IBM Comes Out with 6G-bps Pipe Cleaner

Updated: IBM, with aims similar to McAfee's Clean Pipes initiative, is going after carriers and enterprises with high-throughput needs with its new 6G-bps intrusion prevention appliance.

IBM, aiming for carriers and enterprises with high-throughput needs, unveiled a 6G-bps intrusion prevention appliance at Interop on May 22. The appliance, IBM says, can clean service provider pipes of malware lickety-split, with extremely high throughput, high scalability and low latency—indeed, what its calling "unsurpassed" performance in those areas.

McAfee on the same day, also at Interop, launched what its calling the fastest network intrusion prevention system ever, its 10G-bps IntruShield M-Series platforms. But, IBM pointed out, its new Proventia Network IPS (Intrusion Prevention System) GX6116 supports throughput of up to 15G bps (5 gigs over McAfees IPS); its packet inspection rate is 6G bps.

/zimages/5/28571.gifClick here to read more about McAfees IntruShield.

At any rate, the promise that these super-fast network IPSes are holding out is that at some point carriers should be able to use their pipes to supply IP TV and VOIP (voice over IP) without delivering the Trojans, viruses and other malware that have not only compromised system security but have also gobbled up ample bandwidth to date. This isnt the first time a security vendor has attempted it, though. McAfee, for one, launched what it called the McAfee Clean Pipes initiative and the invitation-only Clean Pipes Consortium in 2005, but thats about the last time anything was heard from McAfee about that.

Tom Noonan, general manager of the ISS division as well as the co-founder and CEO of ISS and the executive who spearheaded the deal to sell the company to IBM, said in an interview with eWEEK that, speaking generally, the entire telecom industry is undergoing a "massive transformation" from proprietary and circuit-switched systems to next-generation networks—i.e., those that are IP from core to edge.

"The strategies of companies like British Telecom, their next-generation network … is to bring practically unlimited services to customers over an IP backbone," he said. "You and I think of that today and we think IP TV, VOIP, televideoconferencing. But it goes much further. Rich applications can be delivered to customers, including security services, over that same pipe."

IBM, like McAfee before it, is grounding its next-generation network security efforts in an industry consortium. IBMs consortium has 48 service providers around the world and meets twice a year at the ISS Telecom Summit.

"[The consortium constitutes] truly a global mix of carriers that have worked closely with ISS over the years on the IT side of networks with the anticipation and the expectation that someday wed be able to make systems that would meet [their] scale requirements … [for networks]," Noonan said.

The outcome is IBMs appliance, called the Proventia Network IPS GX6116. Its coming out of IBMs ISS (Internet Security Systems) product line—one more outcome of Big Blues $1.3 billion buy of ISS in August 2006.

At the time of the buy, industry experts wondered what IBM had in mind long-term for the company. The Proventia appliance, aimed at large enterprises and carriers, is part of the answer.

Noonan said that Proventia is the work of IBM research, ISS research and "many, many" customers whove struggled with how to get security into the high-speed landscape.

"Service providers are trying to supply security in the cloud so customers arent confronted with malware, threats and other things coming through the pipe," he said. "This is a watershed event for the industry; this is something Ive dreamed of for 14 years in the security business: security systems that are intelligent and capable of working at the core of the network" at low-latency speeds, he said.

Traditional security layers dont do well on service networks because they slow it down, Noonan said. "If a traditional piece of security was on the network between us, we couldnt have this [VOIP] conversation because of latency," he said. "[Proventia] is certified for VOIP and IP TV, where latency is simply unacceptable."

Noonan said that, up until now, on the service provider side of a network there has been little to no security.

"What goes in goes out. If some corporation transmits a worm, it goes over the service providers network and gets distributed to everyone. This is why high-distribution outbreaks are such a problem," he said. "If an outbreak occurs in a university that has multiple optical pipes coming in to service the needs of users, the malware gets propagated out of the university, through the service provider and into every endpoint on the network. On business networks, where billing and other things are conducted, telecom providers have done a reasonable job building security models to deal with threats. But heretofore there has been little security youd call carrier-grade."

The ultra-high-speed, low-latency, high-availability IPS/IDS features full deep-packet inspection—as opposed to just reading packet headers—for carriers pipes and core data center applications. Its geared toward high-performance applications such as Internet telephony that operate at the core of a network and that require security solutions capable of high throughput, high scalability and low latency.

Proventias 6G-bps protection spans eight network segments and uses configurable bounded latency to ensure that performance isnt impacted. The appliance features a custom-built architecture with a network processing unit specifically designed for high-speed processing of network packets.

IBM is also claiming that, unlike competitive IPS products, Proventia is part of a unified security platform. That platform is offered by ISS and can plug into either a centralized management console or management provided by IBM Managed Security Services.

Next Page: Crossbeams solution.