When explaining our NetGladiator technology the other day, a customer was very intrigued with our Layer 7 engine. He likened it to a caged tiger under the hood, gobbling up and spitting out data packets with the speed and cunning of the world’s most powerful feline.
He was surprised to see this level of capability in equipment offered at our prices. He was impressed with the speed attained for the price point of our solution (more on this later in the article)…
In order to create a rock-solid IPS (Intrusion Prevention System), capable of handling network speeds of up to 1 gigabit with standard Intel hardware, we had to devise a technology breakthrough in Layer 7 processing. Existing technologies were just too slow to keep up with network speed expectations.
In order to support higher speeds, most vendors use semi-custom chip sets and a technology called “ASIC“. This works well but is very expensive to manufacture.
How do typical Layer 7 engines work?
Our IPS story starts with our old Layer 7 engine. It was sitting idle on our NetEqualizer product. We had shelved it when we got away from from Layer 7 shaping in favor of Equalizing technology, which is a superior solution for traffic shaping. However, when we decided to move ahead with our new IPS this year, we realized we needed a fast-class analysis engine, one that could look at all data packets in real time. Our existing Layer 7 shaper only analyzed headers because that was adequate for its previous mission (detecting P2P streams). For our new IPS system, we needed a solution that could do a deep dive into the data packets. The IPS mission requires that you look at all the data – every packet crossing into a customer network.
The first step was to revamp the older engine and configure it to look at every packet. The results were disappointing. With the load of analyzing every packet, we could not get throughput any higher than about 20 megabits, far short of our goal of 1 gigabit.
What do we do differently with our updated Layer 7 engine?
Necessity is the mother of invention, and so we invented a better Layer 7 engine.
The key was to take advantage of multiple processors for analysis of data without delaying data packets. The way the old technology worked was that it would intercept a data packet on a data link, hold it, analyze it for P2P patterns, and then send it on. With this method, as packets come faster and faster you end up not having enough CPU time to do the analysis and still send the packet on without adding latency. Many customers find this out the hard way when they update their data speeds from older slower T1 technology. Typical analysis engines on affordable routers and firewalls often just can’t keep up with line speeds.
What we did was take advantage of a utility in the Linux Kernel called “clone skb”. This allows you to make a temporary copy of the data packet without the overhead of copying. More importantly, it allows us to send the packet on without delay and do the analysis within a millisecond (not quite line speed, but fast enough to stop an intruder).
We then combined the cloning with a new technology in the Linux kernel called Kernel Threading. This is different than the technology that large multi-threaded HTTP servers use because it happens at the kernel level, and we do not have to copy the packet up to some higher-level server for analysis. Copying a packet for analysis is a huge bottleneck and very time-consuming.
What were our Results?
With kernel threading, cloning, and a high-end Intel SMP processor, we can make use of 16 CPU’s doing packet analysis at the same time and we now have attained speeds close to our 1 gigabit target.
When we developed our bandwidth shaping technology in 2003/2004, we leveraged technology innovation to create a superior bandwidth control appliance (read our NetEqualizer Story). With the NetGladiator IPS, we have once again leveraged technology innovation to enable us to provide an intrusion prevention system at a very compelling price (register to get our price list), hence our customer’s remark about great speed for the price.
What other benefits does our low cost, high-speed layer 7 engine allow for? Is it just for IPS?
The sky is the limit here. Any type of pattern you want to look at in real-time can now be done at one tenth (1/10th) the cost of the ASIC class of shapers. Although we are not a fan of unauthorized intrusion into private data of the public Internet (we support Net Neutrality), there are hundreds of other uses which can be configured with our engine.
Some that we might consider in the future include:
– Spam filtering
– Unwanted protocols in your business
– Content blocking
– Keyword spotting
If you are interested in testing and experimenting in any of these areas with our raw technology, feel free to contact us firstname.lastname@example.org.