Safer simpler networks UTM Unified Threat Management Ivan

  • Slides: 59
Safer, simpler networks. UTM: Unified Threat Management. The 20:1 Factor
Ivan Straniero, Sales Manager; Nick Copeland, Senior SE. Crossbeam Systems Italy

Crossbeam wants to give you an iPod Mini! Question: What does 20 to 1 mean?

Safer, simpler networks. Introducing Crossbeam Ivan

Corporate Overview
RAPIDLY GAINING MARKET SHARE § Enterprise, Service Provider
GLOBAL PRESENCE § North America, EMEA, Asia Pacific § 10 regional offices § Worldwide support organization
PRIVATE COMPANY § Founded March, 2000 § Headquarters in Concord, Massachusetts § President and CEO: Peter George
LEADING IT VENDOR WORLDWIDE, TOP GERMAN TRAVEL NETWORK, LEADER IN COMPUTER SECURITY RESEARCH, TOP 10 BANK CARD ISSUER, TOP 3 RBOC, TOP 3 MEDICAL INSTRUMENT, TOP EUROPEAN MORTGAGE LENDER, TOP CHINESE MANUFACTURER

Global Company: Concord (HQ), Valbonne, Tokyo, Singapore. Over 500 Global 2000 Customers Worldwide

Securing “Blue Chip” Networks

Safer, simpler networks. Critical Security Problems Ivan

CERT Incidents. CIO Challenge: Security Is Unpredictable! (CERT: Computer Emergency Response Team)
SMALL PACKETS, MANY FLOWS
1991: Server; 1995: Server with FW; 1999: FW Sandwich; 2003: FW + IDS + DDoS + URL Filter + Virus & Content …
• Firewall: Check Point, Cisco, Nokia, NetScreen, SonicWall
• IDS: Dragon, ISS, Snort, LANcope, Sourcefire, NetScreen, Intrusion.com, NAI
• DDoS: Captus, Mazu, Arbor, Asta
• URL Filter: Websense, SurfControl, SmartFilter
• Virus & Content: Symantec, Trend Micro, Aladdin eSafe, F-Secure

Explosive Performance Demand [diagram: INTERNET, ROUTER, SWITCH, LOAD BALANCER, IDS STACK, FIREWALL STACK, many IDS] Difficult and expensive to manage!

Increasing Security Exposures [diagram: INTERNET; ANTI-SPAM, ANTI-VIRUS, INSTANT MESSAGING / PEER-TO-PEER CONTROL, FW VPN, URL FILTER, CONTENT FILTER, PORT 80 CONTROL, IDS, XML ACCELERATION, APPLICATION-LEVEL FW; CORPORATE LANS, STORAGE NETWORK SECURITY, MOBILE USERS] Complex to deploy and connect many security applications!

Security Critical for Business Continuity [diagram: the same applications deployed as Redundant Pairs (ANTI-SPAM, URL FILTER, CONTENT FILTER, PORT 80 CONTROL, INSTANT MESSAGING / PEER-TO-PEER CONTROL, ANTI-VIRUS, FW VPN, IDS, XML ACCELERATION, APPLICATION-LEVEL FW); INTERNET, CORPORATE LANS, MOBILE USERS, STORAGE NETWORK SECURITY] Unwieldy as devices, links, and licenses multiply for redundancy!

Safer, simpler networks. How can Crossbeam help? Ivan

Vision: Safer, Simpler Networks X SERIES C SERIES

20:1 = Massive ROI. CORPORATE SECURITY CONSOLIDATION PROJECT: Traditional Appliance vs. Crossbeam Security Switch. Savings: $500k!

Crossbeam Drives Tectonic Shifts in Market: Unified Threat Management Market Explodes
                 CAGR (%)   2003 Share (%)   2008 Share (%)
Firewall/VPN       -0.2          93.4             42.4
UTM appliance      80.1           6.6             57.6
Total              16.8         100.0
CROSSBEAM IS #1 IN HIGH END UTM MARKET. Source: IDC, 2004
§ Crossbeam “Transformational” – enables new ways of doing business across industries that will result in major shifts in industry dynamics.

Complete Enterprise Network Security [diagram: product line C2, C6, C10, C30, X40, X45, X80] BEST-IN-CLASS LAYERED SOLUTIONS FOR: -PERIMETER -DATA CENTER -CORE NETWORK

Safer, simpler networks. Crossbeam C-Series Ivan

C-Series Security Services Switch
§ Simplicity of Management § Turnkey Application Bundles § High Performance § High Port Density § Dual-box High Availability § Excellent Price-performance Ratio § Compact 2 Rack Units
NETWORK BUNDLE: § Firewall § VPN § Intrusion Detection / Prevention
MAIL BUNDLE: § FW/VPN § Anti-Spam § Content Scanning § Anti-Virus
WEB USER BUNDLE: § FW/VPN § URL Filter § Web Cache § Anti-Virus
C10 (Small to Medium Enterprise, Branch Office): § 6 GigE Interfaces (copper/fiber)
C30i, C30 (Medium Data Center, Large Enterprise Department): § 2 Gbps of FW-1 Throughput § 300 Mbps of VPN-1 Throughput with optional acceleration card
C30: § 4 to 8 GigE Interfaces
C30i: § 16 FE + 2 GigE Interfaces

C-Series Multi-Port IDS [diagram: INTERNET, DMZ, Servers] § Up to 18 ports of traffic monitored by one sensor license § One device to deploy and manage

Safer, simpler networks. Crossbeam X-Series Ivan

X-Series Security Services Switch
§ Secure and Easy Management § Flexibility of Integrating Security Applications § High Performance § High Port Density § Self-healing, Application Priority Pre-emption § Single- or Dual-box High Availability § Common Modules
SECURITY ENGINES: § Firewall § Virtual Firewall § VPN § Intrusion Detection / Prevention § Anti-Virus § URL Filter § Web Cache § Anti-Spam § Content Scanning § Transaction Audit Reporting
X45 (Medium to Large Enterprise Perimeter & Data Center): § Up to 16 GigE Interfaces § Up to 32 FastE Interfaces § Up to 4 Gbps of FW-1 Throughput § Compact 7-slot Chassis
X40, X80 (Service Providers and Large Enterprise Perimeter & Data Center):
X40: § Up to 16 GigE Interfaces § Up to 32 FastE Interfaces § Up to 4 Gbps of FW-1 Throughput § 14-slot Chassis
X80: § Up to 32 GigE Interfaces § Up to 64 FastE Interfaces § Up to 8 Gbps of FW-1 Throughput § 14-slot Chassis

X45 Security Services Switch Key Benefits
§ All of the XOS features/benefits in a sleek 7-slot AC Chassis (8 RU) § Up to 5 APMs § Up to 2 NPMs § Up to 2 CPMs § Slots 2 and 6 are CPM/APM or NPM/APM
Single-box HA mode: 2 NPMs : 3 APMs : 2 CPMs (full single-box HA design and 4 Gbps of FW-1)
Performance mode: 1 NPM : 5 APMs : 1 CPM (maximum application flexibility)
§ Port Densities § Up to 16 GigE Interfaces § Up to 32 FastE Interfaces
§ Performance § Up to 4 Gbps of FW-1 Throughput

X40 Security Services Switch Key Benefits
§ Full 14-slot Chassis offers the ultimate in application flexibility § Up to 10 APMs § Up to 2 NPMs § Up to 2 CPMs
§ Port Densities § Up to 16 GigE Interfaces § Up to 32 FastE Interfaces
§ Performance § Up to 4 Gbps of FW-1 Throughput

X80 Security Services Switch Key Benefits
§ Full 14-slot Chassis offers the ultimate in port density and performance § Up to 10 APMs § Up to 4 NPMs § Up to 2 CPMs § Slots 3 and 4 can be APM or NPM
§ Port Densities and Performance § Up to 32 GigE Interfaces § Up to 64 FastE Interfaces
§ Performance § Up to 8 Gbps of FW-1 Throughput

X-Series Modular Architecture [diagram: DYNAMIC STANDBY, ANTI-VIRUS GROUP, IDS GROUP, FIREWALL GROUP]
Control Processor Module (CPM): Internal chassis management - HA, monitoring, configuration. External chassis management - Dedicated ports and access for management, logging, failover.
Network Processor Module (NPM): Physical network interfaces; X-Stream™ flow classification and sequencing; Flexible flow rules and rate limiting; 4096 VLANs; Multi-Link Trunking; PIM-SM Multi-casting.
Application Processor Module (APM): Best-in-class security engine; Full hot-swap and failover with no reconfiguration; Warm standby without software license.
§ Fully switched data paths: 40 to 80 Gbps of backplane capacity § Fully switched control paths: 2.4 Gbps of control plane capacity § No single point of failure

X-Series Self Healing, Self Protection [diagram: Firewall Group, IDS Group, Standby APM]
No manual intervention. Automatic boot in 30 seconds.
APM in IDS Group fails: Standby APM boots with image of IDS § License (maintained on CPM) is “moved” to back-up
APM in Firewall Group fails: IDS pre-empted with image of Firewall § License (maintained on CPM) is “moved” to pre-empted APM
§ No loss of sessions—failure transparent to users
§ Spare, “generic” APMs replace failed hardware § Configuration and licensing details stored on redundant CPMs
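The two failover cases on this slide (a generic standby takes over first; when none is left, a lower-priority group's APM is pre-empted and the CPM-held license follows the image) form a small policy that is easier to reason about as code. The following Python model is an added illustration written for this page; it is not Crossbeam software or configuration, the slot numbers and scenario are constructed, and every group priority other than Firewall above IDS is an assumption of the model.

```python
# Added example (not Crossbeam code): a toy model of the X-Series failover
# policy described on the slide. Licenses are tracked by the CPM and follow
# the image to whichever APM takes over; a generic standby is used first, and
# when none is left a lower-priority group's APM is pre-empted.
from dataclasses import dataclass, field
from typing import Optional

# Lower rank = higher priority. The slide only states that Firewall pre-empts
# IDS; the ANTI-VIRUS rank is an assumption made for this model.
PRIORITY = {"FIREWALL": 1, "IDS": 2, "ANTI-VIRUS": 3}


@dataclass
class APM:
    slot: int
    image: Optional[str] = None  # None = generic standby with no image loaded
    licensed: bool = False       # the CPM grants the license to this slot
    healthy: bool = True


@dataclass
class Chassis:
    apms: dict = field(default_factory=dict)           # slot -> APM
    cpm_licenses: dict = field(default_factory=dict)   # group -> licensed slots
    log: list = field(default_factory=list)

    def add_apm(self, slot, image=None):
        """Install an APM; a loaded image consumes one CPM-held license."""
        self.apms[slot] = APM(slot, image, licensed=image is not None)
        if image is not None:
            self.cpm_licenses[image] = self.cpm_licenses.get(image, 0) + 1
        return self.apms[slot]

    def in_service(self, group):
        """Slots currently running `group` with a valid license."""
        return sorted(a.slot for a in self.apms.values()
                      if a.healthy and a.licensed and a.image == group)

    def _standby(self):
        spares = [a for a in self.apms.values() if a.healthy and a.image is None]
        return min(spares, key=lambda a: a.slot, default=None)

    def _preemptable(self, group):
        """Healthy APM of the lowest-priority group ranked below `group`."""
        cands = [a for a in self.apms.values()
                 if a.healthy and a.image is not None
                 and PRIORITY[a.image] > PRIORITY[group]]
        return max(cands, key=lambda a: (PRIORITY[a.image], a.slot), default=None)

    def fail(self, slot):
        """Handle an APM failure; returns (action, slot that took over)."""
        failed = self.apms[slot]
        group = failed.image
        failed.healthy = False
        failed.licensed = False  # the license returns to the CPM pool
        if group is None:        # a standby died: nothing to recover
            self.log.append((slot, None, "standby-lost", None))
            return "standby-lost", None
        target, action = self._standby(), "standby"
        if target is None:
            target, action = self._preemptable(group), "preempt"
        if target is None:
            self.log.append((slot, group, "degraded", None))
            return "degraded", None
        if action == "preempt":
            # The pre-empted group gives up a licensed slot to the failed group.
            self.cpm_licenses[target.image] -= 1
        target.image = group      # boots with the failed group's image
        target.licensed = True    # license "moved" by the CPM
        self.log.append((slot, group, action, target.slot))
        return action, target.slot

    def replace_hardware(self, slot):
        """A spare generic APM replaces failed hardware and becomes standby."""
        self.apms[slot] = APM(slot)
        return self.apms[slot]


def demo():
    """Constructed scenario mirroring the slide: IDS APM fails, then a FW APM."""
    c = Chassis()
    for s in (3, 4, 5):
        c.add_apm(s, "FIREWALL")
    for s in (6, 7):
        c.add_apm(s, "IDS")
    c.add_apm(8)                      # one generic standby
    first = c.fail(6)                 # IDS fails -> standby boots IDS image
    second = c.fail(3)                # FW fails -> no standby, IDS pre-empted
    return c, first, second


if __name__ == "__main__":
    chassis, a, b = demo()
    print(a, b, chassis.in_service("FIREWALL"), chassis.in_service("IDS"))
```

Running `demo()` shows the trade the slide implies but does not spell out: after the second failure the firewall group is back to full strength, but the IDS group is down to one licensed APM until a spare generic APM is slotted in with `replace_hardware()`, so monitoring should alarm on pre-emption events, not only on outright hardware failures.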

Security Application Support
SECURITY CATEGORY: § Network Security § Clientless VPNs (SSL) § Web Security § XML Security / Acceleration § Port 80 Firewall § Application Level Firewall § Mail Security § Anti-Spam § Storage Security § VoIP Security
SECURITY APPLICATION PARTNERS: § Check Point § SourceFire § Enterasys § Trend Micro § F-Secure § Websense § Secure Computing § RSA § Snort § Squid § Argus

Safer, simpler networks. Throughput & Architecture Nick

C-Series Architecture [diagram: X-STREAM™ BASE; FW/VPN POLICY → IDS; FW/VPN POLICY → ANTI VIRUS] § Dual-stage processing § Firewall acceleration § Virtual Tap for multi-interface monitoring § Sequential processing for content scanning

X-Series Security Services Switch Architecture [diagram: 2 CPMs (Mgmt); Up to 10 APMs (Dynamic Standby, Firewall Group A, Firewall Group B, IDS Group); 2 - 4 NPMs (Data)]
Switched Control Path: 100 Mbps full duplex links, 2.4 Gbps of backplane capacity
Switched Data Path: 1.6 Gbps full duplex links, 40~80 Gbps of backplane capacity, 2 switching fabrics per NPM

Network Processor Module 8200
2 x PRC § Each PRC handles 7 x 1.6 Gbps FDX connections to slots 1-7 and 8-14 via the backplane
1 x PRISM § Interconnects PHY front ports with backplane connectors via PRC. Each PRC lane has a bandwidth of 1 Gbps FDX.

Application Processor Module 8400
2 x FPGA § Two 1.6 Gbps FDX interfaces per FPGA. One NPM can connect to just one interface via the cell-based backplane.
1 x Quad GigE MAC § Provides four 1 Gbps FDX (4 Gbps) channels to the FPGAs. 1 Gbps per NPM to the backplane.
[block diagram: Backplane Interconnect, 1.6 Gb link pair; Focus FPGA; Quad GigE MACs (Broadcom Quad GigE); PMC slot 1; PCI-X bus 64 bits @ 100 MHz; Memory Controller / North Bridge; Intel Xeon 2.4 GHz, 512 KB L2; 1 GB / 1 GB SDRAM, 4 GB]

APM 8400 Throughput [diagram: APM 8400 to NPM 8200 links, 4 Gbps FDX each]

X-Stream Flow Sequencing Example [diagram: PARALLELIZED X-STREAM SEQUENCER with INBOUND and OUTBOUND paths]
NPM functions on each path: LAYER 3 FORWARDING, FLOW ACCELERATION, PORT AGGREGATION, VLAN TRUNKING, RATE LIMITING (ICMP=10% on one path, ICMP=25% on the other)
Application sequence, first path: AV (three instances, built-in load balancing to scale performance) → FW → URL
Application sequence, second path: IDS

Safer, simpler networks. Management Nick

Secure, Centralized Management (C-SERIES, X-SERIES)
CENTRALIZED POLICY CONTROL (AVAILABLE NOW): e.g. Check Point SmartCenter • FW • IDS • AV • CONTENT
SECURE DEVICE CONFIGURATION (AVAILABLE NOW): Crossbeam SecureShore Manager; e.g. SSH, HTTPS for CLI and Web management interface
NETWORK MANAGEMENT SYSTEM INTEGRATION (AVAILABLE NOW): • SNMP ALARMS, STATS; SNMP support, 3rd party event correlation systems supporting Crossbeam application partners’ events and alarms

Network Management System Integration [diagram: HP OpenView Management server; CLI, SNMP, HTTPS; C-SERIES, X-SERIES] Automatic action execution; Real-time Statistics Monitoring; Complete device management via embedded Web interface. * Professional service required for integration implementation

Secure Device Configuration – CLI and Web (C-SERIES, X-SERIES) § 16 levels of management roles § CLI via SSH § XML over HTTPS § SNMPv1, v2c § Web interface for configuration and monitoring

Device Configuration – Parallelization FW IDS

Device Configuration – Serialization AV FW IDS

Event Correlation System Integration [diagram: Security Application Events (IDS – ISS, Dragon or Snort; Anti-Virus; CP Firewall), Network Events, System Events → 3rd Party Event Correlation Engines]
§ Reduced events for ease of monitoring § Impact and conflict resolution of events from various sources § Better security with multi-vendor expertise and coverage

Safer, simpler networks. How will your network improve? Nick

Total Perimeter Defense PERIMETER

Total Perimeter Defense: FW-IDS Consolidation [diagram: Before Crossbeam: INTERNET, IDS STACKS, FIREWALL STACK; With Crossbeam: INTERNET, X-Stream, FW, IDS]
CROSSBEAM ADVANTAGES § High performance FW and IDS at huge license and maintenance savings § Scalable platform for future growth § Simplified and increased high availability

X-Stream – Total Perimeter Defense New Service FW IDS INBOUND IDS PARALLELIZED X-STREAM SEQUENCER

Safer, simpler networks. Case Studies Nick

We went from this… § 60 Firewalls § Various platforms § 12 sites § Various Availability § Complex Management § High risk of downtime § Stretched resources

To this… § 4 Platforms § Crossbeam X Series § 2 sites § 99.9999% availability § Simpler Management § Reduction in costs

Weather Channel Before Crossbeam

Weather Channel With Crossbeam

Safer, simpler networks. How does Crossbeam measure up? Ivan

How To Think About Crossbeam [chart: Others: $10 + $4 Switches, HA, etc. = $14; Crossbeam: $5]

C30: Customer Value Proposition [diagram: FINANCE, MOBILE USERS, OTHER GROUPS, DMZ; IDS, FW, AV/SPAM]
HIGH VOLUME APPLIANCE (600 Mbps FW, 8 FE ports):
  FW/VPN: 1 Appliance $12K + 1 Check Point $10K = $22K
  IDS: 2 Appliances $20K + 4 ISS Sensors $36K = $56K
  AV/SPAM: 1 Server $3K + 1 Trend AV/SPAM $15K = $18K
  Appliance Total: $96K; 7x24 H/W Support: $10K; S/W Subsc.+Support: 30% of $86K
CROSSBEAM C30 (2 Gbps FW, 16 FE+2 GE ports):
  FW/VPN: 1 C30 $24K + 1 Check Point $10K = $34K
  IDS: Free hardware (same C30) + 1 ISS Sensor $9K = $9K
  AV/SPAM: Free hardware (same C30) + 1 Trend AV/SPAM $15K = $15K
  Crossbeam Total: $58K; 7x24 H/W Support (12%): $2K; S/W Subsc.+Support: 30% of $34K
C30 vs. High Volume Appliance: $40K+ savings, 3X FW performance, >2X port density, 4 to 1 box consolidation

X40: Customer Value Proposition [diagram: BUILDING 1, BUILDING 2, BUILDING 3, DMZ, INTERNET, MOBILE USERS; LB, SW; 4 Gbps FW/VPN, AV/SPAM, URL FILTER]
HIGH END APPLIANCE:
  FW/VPN: 5 Appliances (1 spare) $275K + 5 Check Point FW/VPN $50K + 4 Switches $4K + 4 Load Balancers $32K = $361K
  IDS: 2 Appliances (1 spare) $110K + 4 ISS sensors $36K = $146K
  Appliance Total: $507K; 7x24 H/W Support: $88K; S/W Subsc.+Support: 30% of $86K
CROSSBEAM X40:
  FW/VPN: 1 X40 (HA-2 CP, 2 NP) $97K + 5 APMs (1 spare) $75K + 4 Check Point FW/VPN $40K = $212K
  IDS: 2 APMs (free spare) $29K + 2 ISS sensors $27K = $56K
  Crossbeam Total: $268K; 7x24 H/W Support (12%): $32K; S/W Subsc.+Support: 30% of $67K
X40 vs. High End Appliance: $240K+ savings, room to add 3 more applications, 15 to 1 box consolidation

Crossbeam wants to give you an iPod Mini! Question: What does 20 to 1 mean? Answer: Crossbeam consolidates security and networking devices by 20 to 1.

Safer, simpler networks. Questions??? Come to visit our booth in the exhibition area. Ivan & Nick