IBM, aiming for carriers and enterprises with high-throughput needs, unveiled a 6G-bps intrusion prevention appliance at Interop on May 22. The appliance, IBM says, can clean service provider pipes of malware lickety-split, with extremely high throughput, high scalability and low latency—indeed, what it's calling “unsurpassed” performance in those areas.
McAfee on the same day, also at Interop, launched what it's calling the fastest network intrusion prevention system ever, its 10G-bps IntruShield M-Series platforms. But, IBM pointed out, its new Proventia Network IPS (Intrusion Prevention System) GX6116 supports throughput of up to 15G bps (5 gigs over McAfee's IPS); its packet inspection rate is 6G bps.
At any rate, the promise that these super-fast network IPSes are holding out is that at some point carriers should be able to use their pipes to supply IP TV and VOIP (voice over IP) without delivering the Trojans, viruses and other malware that have not only compromised system security but have also gobbled up ample bandwidth to date. This isn't the first time a security vendor has attempted it, though. McAfee, for one, launched what it called the McAfee Clean Pipes initiative and the invitation-only Clean Pipes Consortium in 2005, but that's about the last time anything was heard from McAfee about that.
Tom Noonan, general manager of the ISS division as well as the co-founder and CEO of ISS and the executive who spearheaded the deal to sell the company to IBM, said in an interview with eWEEK that, speaking generally, the entire telecom industry is undergoing a “massive transformation” from proprietary and circuit-switched systems to next-generation networks—i.e., those that are IP from core to edge.
“The strategies of companies like British Telecom, their next-generation network … is to bring practically unlimited services to customers over an IP backbone,” he said. “You and I think of that today and we think IP TV, VOIP, televideoconferencing. But it goes much further. Rich applications can be delivered to customers, including security services, over that same pipe.”
IBM, like McAfee before it, is grounding its next-generation network security efforts in an industry consortium. IBM's consortium has 48 service providers around the world and meets twice a year at the ISS Telecom Summit.
“[The consortium constitutes] truly a global mix of carriers that have worked closely with ISS over the years on the IT side of networks with the anticipation and the expectation that someday we'd be able to make systems that would meet [their] scale requirements … [for networks],” Noonan said.
The outcome is IBM's appliance, called the Proventia Network IPS GX6116. It's coming out of IBM's ISS (Internet Security Systems) product line—one more outcome of Big Blue's $1.3 billion buy of ISS in August 2006.
At the time of the buy, industry experts wondered what IBM had in mind long-term for the company. The Proventia appliance, aimed at large enterprises and carriers, is part of the answer.
Noonan said that Proventia is the work of IBM research, ISS research and “many, many” customers who've struggled with how to get security into the high-speed landscape.
“Service providers are trying to supply security in the cloud so customers aren't confronted with malware, threats and other things coming through the pipe,” he said. “This is a watershed event for the industry; this is something I've dreamed of for 14 years in the security business: security systems that are intelligent and capable of working at the core of the network” at low-latency speeds, he said.
Traditional security layers don't do well on service networks because they slow them down, Noonan said. “If a traditional piece of security was on the network between us, we couldn't have this [VOIP] conversation because of latency,” he said. “[Proventia] is certified for VOIP and IP TV, where latency is simply unacceptable.”
Noonan said that, up until now, on the service provider side of a network there has been little to no security.
“What goes in goes out. If some corporation transmits a worm, it goes over the service provider's network and gets distributed to everyone. This is why high-distribution outbreaks are such a problem,” he said. “If an outbreak occurs in a university that has multiple optical pipes coming in to service the needs of users, the malware gets propagated out of the university, through the service provider and into every endpoint on the network. On business networks, where billing and other things are conducted, telecom providers have done a reasonable job building security models to deal with threats. But heretofore there has been little security you'd call carrier-grade.”
