Prabhu Goel, iPolicy's chief executive officer, said the original platform developed for carriers used 14 separate network processors in a 2U system. For the new enterprise platforms, iPolicy has turned to a Pentium-based programmable system where all security software operates at the kernel level.
"What we didn't change is our commitment to programmable architectures rather than ASICs," said Goel. "Many security access specialists try to rely on ASICs, but when you want to do multiple packet inspections at Layers 4 through 7, you need the advantages of programmability."
The assumption driving design of the ipEnforcer was that corporations and carriers alike would need multiple layers of security, preferably implemented in one system residing next to the router. The platform would have to act as deep-inspection firewall, intrusion-detection and -prevention system, virtual private network, anti-virus controller, content-filtering engine, surveillance system and assessment platform for network vulnerabilities.
These tasks can't be handled sequentially, Goel said, which is why the company's founders came up with the concept of a single-pass inspection engine with submillisecond latency. The system uses an adaptive rules-based framework built on a decision-tree analysis architecture. Because so many security threats involve simple yes-no dichotomies, Goel said, a decision tree can be very, very broad, yet shallow enough to allow resolution of problems at wire speed. For the fastest system, the 6500, packet throughput is 5 Gbits/second.
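As an added illustration (not iPolicy's code or rule set) of the single-pass, shallow decision-tree approach Goel describes: a constructed tree of yes/no tests that settles the firewall, intrusion-detection and content-filtering decisions for a packet in one traversal. The packet fields, allowed ports, signature and blocked-host list are all hypothetical sample values.

```python
# Added illustration of a single-pass, shallow decision-tree classifier.
# Each node asks one yes/no question; the path to a leaf settles the
# firewall, IDS and content-filter decisions together in one traversal.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    host: str         # HTTP Host header, "" if none
    payload: bytes

@dataclass
class Node:
    test: Optional[Callable[[Packet], bool]] = None  # None marks a leaf
    yes: Optional["Node"] = None
    no: Optional["Node"] = None
    verdict: Optional[dict] = None                   # set on leaves only

# Constructed sample policy (hypothetical values, not iPolicy's rule set).
ALLOWED_PORTS = {80, 443}
BAD_SIGNATURE = b"cmd.exe"              # constructed IDS pattern
BLOCKED_HOSTS = {"gambling.example"}    # constructed content-filter list

def leaf(**verdict):
    return Node(verdict=verdict)

# At most three tests for any packet: broad in outcomes, shallow in depth.
ROOT = Node(
    test=lambda p: p.proto == "tcp" and p.dst_port in ALLOWED_PORTS,
    no=leaf(firewall="drop", ids="-", content="-"),
    yes=Node(
        test=lambda p: BAD_SIGNATURE in p.payload,
        yes=leaf(firewall="allow", ids="alert+drop", content="-"),
        no=Node(
            test=lambda p: p.host in BLOCKED_HOSTS,
            yes=leaf(firewall="allow", ids="clean", content="block"),
            no=leaf(firewall="allow", ids="clean", content="allow"),
        ),
    ),
)

def classify(pkt, root=ROOT):
    """One walk from root to leaf; returns (verdict, number of tests run)."""
    node, tests = root, 0
    while node.test is not None:
        tests += 1
        node = node.yes if node.test(pkt) else node.no
    return node.verdict, tests
```

The second return value shows why the tree stays cheap: no packet is examined more than three times, whereas separate firewall, IDS and filtering engines would each re-inspect it.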
Tiered management