Introduction, Hardware architecture overview, Chapter 3 – Force10 Networks PSeries 100-00055-01 User Manual

Page 17: Chapter 3 introduction


P-Series Installation and Operation Guide, version 2.3.1.2


The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dynamic
Parallel Inspection (DPI) technology. It uses a Multiple Instruction Single Data (MISD) massively parallel
processor that executes thousands of security policies or traffic capture operations on the same data stream
at the same time.

DPI synthesizes individual security policies and packet analysis algorithms and maps them directly into
silicon hardware "gates." Through this design it is able to deliver full packet inspection and protection at
line rate for 1-Gigabit and 10-Gigabit links whether the traffic load or security policy is 1% or 100%.

The policies can be derived from public domain signatures, or they can be completely user-defined. For
each policy, you can direct the DPI to:

Capture packets for the host (capture is defined as both DMA to host and copying to the mirror port)

Forward packets (with negligible delay)

Block packets

As a result, the P10 can be used as both an IDS accelerator and a stateful content filter for IPS applications.
In an active configuration, it can be inserted inline into the network; this alleviates the need for a SPAN
port or tap and enables filtering applications. In passive configurations, it can merely listen to the network
via a mirroring port or tap.

Hardware Architecture Overview

The P10 is a 1-RU appliance provisioned with one DPI processing system, and has at minimum: an AMD
Dual Core Opteron 280 processor, a 400-GB hard drive, 8 GB of RAM.

Figure 3 shows packet flow in the DPI, which is a two-port device. Packets are forwarded from the receive
side of the first port (Rx0) to the transmit side of the second port (Tx1). Likewise, Rx1 forwards packets to
Tx0 of the first port.

As the packets are being forwarded they are also processed in real time by two independent processing
channels, each with its own set of policies. If there is a match in a processing channel, the DPI can block
the packet, capture it, and send it to the host through the PCI-X bus. The two processing channels are
completely independent, and thus they can be used to process two asymmetric links, or both directions of a
full-duplex connection.

In addition to two sensing interfaces, the P10 includes two 1-Gigabit Ethernet mirroring ports. These ports
can copy and forward matched traffic to another device. It is also possible to disable the PCI-X DMA
capture, and let the matched traffic bypass the host entirely for applications in which host capture is not
desired.
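The following is an added illustration, not code from Force10 or from this guide: a small Python model of the data path described above (per-policy capture, forward or block actions; Rx0 to Tx1 and Rx1 to Tx0 forwarding; two independent policy channels; a mirror port; and a host DMA capture that can be disabled). Policy patterns, packet contents and the rule that a blocked packet can still be captured are constructed assumptions for the example, and the sequential matching loop stands in for the parallel hardware evaluation.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    FORWARD = "forward"   # pass the packet on with negligible delay
    CAPTURE = "capture"   # DMA to host and copy to the mirror port
    BLOCK = "block"       # drop the packet from the forwarding path


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: bytes        # substring matched against the payload (constructed, toy matcher)
    action: Action


@dataclass(frozen=True)
class Packet:
    payload: bytes


@dataclass
class Channel:
    """One processing channel with its own independent policy set."""
    policies: list

    def evaluate(self, pkt):
        # The hardware evaluates every policy against the same packet at once;
        # this model walks the list sequentially and returns all matches.
        return [p for p in self.policies if p.pattern in pkt.payload]


@dataclass
class Dpi:
    channel0: Channel          # processes traffic arriving on Rx0 (forwarded to Tx1)
    channel1: Channel          # processes traffic arriving on Rx1 (forwarded to Tx0)
    dma_capture: bool = True   # False: matched traffic bypasses the host entirely
    host_captures: list = field(default_factory=list)   # what reached the host via DMA
    mirror_port: list = field(default_factory=list)     # copies sent to the mirror port
    tx: dict = field(default_factory=lambda: {"Tx0": [], "Tx1": []})

    def process(self, rx_port, pkt):
        channel, tx_port = {
            "Rx0": (self.channel0, "Tx1"),
            "Rx1": (self.channel1, "Tx0"),
        }[rx_port]
        matches = channel.evaluate(pkt)
        actions = {m.action for m in matches}
        if Action.CAPTURE in actions:
            # Capture means both a copy to the mirror port and DMA to the host;
            # the host copy is skipped when DMA capture has been disabled.
            self.mirror_port.append((rx_port, pkt))
            if self.dma_capture:
                self.host_captures.append((rx_port, [m.name for m in matches], pkt))
        blocked = Action.BLOCK in actions   # assumption: any blocking match drops the packet
        if not blocked:
            self.tx[tx_port].append(pkt)
        return {"matches": [m.name for m in matches],
                "forwarded_to": None if blocked else tx_port}


def build_demo_dpi(dma_capture=True):
    """Constructed policy sets: channel 0 captures and blocks, channel 1 only forwards."""
    ch0 = Channel([
        Policy("cap-marker", b"CAPTURE-MARKER", Action.CAPTURE),
        Policy("block-marker", b"BLOCK-MARKER", Action.BLOCK),
    ])
    ch1 = Channel([
        Policy("pass-all", b"", Action.FORWARD),   # empty pattern matches every packet
    ])
    return Dpi(channel0=ch0, channel1=ch1, dma_capture=dma_capture)


def run_demo(dma_capture=True):
    dpi = build_demo_dpi(dma_capture)
    results = [
        dpi.process("Rx0", Packet(b"ordinary traffic")),          # no match: forwarded to Tx1
        dpi.process("Rx0", Packet(b"hello CAPTURE-MARKER bye")),  # captured and forwarded
        dpi.process("Rx0", Packet(b"BLOCK-MARKER payload")),      # blocked, not forwarded
        dpi.process("Rx1", Packet(b"BLOCK-MARKER payload")),      # channel 1 has no block policy
    ]
    return dpi, results


if __name__ == "__main__":
    dpi, results = run_demo()
    for r in results:
        print(r)
    print("host captures:", len(dpi.host_captures), "mirror copies:", len(dpi.mirror_port))
```

Running the demo with `dma_capture=False` leaves the mirror port copy in place but nothing reaches the host, which is the bypass configuration the paragraph above describes; the fourth packet shows the two channels applying different policy sets to the two directions.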
