Force10 Extends High Performance to Security

Ten Gigabit Ethernet Pioneer Force10 Networks branches out into intrusion prevention with a high-performance IPS appliance line.

Ten Gigabit Ethernet switch pioneer Force10 Networks on April 17 will try to leverage its expertise in high performance to gain entry into the market for intrusion prevention systems with a new line of high-performance appliances.

Force10's new P-Series appliances provide 10 Gigabit-per-second line rate packet monitoring, inspection, capture and blocking using a new patented architecture designed to protect network trunks without exacting a performance hit, according to Andrew Feldman, vice president of marketing for Force10 in Milpitas, Calif.

Force10 is no stranger to high performance in the 10 Gigabit Ethernet switching and routing arena. Thanks to its emphasis on high performance, and its low power consumption and lower heat generation, the company is on a fast growth trajectory, with three consecutive years of 100 percent growth and an installed base of 8,000 10 Gigabit Ethernet ports and 250,000 Gigabit Ethernet ports.


"You do that by having the highest aggregate throughput—two 10 Gigabit ports that provide 20 Gigabits of throughput—with the lowest latency and a resiliency structure that makes it impossible to bring the system down," Feldman said.

The patented architecture, dubbed dynamic parallel inspection, allows network operators or security managers to set a rule and push it into the fabric of the chips used in the appliances. It represents the first time that field programmable chips have been employed to allow users to reconfigure the chips "on the fly" to accept and execute thousands of rules, Feldman said.

"You can reconfigure the chip so it blocks or sets an alarm when it sees that attack described by the rule. It combines the flexibility of software with the performance of hardware," he added.

The architecture is also unique in its ability to process all the applied rules simultaneously, rather than sequentially. "The packet is simultaneously being compared to 100 rules. That's why we can do 10 Gigabit speeds that have eluded others," said Feldman.

The architecture uses no active components in the data path, inspection ports are invisible to attackers, software failures won't bring the appliances down, and CPU attacks won't cause the appliances to fail, Feldman said.

The P-Series includes two appliances: the P1 Gigabit Ethernet appliance with two 1 Gigabit Ethernet sensing or logging ports and the P10 10 Gigabit Ethernet appliance with two 10 Gigabit Ethernet sensing or logging ports. Both appliances, which run a hardened Linux operating system, can be deployed inline or passively in snooping mode to inspect traffic.

Feldman also claimed that compared to competitors, the P-Series appliances don't degrade in performance as traffic loads increase.

The appliances are priced at $100,000 for the 10 Gigabit appliance and $38,000 for the 1 Gigabit version. Both are available now.
