harder a security device scrutinizes traffic, the less efficient it will be in a real-world environment. That was the case for a while. It’s not true anymore.
The old way
Until recently, a great many security gateway devices were designed with a special type of semiconductor chip—application-specific integrated circuits (ASICs). The advantage of ASICs is that they are custom designed to perform a particular function very well. As chip feature sizes have shrunk and semiconductor design tools have improved, the maximum complexity—and hence functionality—possible in an ASIC has grown from 5,000 gates to more than 100 million. Practically speaking, this makes these circuits great for taking a static job and doing it fast. Back in 2001, when the biggest threats to a network were distributed denial of service attacks, this approach to security worked great.
Nowadays, however, the static nature of ASIC-based systems does not work. Because ASICs cannot be reprogrammed, new threats such as worms, and newly discovered vulnerabilities that change daily, render them completely ineffective. Put another way, the moment an ASIC-based security device is designed and sent to manufacturing, it is out of date. This means that investing in an ASIC-based security device is like investing in the old method of airport security—the moment traffic gets complicated, performance suffers. No wonder so many system administrators use old security boxes as doorstops.
The next generation
Luckily for network administrators, there is an alternative to ASICs. Desperately seeking an approach designed to last, newer security devices have turned to multi-core open processors. Designed to be as flexible as possible, these chips can be reprogrammed on short notice and upgraded as necessary. Devices employing this technology can process information as fast as 10 to 12 Gbps on a single server—and that number is rapidly increasing. Because open processors are so adaptable, total cost of ownership is lower as well, since enterprises do not have to replace the technology as often as they might replace an ASIC-based system that quickly becomes obsolete.
Still, open processor-based devices are not perfect. Even with these more flexible engines, the performance improvement by itself is not efficient enough, largely because of imbalances among the multiple cores on these processors: while one core is running at 100 percent, another might be running at 20 percent. The net result is that the system does not perform as well as it could. To avoid these slowdowns, enterprises typically do not depend on integrated intrusion prevention capabilities, because they fear a significant negative effect on throughput. Instead, they buy separate intrusion prevention boxes, contributing to security sprawl.
The Check Point approach
A new technology from Check Point Software eliminates these inefficiencies and maximizes network security. Branded CoreXL, this technology is integrated with VPN-1 Power and is employed on Intel multi-core processors to speed up network security scanning. CoreXL acts as a traffic cop, engaging in "intelligent load balancing." It levels out traffic across cores, dispersing large (high-KB) packets to other cores on the system. As a result, an enterprise can turn on a strict protection profile in which 70 percent of all SmartDefense intrusion prevention settings are activated, and VPN-1 Power will perform deep-packet inspection on nearly every packet that passes through the network device.
Thanks to this strategy, CoreXL improves overall security performance over baseline open processor metrics by nearly 600 percent, to approximately 1.8 Gbps with a strict protection profile activated. What is more, because CoreXL handles intrusion prevention, enterprises can minimize the number of security boxes on their networks, absorbing more functions into fewer tools. Finally, because the processors working with CoreXL are so adaptable, network administrators no longer have to worry about refreshing their security products every year. Every system should be so efficient.
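The core-imbalance problem ("one core at 100 percent, another at 20") and the effect of a "traffic cop" that levels work across cores can be seen in a small simulation. This is an added example, not Check Point's CoreXL code or any real product's dispatcher: the four-core count, the flow_id-modulo pinning (standing in for a hash of the flow 5-tuple), the assumption that inspection cost is proportional to packet size, and the traffic mix are all constructed for illustration.

```python
"""Toy model of dispatching packets across inspection cores.

Two strategies are compared on a constructed traffic mix:
  * static pinning: each flow is bound to one core (here flow_id % cores,
    standing in for a hash of the 5-tuple), so a single heavy flow can
    saturate one core while the others idle
  * least-loaded dispatch: each packet goes to whichever core currently
    has the least outstanding inspection work

Inspection cost is assumed to be proportional to packet size (constructed
assumption; real deep-packet inspection cost also depends on the rule set).
"""
from dataclasses import dataclass
from typing import Callable, List

CORES = 4  # assumed core count for the model


@dataclass(frozen=True)
class Packet:
    flow_id: int  # constructed flow identifier, stands in for the 5-tuple
    size: int     # bytes; inspection cost is modeled as equal to size


def constructed_traffic() -> List[Packet]:
    """One 'elephant' flow (10 x 1500 B) interleaved with eight small
    flows (5 x 100 B each). Total work: 19000 cost units."""
    packets: List[Packet] = []
    for rnd in range(10):
        packets.append(Packet(flow_id=1, size=1500))
        if rnd < 5:
            for fid in range(2, 10):
                packets.append(Packet(flow_id=fid, size=100))
    return packets


def static_dispatch(packets: List[Packet], cores: int = CORES) -> List[int]:
    """Pin every packet of a flow to the same core (flow_id % cores)."""
    load = [0] * cores
    for p in packets:
        load[p.flow_id % cores] += p.size
    return load


def least_loaded_dispatch(packets: List[Packet], cores: int = CORES) -> List[int]:
    """Send each packet to the core with the least work queued so far.
    Ties go to the lowest core index."""
    load = [0] * cores
    for p in packets:
        target = min(range(cores), key=lambda i: load[i])
        load[target] += p.size
    return load


def imbalance(load: List[int]) -> float:
    """Peak-to-mean ratio of per-core work; 1.0 means perfectly level."""
    mean = sum(load) / len(load)
    return max(load) / mean if mean else 1.0


def completion_time(load: List[int]) -> int:
    """Cores run in parallel, so wall time is set by the busiest core."""
    return max(load)


def utilization(load: List[int]) -> List[int]:
    """Percent busy relative to the busiest core (the '100 vs 20 percent' view)."""
    peak = max(load)
    return [round(100 * l / peak) for l in load]


if __name__ == "__main__":
    traffic = constructed_traffic()
    strategies: List[tuple[str, Callable[[List[Packet]], List[int]]]] = [
        ("static pinning", static_dispatch),
        ("least-loaded", least_loaded_dispatch),
    ]
    for name, fn in strategies:
        load = fn(traffic)
        print(f"{name:15s} load={load} util%={utilization(load)} "
              f"imbalance={imbalance(load):.2f} wall={completion_time(load)}")
```

Static pinning leaves three cores at about 6 percent of the busiest one and finishes the batch in 16000 cost units; least-loaded dispatch finishes the same work on the same four cores in 5500 units. The toy ignores something a real dispatcher cannot: stateful inspection needs each flow's connection state and packet order, so production designs balance at flow granularity or share the connection table across cores rather than scattering raw packets as freely as this model does.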
For more information about Check Point CoreXL technology and the new Open Performance Architecture, read our white paper.