The Nevis LANsecure architecture is embedded in all LANenforcer LAN security systems. This architecture provides a comprehensive set of LAN security services and deployment options that are fully compatible with existing LAN infrastructures. The LANenforcer systems are built on the Nevis LANsecure security ASIC, an advanced design that provides a highly scalable, massively parallel computing base for Nevis' high-performance operating system and highly integrated security processing software.
The LANsecure architecture is the first to integrate usable, effective LAN security and networking without the need to install clients or replace existing network infrastructure. The LANsecure architecture provides the following security services, completely within the network:
- Role-based user access control policies, implemented using stateful firewall technology, which are centrally managed and based on a flexible, easy-to-use composite group policy model.
- Advanced threat containment using multiple techniques to detect, identify, and block problems close to the source and in real time, integrating traffic anomaly, signature matching, protocol anomaly, behavior anomaly and denial of service mitigation on all flows.
- Proactive endpoint compliance verification, combined with automatic quarantine and provisions for user self-remediation, which both supports multi-vendor network admission and access protection initiatives and includes clientless endpoint assessment.
- Centralized management, control, monitoring, and presentation that enables visibility into network use and abuse, combined with advanced security event correlation algorithms designed to identify and contain threats and threat trends across multiple networks.
Multiple, Flexible Deployments
The LANsecure architecture accommodates a variety of deployment models capable of securing the entire enterprise network, from access to the core.
- For secure access, users connect directly to the LANenforcer Secure Access Switch, where Nevis provides the compartmentalization needed for security policy enforcement and threat containment.
- For transparent deployment, uplinks from access switches connect to the existing upstream infrastructure through a LANenforcer LAN security appliance port pair, so that each link passes through a two-port bridge acting as a security enforcement point. The architecture does much more than secure the switched domain: it extends seamlessly to securing inter-subnet and core routed traffic as well, without the need to replace or upgrade existing network infrastructure.
The LANsecure ASIC provides the enabling technology for the entire LANenforcer product line, having been designed from the ground up as the basis for a family of security platforms. The overarching design goals were to enable integrated deep packet inspection security with high throughput flow-based network processing in a way that scales in multiple dimensions.
Most security appliances today are designed around general-purpose processors. Because these processors were not designed for packet processing, most appliances add FPGA, NPU, or custom ASIC front-ends. These front-ends offload mechanical fast-path processing to enhance performance. However, slow-path classification and security policy processing, including looking deep into packets to detect and identify malware, must still be done in software on the CPU, or in look-aside peripheral processors attached to the CPU.
The LANsecure ASIC overcomes this fundamental scalability limitation by integrating slow-path security processing directly into the massively multi-threaded network processing engines. This not only enables integrated flow classification and stateful firewall policy processing; it also modularizes the processing to support scaling and allows the system to react in real time to changes in policy or to dynamic network threat status. Because the LANsecure fast path is implemented entirely in software running on those engines, it can be extended to accommodate additional security or networking services in subsequent software releases. Furthermore, it uses the integrated security engines to accelerate in-line security processing on every packet, including threat signature matching and checksum verification.
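The following Python model is an added illustration of the two ideas above: the fast-path / slow-path split of flow-based processing, and the role-based stateful firewall policy listed among the security services. It is not Nevis code and does not describe how the LANsecure ASIC implements either mechanism internally. The first packet of a flow takes the slow path (a policy lookup keyed on the source endpoint's role); later packets of the same flow hit the flow cache (fast path); and a policy or role change invalidates cached decisions so enforcement reacts immediately rather than waiting for flows to age out. The rule set, the IP-to-role bindings, and the sample flows are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# A flow is identified by its 5-tuple: (proto, src_ip, dst_ip, sport, dport).
FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Rule:
    """One role-based firewall rule (constructed format, first match wins)."""
    role: str            # source endpoint's role, or "*" for any role
    proto: str           # "tcp", "udp", or "*"
    dst_net: str         # destination prefix in CIDR notation
    dport: Optional[int]  # None matches any destination port
    action: str          # "permit" or "deny"


class Enforcer:
    """Software model of a flow-based enforcement point (hypothetical)."""

    def __init__(self, rules: Iterable[Rule], role_of_ip: Dict[str, str]):
        self.rules = list(rules)
        self.role_of_ip = dict(role_of_ip)   # identity binding: src IP -> role
        self.flows: Dict[FlowKey, str] = {}  # flow cache: 5-tuple -> action
        self.stats = {"slow": 0, "fast": 0}

    def slow_path(self, key: FlowKey) -> str:
        """Full policy classification: role lookup plus ordered rule walk."""
        proto, src, dst, _sport, dport = key
        role = self.role_of_ip.get(src, "guest")  # unknown endpoints are guests
        dst_addr = ipaddress.ip_address(dst)
        for r in self.rules:
            if r.role not in (role, "*") or r.proto not in (proto, "*"):
                continue
            if dst_addr not in ipaddress.ip_network(r.dst_net):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action
        return "deny"  # default deny when no rule matches

    def process(self, key: FlowKey) -> str:
        """Per-packet entry point: cache hit is the fast path."""
        if key in self.flows:
            self.stats["fast"] += 1
            return self.flows[key]
        self.stats["slow"] += 1
        action = self.slow_path(key)
        self.flows[key] = action
        return action

    def update_rules(self, rules: Iterable[Rule]) -> None:
        """Policy change: drop every cached decision so all flows reclassify."""
        self.rules = list(rules)
        self.flows.clear()

    def set_role(self, ip: str, role: str) -> None:
        """Role change for one endpoint (e.g. failed compliance check ->
        quarantine): invalidate only that endpoint's cached flows."""
        self.role_of_ip[ip] = role
        self.flows = {k: v for k, v in self.flows.items() if k[1] != ip}


# Constructed policy: engineering reaches lab servers, finance reaches the
# finance subnet, everyone may resolve DNS, quarantined hosts reach only the
# remediation server.
RULES = [
    Rule("engineering", "tcp", "10.1.0.0/16", 22, "permit"),
    Rule("engineering", "tcp", "10.1.0.0/16", 443, "permit"),
    Rule("finance", "tcp", "10.2.0.0/16", 443, "permit"),
    Rule("*", "udp", "10.0.0.53/32", 53, "permit"),
    Rule("quarantine", "tcp", "10.9.9.9/32", 443, "permit"),
]
ROLES = {"192.168.1.10": "engineering", "192.168.2.20": "finance"}


def demo() -> dict:
    """Run a few constructed flows through the model and report the outcomes."""
    e = Enforcer(RULES, ROLES)
    ssh = ("tcp", "192.168.1.10", "10.1.5.5", 40000, 22)
    eng_ssh = [e.process(ssh) for _ in range(3)]       # 1 slow, then 2 fast
    fin_ssh = e.process(("tcp", "192.168.2.20", "10.1.5.5", 40001, 22))
    guest_dns = e.process(("udp", "192.168.3.30", "10.0.0.53", 5353, 53))
    e.set_role("192.168.1.10", "quarantine")            # endpoint quarantined
    after_quarantine = e.process(ssh)                   # reclassified, now denied
    remediation = e.process(("tcp", "192.168.1.10", "10.9.9.9", 40002, 443))
    return {
        "eng_ssh": eng_ssh, "fin_ssh": fin_ssh, "guest_dns": guest_dns,
        "after_quarantine": after_quarantine, "remediation": remediation,
        "stats": dict(e.stats),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the cache invalidation in `set_role` and `update_rules` is the "react in real time" property: a design that only consulted policy on the first packet of each flow would keep permitting an already-established session after the endpoint was quarantined, so cached decisions must be tied to the policy and identity state that produced them.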
In summary, each LANsecure ASIC provides:
- Up to 10 Gbps integrated networking and security throughput
- High performance interfaces, with hardware packet I/O and memory management, including hardware managed queues
- Six clusters of four CPU engines, each CPU supporting four-way hardware multi-threading, for a total of 96 threads (6 × 4 × 4). Each CPU can access any memory location, whether on-chip or off-chip.
- Integrated security processing engines for signature matching and TCP checksum processing