The ultra-high-speed, low-latency, high-availability IPS/IDS features full deep-packet inspection—as opposed to just reading packet headers—for carriers' pipes and core data center applications. It's geared toward high-performance applications such as Internet telephony that operate at the core of a network and that require security solutions capable of high throughput, high scalability and low latency.
Proventia's 6G-bps protection spans eight network segments and uses configurable bounded latency to ensure that performance isn't impacted. The appliance features a custom-built architecture with a network processing unit specifically designed for high-speed processing of network packets.
IBM is also claiming that, unlike competitive IPS products, Proventia is part of a unified security platform. That platform is offered by ISS and can plug into either a centralized management console or management provided by IBM Managed Security Services.
One of IBM's competitors, Crossbeam Systems, markets a chassis-based UTM (unified threat management) platform built to run multiple, best-of-breed applications, such as firewall, IPS, content filtering, etc. That eliminates the need to run separate security appliances, a spokesperson said. “This enables carrier and large enterprise networks to better manage appliance sprawl and gain enormous performance benefits for the applications that run on the Crossbeam platform,” she said. “In other words, it's difficult to make a direct comparison because the ISS solution is solely an IPS appliance whereas Crossbeam is providing a UTM platform that enables consolidation and optimized performance of multiple security applications. So, it's sort of like comparing apples to oranges.”
But IBM is claiming that Proventia, more than being just an appliance, is a protection platform that provides multilayered protection for enterprises from network to host. “By infusing its products with security intelligence from the IBM Internet Security Systems X-Force research and development team and its unique IBM Virtual Patch technology, IBM's solution is designed to protect customers before their business assets are impacted by online intrusions,” IBM ISS said in a release.
Going after the same goal, McAfee in September 2005 inaugurated what it called the McAfee Clean Pipes initiative, an expansion of its managed security services offerings. With Clean Pipes, McAfee planned a line of new carrier-grade security products and services and a new network access control product for enterprises.
At the time, McAfee was working with Cable and Wireless PLC, British Telecommunications PLC (British Telecom), Telefónica SA and China Network Communications (China Netcom) to tailor its offerings through an invitation-only group it called the Clean Pipes Consortium.
The outcome of Clean Pipes was supposed to include managed IPS; secure content management; vulnerability management; malware protection, including anti-virus, anti-spam and anti-spyware services; and mobile device security.
If any of that materialized, the company kept quiet about it.
“The chassis-based products which were to deliver these services never materialized and neither did the services,” said Crossbeam Chief Technology Officer Christofer Hoff in a blog that, he said in a disclaimer, doesn't represent the views of his employer. “Why? Because it's really damned hard to do correctly. Just ask Inkra, Nexi, CoSine, etc. Or you can ask me. The difference is, we're still in business and they're not. It's interesting to note that every one of those consortium members with the exception of Cable and Wireless are Crossbeam customers. Go figure.”
Hoff says there are a number of things that make cloud security hard. One issue is that once a provider starts filtering at ingress/egress, attention has to be paid to performance impact, or impact on confidentiality, integrity and availability.
“Truth be told, as simple as it seems, it's not just about raw bandwidth,” he said in the blog. “Service levels must be maintained and the moment something that is expected doesn't make its way down the pipe, someone will be screaming bloody murder for slightly clean pipes. Ask me how I know. I've lived through inconsistent application of policies, non-logged protocol filtering, dropped traffic and asymmetric issues introduced by on-prem and in-the-cloud MSSP offerings. Once the filtering moves past your prem as a customer, your visibility does too.”
But unlike McAfee's Clean Pipes initiative, IBM ISS has actually come up with a product to ship. Proventia is slated to be available by the end of the second quarter. For more information on IBM ISS intrusion prevention technology, the division's site is here.
McAfee hadn't supplied input as to the fate of Clean Pipes or the Clean Pipes Consortium by the time this story posted.
Editor's Note: This story was updated to clarify Proventia's throughput and packet inspection speeds and to correct the date when it will ship.