Fady Khalil (Sales Engineer) - PowerPoint PPT Presentation

1 / 25

About This Presentation

Title:

Fady Khalil (Sales Engineer)

Description:

– PowerPoint PPT presentation

Number of Views:839

Avg rating:3.0/5.0

Slides: 26

Provided by: cpug

Category:

more less

Transcript and Presenter's Notes

Title: Fady Khalil (Sales Engineer)

1
Fady Khalil(Sales Engineer)

Nokia Security Solutions Update
(November 2004)

2
Agenda

Nokia high-end enterprise platforms
IPSO 3.8
IP 380
IP 1220/1260
IP2250
Nokia Secure Access System
Nokia One Business Server

3
IPSO 3.8

Nokia IPSO v3.8
New Features
Dynamic Routing Protocol Support with VRRP and
Clustering
DHCP Client, DHCP Server and PPPOE
Enhancements to IP Clustering in IPSO
Supported Platforms
Nokia IP110, IP120, IP130, IP330, IP350, IP380,
IP440, IP530, IP650, IP710, IP740, IP1260, New
Enterprise High-End Platform
Nokia IPSO v3.8 Improves Performance
IPSO 3.8 Support for Check Point NG with
Application Intelligence
Utilizes Check Point SecureXL 2.0 for accelerated
firewall CPS and VPN throughput
Increases Connections Per Second from 2x and up
on existing IP platforms (this will vary on
platforms)
Increases VPN 3DES and AES small and large packet
performance from 1.5x to 3x depending on the
platform
Does not increase existing FW large or small
packet throughput
VPN Accelerator Hardware support
Significant encryption acceleration for Nokia
IP530 and IP700 series

4
Nokia IP Platform OS

SecureXL v2.0
Enables higher firewall and VPN performance
across the Nokia IPSO product family
Small packet performance target is 4x in Nokia
IP380 and IP740
Performance target for all packet sizes is 2x
across all Nokia IPSO gateways
Firewall Flows technology co-developed with Check
Point

5
Network Security Platforms
New!
Nokia IP2250
NEW!
Nokia IP1260
Nokia IP740
New!
Nokia IP1220
Nokia IPSO v3.8
Nokia IP530
Price
Nokia IP380
Nokia IP350
Check Point Express or Enterprise VPN-1/FW-1
Nokia IP130
Nokia IP40 Check Point VPN/FW software included
Performance Functionality
6
Nokia IP350

High Speed Performance
Optimized for Check Point NG
Standard 256MB RAM (512 Max)
400 Mbps for NG FW-1
60 Mbps 3DES VPN
Flexible Connectivity
4 Integrated 10/100 Ethernet Ports
2 Option Slots for Dual WAN
WAN Connection Backup
2 Type II PCMCIA Modem Slots
Rapid Serviceability
Slide Out Access Tray

Small- and Medium- Enterprise Security Platform
7
Nokia IP380

High-speed Performance
Optimized for Check Point NG
Standard 256MB RAM (1024 Max)
600 Mbps for NG FW-1
90 Mbps 3DES VPN
130 Mbps 3DES VPN W/ Accelerator
Real-world Traffic Flexibility
Up to 8 Ethernet Ports
4 Integrated 10/100 Ethernet Ports
2 Type II PCMCIA Modem Slots
2 Option Slots
Dual 10/100 Mbps Ethernet or WAN
1 Internal PMC Slot for the Nokia VPN Encryption
Accelerator
Easily Serviceable
Slide Out Access Tray

Medium-Enterprise Security Platform
8
Nokia IP1220
Beta Trial

Nokia IP1220 platform supports same chassis/FRUs
as Nokia IP1260
Runs Nokia IPSOTM 3.8 with the following
applications
CP NG FP4 (FW-1, VPN-1, GX)
Nokia Secure Access System
Nokia Wireless Accelerator
Nokia OK applications

2RU serviceable slide-out tray
P4 CPU 2 x 256 MB System Memory (512 MB)
1 x IDE Hard Disk
1 x AC Power Supply
Fan Tray Assembly
4-Port 10/100 Ethernet PMC (external PMC slot)
2 x Dual PMC Carrier (I/O slots)

9
Nokia IP1220 Nokia IPSO 3.8 Check PointTM NG
R55 SecureXL 2.1

The importance of the Nokia IP1220
Faster then Nokia IP700 family in every measured
category
Huge performance increase in VPN at mid price
point
Performance addresses mid to large enterprise
growth needs
Continues to deliver more performance at
existing price points

10
Nokia IP1260
11
Nokia IP1260

Base System
2 RU appliance, serviceable tray
P4 CPU (2.8 GHz)
1 GB memory
4 built in 10/100 ethernet ports (removable)
Two dual PMC carrier cards for I/O cards (ADP
upgradeable)
Built-in VPN accelerator sub-system (3DES and
AES)
Two load-sharing power supplies
Two mirrored hard drives
Available I/O options
Dual-port 10/100 ethernet
Four-port 10/100 ethernet (IPSO 3.8)
Dual-port MMF or copper GBE
WAN options for T/E1, V.35, X.21, ISDN

