The massive DDoS attack on Dyn (Dynamic Network Services), a managed DNS provider, in October 2016 caused severe network outages and disruptions for Dyn's major clients, including Twitter, Reddit, Spotify, Tumblr and many other well-known websites. When a DDoS attack overwhelms a targeted service, users of the victimized site experience disruptions or outages when accessing its services and functions. The crisis was regarded as a loud wake-up call on how vulnerable cloud services and data centers are to DDoS attacks.
According to a recent report on global information security by Akamai, the number of DDoS attack incidents increased by 71% from Q3 2015 to Q3 2016. Another remarkable statistic, released by the Ponemon Institute, stated that 22% of data center outages in 2015 were caused by DDoS attacks. The institute also pointed out the astounding fact that DDoS was responsible for only 2% of data center outages back in 2010. The findings indicate that the more we rely on cloud services, data warehouses and web servers, the more criminals tend to shut those services down by DDoS. The findings also indicate that most DDoS attacks target banks, web services and telecommunications.
Determined to offer fortified solutions for enterprise data centers against DDoS, a major American company specializing in network security came to Lanner for a high-performance, high-throughput hybrid firewall optimized for DPI security and DNS defense in enterprise data centers. The integration of advanced threat prevention virtual software applications with a next generation firewall defends against malware intruding into both virtual and physical networks, while building up SDN-based security.
The technological requirements for the next generation firewall for the data center are listed below:
Server-grade CPU engine
DPI (Deep Packet Inspection) is computing intensive, so adopting a server-grade, open-architecture x86 processor is essential to spread the load of processing security measures across cores in network-cloud and enterprise-cloud infrastructures.
As DDoS attacks work by overwhelming the target with traffic, a high-throughput security firewall built on a server-grade x86 CPU and high-frequency DDR4 memory is critical to execute vast numbers of security instructions at low latency.
An onboard crypto-acceleration chipset, working alongside the server-grade CPU, offloads security-protocol processing (encryption, decryption and compression) so that CPU cores stay available for inspection.
Scalability is especially important for enterprise data centers as network traffic continues to grow at exponential rates. The hardware design must incorporate seamless upgrade capabilities for processor and connectivity so that total throughput can be scaled up to meet future demand without investing in a new network appliance every time traffic increases.
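The two points above, spreading inspection across cores and keeping up with flood-rate traffic, come down to a small amount of data-plane logic. The following is an added example written for this page; it is not Lanner's or the FW-8894's software, and the packet records, addresses, window and threshold are constructed for illustration. It hashes each packet to a worker (as NIC receive-side scaling or a DPDK lcore assignment would) and keeps a per-source sliding-window packet count on that worker to flag a flooding source:

```python
"""Per-source flood detection with hash-based worker distribution.

Added example for this page: not Lanner's or the FW-8894's software. The
packet records, addresses, window and threshold are constructed.
"""
import hashlib
from collections import defaultdict, deque

# Constructed sample traffic: one source fires 200 DNS queries in 0.5 s with
# a changing source port, two ordinary clients send a handful of packets each.
ATTACKER = "203.0.113.7"
SAMPLE_PACKETS = (
    [{"ts": 10.0 + i * 0.0025, "src": ATTACKER, "dst": "198.51.100.53",
      "proto": "udp", "sport": 1024 + i, "dport": 53} for i in range(200)]
    + [{"ts": 10.0 + i * 0.1, "src": "192.0.2.10", "dst": "198.51.100.53",
        "proto": "udp", "sport": 40000 + i, "dport": 53} for i in range(8)]
    + [{"ts": 10.0 + i * 0.2, "src": "192.0.2.11", "dst": "198.51.100.80",
        "proto": "tcp", "sport": 50000, "dport": 80} for i in range(5)]
)


def assign_worker(src, n_workers):
    """Hash the source address to a worker index.

    NIC RSS normally hashes the 5-tuple so a TCP flow stays on one core. A
    per-source flood counter needs every packet from a source on the same
    core, so it is keyed on the source address alone: a flood that randomises
    its source port still lands in one counter, and no lock is needed.
    """
    digest = hashlib.blake2b(src.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


class SlidingWindowCounter:
    """Per-source packet count over a trailing time window."""

    def __init__(self, window_s, threshold):
        self.window_s = window_s
        self.threshold = threshold
        self.events = defaultdict(deque)  # src -> timestamps inside the window

    def observe(self, src, ts):
        """Record one packet; return True if the source is over threshold."""
        q = self.events[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= ts - self.window_s:
            q.popleft()
        return len(q) > self.threshold


def detect_floods(packets, window_s=1.0, threshold=50, n_workers=4):
    """Return the set of sources exceeding `threshold` packets in any window."""
    workers = [SlidingWindowCounter(window_s, threshold) for _ in range(n_workers)]
    flagged = set()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        w = assign_worker(pkt["src"], n_workers)
        if workers[w].observe(pkt["src"], pkt["ts"]):
            flagged.add(pkt["src"])
    return flagged


if __name__ == "__main__":
    print(sorted(detect_floods(SAMPLE_PACKETS)))  # ['203.0.113.7']
```

The worker assignment is the part that matters for scaling: if the counter were sharded on the full 5-tuple, a flood with randomised source ports would be split across all workers and each shard would see only a fraction of the rate. Keying the DDoS counter on source address keeps the state core-local without undercounting, while TCP flow state can still be distributed on the 5-tuple in a separate stage.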
LAN Bypass Technology
To keep traffic flowing without packet loss, the network appliance incorporates a fault-tolerant LAN bypass function that, in response to system failure, power outage or a specific software fault, either bypasses the inspection path (passing traffic straight through the port pair) or dynamically disconnects the Ethernet port. Bypass is a fail-open state: while it is active the segment carries traffic that is not inspected, so whether a given segment should bypass or disconnect on failure is a policy decision for the operator.
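The control loop behind that behaviour is a watchdog: the inspection engine kicks it while healthy, and a timer that runs independently of the engine switches the port pair when kicks stop. The following is an added example written for this page, not Lanner's bypass firmware; the timings, the hang and recovery points, and the per-segment fail-open/fail-closed policy are constructed for illustration:

```python
"""Watchdog-driven LAN bypass decision.

Added example for this page, not Lanner's bypass firmware: a simplified model
of the control loop behind a LAN bypass port pair. Timings and policies are
constructed for illustration.
"""
from enum import Enum


class Mode(Enum):
    INLINE = "inline"          # traffic flows through the inspection engine
    BYPASS = "bypass"          # relay closed: traffic passes, uninspected
    DISCONNECT = "disconnect"  # relay open: link down, traffic dropped


class BypassController:
    """One bypass port pair. fail_open=True fails to BYPASS, else to DISCONNECT."""

    def __init__(self, timeout_s, fail_open=True):
        self.timeout_s = timeout_s
        self.fail_open = fail_open
        self.last_kick = None
        self.mode = Mode.INLINE
        self.transitions = []  # (time, old mode, new mode)

    def kick(self, now):
        """Called by the inspection engine while it is healthy."""
        self.last_kick = now

    def tick(self, now):
        """Called by the independent timer; returns the mode now in force."""
        stale = self.last_kick is None or now - self.last_kick > self.timeout_s
        if stale:
            target = Mode.BYPASS if self.fail_open else Mode.DISCONNECT
        else:
            target = Mode.INLINE  # engine is alive again: re-insert inspection
        if target is not self.mode:
            self.transitions.append((now, self.mode, target))
            self.mode = target
        return self.mode


def simulate(fail_open, hang_at=2.0, recover_at=4.0, end=6.0,
             kick_period=0.1, tick_period=0.5, timeout_s=1.0):
    """Engine kicks every kick_period until hang_at, then resumes at recover_at.

    Returns the list of (time, old, new) transitions the controller made.
    """
    ctrl = BypassController(timeout_s, fail_open)
    steps = int(end / kick_period)
    for i in range(steps + 1):
        now = round(i * kick_period, 3)
        engine_alive = now < hang_at or now >= recover_at
        if engine_alive:
            ctrl.kick(now)
        # The timer fires every tick_period regardless of engine state.
        if abs(now / tick_period - round(now / tick_period)) < 1e-9:
            ctrl.tick(now)
    return ctrl.transitions


if __name__ == "__main__":
    for policy in (True, False):
        for t, old, new in simulate(fail_open=policy):
            print(f"fail_open={policy}: t={t} {old.value} -> {new.value}")
```

With the constructed timings the engine hangs at t=2.0, the watchdog expires on the tick at t=3.0, and the segment goes to BYPASS or DISCONNECT depending on its policy; once the engine kicks again at t=4.0 the next tick returns it to INLINE. In practice the return to inline is the step to watch: the engine should finish reloading its policy before it resumes kicking, or the segment is re-inserted while still running a partial configuration.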
High Availability and Reliability
Deployed in data centers to mitigate the threat of DDoS attacks, the security gateway adopts a high-reliability, redundant design to ensure the system can sustain 24/7 non-stop network operation.
The FW-8894 is a high-throughput, high-performance 1U next generation firewall that can enforce intensive security policies through software-defined, cloud-based advanced threat prevention (ATP) measures to detect malware. The integration of threat prevention and virtual appliance applications optimizes the capability of the FW-8894 as a hybrid firewall in the enterprise data center environment.
Figure – FW-8894
The FW-8894 is powered by Intel® Xeon® E5-2600 v3/v4 family processors (codenamed Haswell-EP and Broadwell-EP) paired with the Intel® C612 PCH (codenamed Wellsburg), the Grantley platform, offering superior computing and packet processing performance. DDR4 memory support (up to 512 GB) delivers higher memory bandwidth and better power efficiency.
The dual Intel® Xeon® E5-2600 v3/v4 series processor design in the FW-8894 not only boosts DPI scan rates for enterprise network traffic but also handles the associated control/signaling infrastructure requirements. Another major technological advantage is the support for hardware-assisted crypto-acceleration with the built-in Intel® DH8925 chipset (codenamed Coleto Creek), offloading encryption/decryption and compression at up to 25 Gbps.
To boost high-speed packet processing and optimize throughput, the FW-8894 leverages DPDK (Data Plane Development Kit), a set of libraries and poll-mode Ethernet drivers for accelerated packet processing that moves the data plane out of the kernel network stack into user space. The DPDK libraries improve data-plane performance through data prefetch and reduced memory access latency. The combination of Intel® processors and DPDK software enables higher scalability and flexibility in packet processing and workload offloading.
The modular and scalable panel design of the FW-8894 allows installation of more than 20 different Lanner Ethernet modules. The FW-8894 accommodates up to 4 module slots compatible with 1G, 10G or 40G, fiber or copper, with or without bypass connectivity (LAN bypass availability varies by module), such as the recently released NCS2-IXM407 and NCS2-IQM201, both based on the Intel® XL710 controller (codenamed Fortville).
Other redundancy and management features include a 650W 1+1 ATX redundant power supply, an OPMA slot for IPMI, and 4 hot-swappable cooling fans with smart fan control.