A NetDevices Technical Note
This technical note describes the key features of NetDevices' OnePass™ capability, how it enables true unification of multiple services, and how it allows enterprises to fully address their performance, scalability and security requirements for branch office networking.
Modern enterprises are distributing more and more business applications to branch offices. To support these business requirements, multiple networking services such as security, firewall, routing and VPN are required at most locations. With mission-critical applications at the branch, the branch network infrastructure must be robust, scalable and remotely manageable, and must maintain high performance as new services and applications are added. In addition, it must be capable of efficiently dealing with the most sophisticated security threats in today's intensely networked environment.
With traditional branch office solutions, enterprises have been offered one of two alternatives: a set of independent cascaded point devices, or multi-function networking products that are just collections of independent service appliances consolidated into one box. Due to inherent architectural limitations, neither of these solutions is able to satisfy the requirements of distributed enterprises. Complex system management, high service downtime, performance degradation and vulnerable security are some of the thorny problems enterprises deal with on a regular basis as they add new services to branch offices. Hence, enterprises need next-generation branch office solutions that have been purpose-built to unify multiple services and that enable them to fundamentally re-architect the way their branch office networks are built and managed.
In order to comprehensively address the requirements of today's distributed enterprises, a truly unified branch networking solution has to deliver the following capabilities:
- Always available remote management access to the system, independent of the state of the system
- High service resiliency via fast recovery from both hardware and software failures
- Non-disruptive servicing through in-service upgrades, configuration changes and new service additions
- High performance and scalability as new services are added
- Fast and effective response to even the most sophisticated security threats through a new approach to layered security
This technical note focuses on the last two requirements outlined above. It first highlights the limitations of traditional solutions and then contrasts them with how NetDevices' OnePass™ approach enables enterprises to satisfy these demanding requirements.
Limitations of traditional solutions:
Inefficiency and lack of scalability
Packet classification and inspection are essential for services processing. Traditional routers and today's consolidated services systems use Access Control Lists (ACLs) to classify packets for service processing. Different ACLs identify packets that qualify for different services, such as firewalling or intrusion prevention. A packet may need to be processed by several services, and most consolidated systems still classify packets one service at a time, as if they were passing through multiple independent appliances. Processing each packet multiple times incurs significant overhead. In addition, each service having its own ACL syntax increases the complexity of classification and therefore the chance of introducing errors, for example a rule that is expressed correctly for one service and mistranscribed for the next. The greater the number of services, the greater the processing load and system latency, and the less efficient the overall system becomes.
This can best be illustrated by following the journey of a packet as it traverses a traditional consolidated system, which in this case is a router with security capabilities added to it.
Since this device is basically a router with security capabilities added in, the packet first hits the router, which sits outside the firewall, as illustrated in Figure 1 above. The router is open and unprotected and has no way of verifying whether the packet is safe; it receives whatever the untrusted side sends, including traffic aimed at the router itself, before any security check has been applied. All it does is classify the packet, determine where it is going, and forward it towards its destination. Packet classification is CPU-intensive: it involves determining the source address, destination address, protocol type, source port, destination port, message type, packet fragmentation and packet type.
Next the packet enters the firewall, where the first service is usually Internet Protocol Security (IPsec) decryption. One of the first steps undertaken by IPsec is again packet classification, even though the router has just done it. Because there is no unification of services in traditional solutions, there is no easy way to share information across service modules or to leverage common resources. The IPsec module verifies the sender's authentication data, decrypts the packet if it was encrypted, and classifies the resulting inner packet. Then the packet is sent to a filter.
The filter classifies the packet yet again, expending CPU cycles on determining the source address, destination address, protocol type, packet type and so on. Based on this information it decides whether to accept or deny the packet, even though the packet is already two steps inside the firewall. Having decided to accept the packet, the filter sends it to the Denial of Service (DoS) module to determine whether or not the packet is part of a DoS attack.
The DoS service classifies the packet again and inspects it for signs of a DoS attack. If the packet clears, it is sent to the Intrusion Prevention/Intrusion Detection Service (IPS/IDS) for a closer look. IPS/IDS classifies the packet in its entirety one more time and inspects the content for more subtle signs of intrusion, performing additional inspection such as URL extraction and normalization. If the packet is clean, it is forwarded to other content security services such as Web Filter and Anti-Virus. If these content security services need the information already extracted by IPS/IDS, they have no option but to repeat CPU-intensive processes such as URL extraction and normalization, and packet classification is repeated yet again.
After clearing the content security services, the packet is finally passed to Network Address Translation (NAT), route lookup and packet forwarding, before being forwarded to its destination in the internal network.
As is evident from the scenario described above, there are several issues with the traditional approach that adversely impact performance and security:
- The reclassification of every packet by every service leads to highly inefficient usage of CPU cycles and increases system latency
- The repeated inspection of packet content by each content security service is likewise wasteful of system resources
- The router, sitting outside the firewall, is unprotected: it receives and processes every packet before any security service has seen it
Clearly, due to the lack of unification across multiple services, traditional solutions are not able to meet the stringent performance, scalability and security requirements of modern branch offices with mission-critical applications. A radically new approach is required to address these requirements.
NetDevices' OnePass Approach:
The Foundation for Full Services Unification
NetDevices unified service gateways are purpose-built branch office networking solutions designed from the ground up to reduce complexity, optimize network performance and unify branch office services. At the heart of full services unification is its OnePass capability, which provides a radically more efficient solution for packet classification and inspection, and ensures that all services are performed at the correct points in the packet flow path.
OnePass offers an elegant syntax for defining packet classification and specifying complex policies. As a result, the NetDevices unified services gateways provide global classification of packets for all services, down to an application's payload level, in a single pass. Once a packet is classified, it is processed only through the appropriate services. With service modules relieved of the need to classify and process every packet, CPU efficiency dramatically increases, thereby improving service performance and reducing the risk of errors. To illustrate the difference with the traditional approach, let us take a look at the life of a packet as it traverses through a NetDevices unified services gateway.
As illustrated in Figure 2 above, the packet first enters the firewall, where it encounters IPsec decryption. Note that, unlike in the traditional scenario, the packet enters the firewall before it reaches the routing service module. Using the OnePass syntax for packet classification, the IPsec service classifies the decrypted packet (classification follows decryption because the inner headers and payload are only visible after it) and attaches a tag carrying the classification data. This tag follows the packet for the rest of its journey through the firewall: the classification data is available to each subsequent service, and no further classification is performed. This makes optimum use of CPU cycles and reduces system latency.
The tagged and decrypted packet passes to a filter that determines whether to accept or deny the packet based on the information in the tag. The filter looks for unauthorized sources, destinations, protocols and so on. The packet then passes through the DoS module before being forwarded to the IPS/IDS service.
In addition to inspecting packet content for signs of intrusion, the IPS/IDS service extracts information about the content (e.g. URL extraction and normalization) and stores it in a centralized content management repository. This content data is available to all subsequent content security services such as web filter and anti-virus, eliminating the need for additional CPU-intensive content inspection. Sharing the result in this way is only safe if every consuming service agrees on the normalization rules; a web filter that matched against a differently canonicalized URL would otherwise miss entries in its block list.
Finally, only after the packet has passed through all firewall and content security services is it passed on to the NAT function and then to the router for route lookup and packet forwarding. If the packet is part of a DoS attack or some other type of security threat, it is eliminated long before it reaches the router.
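To make the difference between the two packet journeys concrete, the following model is an added example written for this note; it is not NetDevices code and does not reflect the gateway's internal data structures. It simulates both pipelines described above with the same five security services: in the traditional pipeline the router runs first and every module classifies the packet for itself with no shared content, while in the OnePass pipeline the packet is classified once, tagged, the IPS/IDS result is kept in a shared content repository, and routing happens last. The packet, the block lists, the signature bytes and the per-service policies are constructed for illustration only.

```python
"""Single-pass vs. per-service packet classification, modelled in Python."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes
    tag: dict = field(default_factory=dict)   # OnePass: classification rides with the packet


@dataclass
class Stats:
    classifications: int = 0
    url_extractions: int = 0
    route_lookups: int = 0
    dropped_at: str = ""                      # "" means accepted and forwarded


# Hypothetical policy tables, chosen for this example only.
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]
BLOCKED_URL_PREFIXES = ("/malware/",)
AV_SIGNATURES = (b"X5O!P%@AP",)              # leading bytes of the EICAR test string


def classify(pkt, stats):
    """The expensive step (5-tuple, fragment, type); counted on every call."""
    stats.classifications += 1
    return {"src": ip_address(pkt.src), "dst": ip_address(pkt.dst), "proto": pkt.proto,
            "sport": pkt.sport, "dport": pkt.dport, "fragment": False}


def extract_url(pkt, stats):
    """URL extraction and normalization: percent-decode and case-fold the path."""
    stats.url_extractions += 1
    request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    target = request_line.split(" ")[1]
    return unquote(urlsplit(target).path).lower()


def route_lookup(stats):
    stats.route_lookups += 1
    return "lan0"                             # single hypothetical internal interface


# Each service returns True to accept. `cls` is classification data; `content`
# is the shared repository (OnePass) or a fresh, empty dict (traditional).
def filter_service(pkt, cls, content, stats):
    return not any(cls["src"] in net for net in BLOCKED_SOURCES)

def dos_service(pkt, cls, content, stats):
    return not cls["fragment"]                # crude stand-in policy: drop fragments

def ips_service(pkt, cls, content, stats):
    content["url"] = extract_url(pkt, stats)  # IPS/IDS extracts and normalizes the URL
    return not content["url"].startswith(BLOCKED_URL_PREFIXES)

def web_filter_service(pkt, cls, content, stats):
    if "url" not in content:                  # nothing shared: extract all over again
        content["url"] = extract_url(pkt, stats)
    return not content["url"].startswith(BLOCKED_URL_PREFIXES)

def av_service(pkt, cls, content, stats):
    return not any(sig in pkt.payload for sig in AV_SIGNATURES)

SECURITY_SERVICES = [("filter", filter_service), ("dos", dos_service),
                     ("ips", ips_service), ("webfilter", web_filter_service),
                     ("av", av_service)]


def traditional_pipeline(pkt):
    """Router first, then every module classifies and inspects on its own."""
    stats = Stats()
    classify(pkt, stats)
    route_lookup(stats)                       # unprotected router routes everything it sees
    classify(pkt, stats)                      # IPsec classifies again
    for name, service in SECURITY_SERVICES:
        cls = classify(pkt, stats)            # each module repeats classification
        if not service(pkt, cls, {}, stats):  # no shared content repository
            stats.dropped_at = name
            return stats
    classify(pkt, stats)                      # NAT / forwarding classify once more
    return stats


def onepass_pipeline(pkt):
    """Classify once at IPsec, tag the packet, share content, route last."""
    stats = Stats()
    pkt.tag = classify(pkt, stats)            # single classification, kept as a tag
    content = {}                              # centralized content repository
    for name, service in SECURITY_SERVICES:
        if not service(pkt, pkt.tag, content, stats):
            stats.dropped_at = name           # rejected before NAT and route lookup
            return stats
    route_lookup(stats)                       # routing only sees packets that passed
    return stats


def make_packet(src="198.51.100.7", path="/index.html"):
    """Constructed HTTP request; the only traffic this example needs."""
    payload = f"GET {path} HTTP/1.1\r\nHost: branch.example\r\n\r\n".encode()
    return Packet(src, "10.0.0.20", "tcp", 40000, 80, payload)
```

Running `traditional_pipeline(make_packet())` classifies the clean packet eight times and extracts the URL twice, whereas `onepass_pipeline(make_packet())` does each once. For a packet from the blocked source range the traditional model has already performed a route lookup in the exposed router before the filter drops it, while the OnePass model never reaches routing. The percent-encoded `/MalWare/%70ayload.exe` path shows why the normalized form must be what every consumer matches against: only after decoding and case-folding does it hit the `/malware/` prefix.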
With the NetDevices OnePass approach, security functions are applied at the correct points in the packet flow. This greatly reduces the likelihood of deployment and configuration errors in the branch office, whether networking and security services are deployed simultaneously or, as is typical in branch offices today, networking services are deployed first and security functions are added later.
In addition to maximizing performance and enhancing security, the OnePass approach provides scalability by making it easy to add new services without rerouting packets and without straining the gateway's resources. Because a packet is classified and inspected in one pass when it enters the gateway, latency stays low no matter how many service modules the customer adds. New services added to an existing NetDevices gateway also receive, by default, the same protection from the existing security functions as the services already in place. In contrast, with traditional cascaded solutions or consolidated systems, latency grows and scalability degrades with every additional service, because each one requires significant additional processing. Moreover, there is no guarantee that new services will fully benefit from the security functions in place for existing services, and ensuring this may require a redesign and redeployment of the solution.
Because the NetDevices unified services gateways have been architected from the ground up to unify multiple services, those services work together rather than in logical isolation and leverage common resources wherever possible, ensuring the highest possible performance, reliability, reusability and manageability.
Key Benefits
The following table summarizes the key benefits offered by the NetDevices OnePass capability and the features that deliver these benefits:
| Key Benefit | Derived From |
|---|---|
| Maximum performance and minimum latency across multiple services | Single-pass packet classification, eliminating the need for multiple classifications of the same packet |
| | Single-pass content inspection whose results are re-used by all content security services |
| | Unified syntax for classification across all services, reducing the risk of errors |
| | No wasteful usage of CPU cycles on packets that are rejected |
| Maximum scalability across multiple services | Minimal or no additional processing overhead as new services are added |
| | Minimal incremental latency due to the addition of new services |
| Enhanced security that enables rapid response to even the most sophisticated security threats | All services applied at the correct points in the packet flow |
| | All security services first, then routing/packet forwarding |
| | Unified multi-service architecture that ensures new services automatically receive full protection from existing security functions |
Summary
Enterprises are distributing more and more applications to branch offices, and branch office networking requirements are changing at a rapid pace to support this business need. Traditional solutions, based on multiple point devices or consolidated multi-function systems, are unable to satisfy the new requirements. A truly unified branch office services platform is required to overcome these challenges. To maintain high performance and scalability as new services are added, such a system has to be architected from the ground up to unify multiple services. The NetDevices Unified Services Gateways, with their OnePass approach to service unification, are purpose-built solutions designed to overcome the limitations of traditional point products and consolidated systems, and to fully deliver the benefits of integrating multiple services.