12
Nokia IP1260 Nokia IPSO 3.7 with CP AI FP3 and
3.8 with CP AI

The importance of the Nokia IP1260
Nokia IP1260 is 3X faster then Nokia IP740 in
every measured category
Huge performance increase with a lowering of
/Mbps
Planned additional boost in VPN CPS with Nokia
IPSO 3.8 and SecureXL
Performance addresses unique needs of web based
traffic
Substantial increase in small packets, CPS

13
IP Traffic Performance Results
14
IA Packet Forwarding
15
IPSO 3.8 Changes

IPSO 3.8 Flow infrastructure
Improved scalability
Specialized slowpath queues.
Fastpath code enhacements in preparation for
SecureXL.
SecureXL
SecureXL can run only in FlowPath.
Formalization of Checkpoint interface to offload
functionality.
API defines
Connection setup
SecureXL Templates
Connection control
TCP state machine
Connection vs Flow
NAT
IPsec (ESP/UDP Encap) packet processing

16
Flow Infrastructure pre-3.7
firewall
SlowPath
Route/Flow trie
Flow Client
FlowPath/FastPath
17
3.8 Implementation
firewall
SlowPath
SXL Client
Flow Client
Flow Hash
VPN
Clear text
Crypto driver
FlowPath
sa
conn
18
IPSO Flow Implementation
FW Connection table
FW SA table
Ike negotiation
packet
Flow API
C2S Flow
S2C Flow
Luna API
19
SecureXL Implemenation
FW Connection table
FW SA table
Ike negotiation
packet
FW
SecureXL API
IPSO Connection
IPSO SA
Fw key
Decrypt Flow
C2S Flow
C2S Flow
c2s key
s2c key
20
SecureXL

IPSO implementation based on Flows Infrastructure
New features
Full connection offloading
Local traffic, ICMP, NAT, Sequence adjustments
VPN support
Hardware only, Luna card not supported.
SecureXL modes
V1.0
VPN support
TCP SYN, SYN-ACK, SYN/SYN-ACK to firewall
UDP First packet to firewall
V1.5
V1.0
TCP only SYN to firewall. Full state machine in
IPSO. State change notifications update FW of
changes. In case of error F2F.

21
Initialization

Enabled by CheckPoint (cpconfig)
Disabled by default.
In Kona is enabled by default.
Version exchange
Backward compatibility FW vs IPSO (not an issue
in 3.8)
Feature advertising
Routing
Cryptography (hardware based)
MD5
SHA1
3DES
DES
AES-128(AES-256 limited by hardware)
NAT
TCP state negotiation
Multicast

22
Summary

Good
Connection rate.
VPN forwarding.
Not so good
Connection setup sync traffic.
Higher memory use.
In flows not all is offloaded.
Ipsctl variables
Netsxlstats API statistics
Netipflowtcperror TCP state machine errors
netipflowsatablestats SA table statistics

23
Nokia ADP Packet Forwarding
CP Applications
IPSO Slow Path
Pre IPSO Kona with ADP and SecureXL
Acceleration traffic has longer path to travel
IPSO Fast Path
Network Processor
Motherboard
24
Nokia ADP Packet Forwarding
IPSO, ADP SecureXL acceleration speeds up FW
Connections Per Second (CPS) VPN throughput by
shortening the IP path
25
Nokia IP2250
Beta Trial

Base Configuration Diskless Based System
3RU chassis with serviceable slide-out tray,
motherboard, NP boards, midplanes, backplanes,
internal cabling, etc.
P4 CPU (3.0 GHz)
4 x 512 MB System Memory (2 GB)
1 GB Compact Flash
2 x AC Power Supplies
Fan Tray Assembly
4-Port 10/100 Ethernet CPCI (integrated)

Factory Installed Options
2-Port MMF Gigabit Ethernet ADP
2-Port Copper Gigabit Ethernet ADP
8-Port 10/100 Ethernet ADP
Nokia Encrypt Card
1 GB Flash PC-Card

26
Nokia IP2250

FW/VPN only - performance leader for large
enterprise, data center SPs
Designed to meet market trend to short session
small packet traffic with SecureXL 2.0, Nokia
IPSO 3.8 and high CPS VPN 3DES/AES Gbps
Delivers leading edge scalable flexible NP ADP
technology adding to existing IP Intel
architecture family
Positions Nokia as a very competitive technology
leader against NS, Cisco, Nortel, Crossbeam
without their inflexible proprietary solutions
price per mbps better then most competing
products
Highest port density in IP line up to 36 10/100
Ethernet
VRRP only for HA configuration
Positioned above IP1260
Can meet FIPS 140-2 and NEBS III certification
for Government market
Highly redundant for high profile sites
out-of-the-box
First diskless system from Nokia