Top of Rack Security Switch

The B1 is a unique device that combines a Top-of-Rack switch with a high-end compute environment. In the Security Switch configuration, the compute environment is running the Brocade vRouter Firewall.

Thus, in the same 1U that is currently occupied by only a switch, you can now also host rack level Firewall security.

The B1 provides:

  • Twice the density
  • In one-half the rack space
  • At about two thirds the hardware cost

The front panel of the B1 has 24 x 10Gig ports and 4 x 40Gig ports. The network and compute environments are connected with an 80Gig link (8 x 10Gig ports). This is a total non-blocking switching capacity of 480Gig.

Firewall Features

  • 60+ Gbps throughput
  • Stateful Inspection Firewall
  • Zone-based Firewall
  • Intel® DPDK Support
  • ICMP Type Firewall

Switch Features

  • 480 Gbps switch fabric
  • 24 10G ports
  • 4 40G uplink ports
  • 80 Gbps data path between server/switch environments

Additional Features

  • Network Address Translation
  • 3DES, AES Encryption
  • MD5 and SHA-1 authentication
  • RSA, Diffie-Hellman Key Management
  • NAT Traversal
  • Role-Based Access Control (RBAC)

Tunneling/VPN Functionality

  • SSL-based OpenVPN
  • Site to Site (IPSec)
  • Layer 2 Bridging over GRE
  • Remote VPN (L2TP, IPSec)
  • Layer 2 Bridging over OpenVPN
  • Dynamic Multipoint VPN

Full Featured Switch

The networking environment is a fully featured switch/router. OpenArchitect switch management software provides the management functionality and the Linux Networking API for protocol support. The Quagga L3 Protocol Suite includes all the major RFCs (RIP, OSPF, BGP, LACP, etc.).

In addition, Packet Filtering software included with OpenArchitect provides the ability to selectively control flows prior to the standard L2 and L3 processing in the switch silicon. Packet Filtering is a key technology in managing which flows have to pass through the firewall and which can be switched directly to the servers in the rack.

Firewall Environment

In the Top-of-Rack Security Switch configuration, the compute environment of the B1 hosts the Brocade 5600 vRouter Firewall software with Brocade vPlane technology. vPlane utilizes the Intel Data Plane Development Kit (DPDK) technology to deliver breakthrough performance levels of 60+ Gig Firewall throughput.

The B1 plus vRouter set new price/performance standards that enable deploying firewall security at the top of every rack.

Threats from everywhere

Not too long ago, security threats were viewed as an external problem that was addressed via a firewall at the perimeter. Now the concept of the “perimeter” is not clear. The East-West traffic within the data center is risky, just like the external North-South traffic.

The New Security Model

A new security strategy is needed. One that moves the security closer to the compute resources. One that provides Firewall security at the top of every rack.

Enforcement Point at the top of every rack

A new and effective strategy is to divide the enterprise network infrastructure into isolated segments with a security “enforcement point” at every intersection. A natural segmentation in the data center is the rack. Data flows to and from all the servers within the rack through the top-of-rack switch. Adding a firewall Enforcement Point at the top-of-rack moves a critical security technology next to the servers in the rack.

It also creates a security architecture that is scalable. As the data center grows, each new rack has the same configuration: servers in the rack, top-of-rack switch, and a top-of-rack security Enforcement Point.

Figure 2 shows the B1 with a vRouter Firewall installed on the compute section as a top-of-rack Enforcement Point. Flows coming into the rack can be routed to the Firewall or directly switched to the servers.

Processing Trusted Vs. At-Risk Flows

In the most common configuration of the B1 Security Switch, the uplink capabilities will be configured as two 80 Gig trunks—one active and one standby. The Firewall capabilities are in the 60+ Gig range. This means that full line rate into the chassis will exceed the Firewall throughput.

The solution to this issue is to treat some flows as “trusted” and have these forwarded directly to the down rack servers by the network section of the B1. The other flows will be treated as “Risky” and therefore have to be processed by the vRouter Firewall.

As shown in Figure 2 above, the B1 Network section determines how flows traverse from ingress at the switch to the target server (or VM). Some flows are directly routed by the Network switch in the B1 to the target server (VM). The other flows have to pass through the vRouter Firewall to gain access to the down rack server (VM).

Using ToR Enforcement Points to Address Attack Vectors

Figure 3: Security Enforcement Points at the top of every rack shows a data center with the standard firewall at the connection to the Internet. It also shows a B1 Security Switch at the top of each server rack. This strategy provides multiple layers of security. The numbers on Figure 1 correspond to the Threat Vectors addressed by the B1 Security Switches. These Threat Vectors are defined in Table 1: Example Attack Vectors and Enforcement Point Mitigation.

| # | Attack Vector | Description | Enforcement |
|---|---|---|---|
| 1 | Insider and Malware | The most damaging attacks happen from the inside, not under the scrutiny of the security gateway. The highest profile data compromises have occurred from employees accessing unauthorized data or accidentally allowing malware on the internal network. | Enforcement points allow for segmenting and individually provisioning data and services so malicious activity can occur. Malware and insiders are limited in which segments they are authorized to use. |
| 2 | Compromised Server | Servers within the datacenter need the ability to handle different types of traffic, and some must accept connections from the outside world to deliver their services (ex. HTTP or email traffic). This leaves segments open to access across the east to west plane of a datacenter. | By deploying Enforcement Points at each datacenter segment, the security services enabled can be customized to the type of traffic and services on that segment. A compromised server on one segment cannot provide access to a server on another segment, limiting the attack. |
| 3 | Exploit | Exploits in network equipment operating systems can allow access to the device from across the internet using discovery processes in protocols. Once inside the gateway, the client running the network operating system can access non-protected areas of the datacenter. | By provisioning each individual segment enforcement point, unauthorized access can be limited to the network infrastructure and not the servers/clients in each protected segment. |
| 4 | Outsider | Either malware or misconfiguration (ex: ports open) of the main security gateway can allow an outside attacker access. Once an access methodology is established, a malicious user can access different segments of the network. | Enforcement Points provide a second layer of security for each leaf segment of the network, stopping malicious users from accessing segments that are not allowed. |

* Brocade and 5600 vRouter are trademarks of Brocade.