Technical terms of VSP

1. Video signal processor
2. Virtual software processor
3. Virtual Switching Point

As informatization deepens, more and more applications run over the Internet. As the infrastructure of perimeter defense, the firewall faces multiple challenges. On the one hand, security requirements change constantly; on the other hand, network bandwidth is expanding rapidly. The traditional small-workshop style of R&D can no longer meet these requirements, so platform-based equipment has become the development trend.

Through platformization, the firewall can quickly adapt to new hardware platforms, and its performance can be rapidly improved to meet or even lead the growth of network bandwidth. At the same time, a platform-based firewall has good extensibility and adaptability: it can be quickly ported to various hardware platforms, which improves the cost performance of the system, and new functions can easily be developed to meet special or ever-changing user security needs. For its next-generation security architecture, Lenovo Netroyal has launched a security platform with an elastic architecture, which is in line with this development trend and pushes the research and design of firewall products to a new height.

The security platform of elastic architecture consists of four core components: General Security Platform (VSP) is the foundation of all firewall devices, Unified Security Engine (USE) is the security engine of firewall devices, Multiple Redundancy Protocol (MRP) is the guarantee of high reliability of firewall devices, and High Speed Security Hardware (HSH) is the booster of high performance of firewall devices.

In security products, the effective combination of the four core technologies can provide users with diversified security functions. It can provide high-end users with dedicated, high-performance and high-reliability security devices, such as firewalls, VPN, IPS and so on; it can also provide multi-functional, cost-effective and easy-to-manage security equipment for small and medium-sized users, such as UTM. Enhanced security functions can also be added to dedicated security equipment according to user needs, so that product customization is completed quickly.

VSP: Versailles Security Platform

VSP is a dedicated security software platform independently developed by Lenovo Netware. Based on international standards and a sound architecture design, the platform combines a real-time operating system, network processing, security applications and other technologies. With the characteristics of high efficiency, intelligence, safety, robustness and easy expansion, it is the common platform for Lenovo Netware perimeter defense products.

VSP is oriented to network throughput and security processing, which is different from the general operating systems such as Linux and FreeBSD. VSP concentrates the main resources on the data plane by separating the control plane from the data plane, which makes the system have strong real-time performance and network throughput.

VSP borrows from microkernel design. Built on a message mechanism, it places only the most basic operating system functions in the microkernel, and redundant services and applications are built on top of the microkernel, so that a problem in any service or application will not cause the whole system to collapse. At the same time, the attack defense engine integrated in the microkernel can effectively detect and resist attacks, and fundamentally improves the reliability and robustness of products.

System functions and resource management work on different planes, and the planes and modules follow standard interface functions. Compared with various embedded systems, VSP is highly flexible and extensible. At the same time, VSP separates hardware drivers into a hardware abstraction plane, which provides a unified calling interface for upper-level software, defines driver standards for lower-level hardware, adapts to different hardware architectures, and integrates seamlessly with various special-purpose chips. VSP can make full use of the advantages of various advanced hardware platforms, from IXP and PowerPC to NP, as well as content acceleration chips.

USE: Unified Security Engine

Based on VSP, the traditional security engine is optimized, the data model is abstracted, a unified architecture is constructed, and various types of security engines such as state filtering, VPN, IPS and content filtering are effectively integrated into a unified security engine, which significantly improves the security defense capability of Lenovo firewall. The unified security engine overcomes the shortcomings of traditional security engines, which work in isolation and perform a lot of redundant processing (for example, worm detection has to be processed in both IDS and virus detection). Through efficient engine integration technology, all security functions are integrated with the processing of the network protocol stack, and engines such as state detection, protocol analyzer, deep filtering and content detection work together. For monitored data packets, detection across layers 2-7 is completed with a single unpacking, using Lenovo's patented technology.

Through a unified configuration interface, Lenovo's firewall can easily combine various security features according to the different emphases of users' needs, and work with different hardware architectures to adapt to users' different security needs.

MRP: Multi-layer Redundant Protocol

Based on the patented technology of Lenovo's high-reliability design of large computers and the professional experience of reliable operation and maintenance of telecom backbone networks, the high availability of Lenovo's firewall in user network applications is effectively guaranteed by diversified redundant designs at the physical layer, link layer, network layer and entity layer. Lenovo's firewall supports multiple WAN ports at the link layer, and realizes load balancing and backup among multiple ports through a link redundancy protocol. Under normal circumstances, link resources can be fully utilized, and any link failure will not affect the normal communication of the network.

Lenovo's firewall supports the aggregation of multiple physical ports based on the 802.3ad standard, which can help users to achieve "zero investment" bandwidth multiplication under normal conditions, and can realize normal network communication without interruption when a single point of failure occurs.

MRP supports dual-machine hot standby based on automatic state detection. When the main system fails or the corresponding network line fails, the backup machine can automatically detect this and switch to the main state to take over the work of the main system, with a switching time of less than 1 second. At the same time, based on the "state incremental synchronization" technology pioneered in China, the problem of state consistency between master and slave devices is solved: the security of state detection is not lost, and sessions are not interrupted when the system switches over.

MRP supports active load balancing, session protection and takeover, and active configuration synchronization. It can not only synchronize cluster and dual-machine configuration, but also simplify the management burden of users. Based on the "state incremental synchronization technology", services can be smoothly and arbitrarily distributed and switched among multiple devices, the "service interruption problem" caused by the adoption of the VRRP protocol and dynamic routing protocols is solved, and load balancing in transparent, routing, mixed and other working modes is realized, which can support 2~8 devices at most.

HSH: High Speed Hardware

Lenovo Internet Firewall always leads the trend of security technology in the hardware field. In 2003, Lenovo Netroyal took the lead in introducing the NP-based "Super Five" gigabit line-speed firewall, which was widely recognized by the industry for its excellent performance.

Multi-core and multi-thread chip technology is to build a network, which needs to be real-time. The integration of PU with network bus and security application acceleration engine greatly expands the internal bandwidth and solves the bus bottleneck of general platform. Multi-core and multi-thread architecture is especially suitable for network parallel operation, which makes the network processing speed of firewall move from gigabit to gigabit.

The security platform with elastic architecture is the technical foundation of Lenovo firewall, and the products and solutions formed on this basis can meet the challenges of new security threats in speed, scope and complexity, and meet the needs of users quickly. In addition, due to the flexibility of the platform, some modules and technologies can be embedded in hardware chips, network devices, operating systems or network applications in the future, which will naturally be integrated into information construction. A flexible security platform will surely become an important driving force to promote the coordinated development of information construction and information security.