Deep Packet Inspection (DPI) is playing an increasingly important role in networking today, becoming more and more of a service enabler for quality of experience (QoE), data center and network security, Virtual CPE services, network and subscriber analytics, and more. With advancements in Network Function Virtualization (NFV) and Software Defined Networking (SDN), new use cases have emerged for Virtualized Deep Packet Inspection (vDPI), that is, DPI solutions such as Virtual Firewall deployed as a virtual network function (VNF).
ALTEN Calsoft Labs Virtual Firewall Framework
ALTEN Calsoft Labs’ Virtual Firewall Framework is a reusable, high-performance, DPDK-optimized security solution developed to run on Intel x86-based platforms. Network Equipment Manufacturers (NEM) can use it to develop customized Virtual CPE (vCPE), Firewall or IDS/IPS solutions for network operators. The software and hardware architecture of our Virtual Firewall Framework delivers up to 5x performance over traditional Linux appliances based on x86 processors. It forms an integral part of our vCPE solution with the addition of Firewall, IDS/IPS and application-aware QoS services. The framework offers an optimized and balanced combination of Access Control Lists (ACL), Stateful Firewall, Intrusion Detection/Prevention and application visibility & control. ALTEN Calsoft Labs’ vFirewall Framework is able to deliver industry-leading performance by using innovative techniques such as receive-side scaling, hyper-threading and SIMD instructions, and by keeping the signature database small enough to fit into the processor cache, thereby avoiding memory calls during runtime packet processing.
- Deployable on COTS x86 platforms
- Support for different virtualization environments (KVM, Xen, etc.)
- I/O Virtualization: VirtIO, SR-IOV
- 6.7Gbps of packet inspection per CPU core with 18K+ rules loaded
- Scales linearly with the number of CPU cores
- Bare metal deployment
- Standalone instance as a Virtual Machine (VM)
- Cloud deployment e.g. GCP, AWS, OpenStack cloud
- NFV Service Chain: vFirewall components (ACL, IDS/IPS or AVC) can be deployed in a service chain along with other VNFs such as VPN, NAT, Router, etc. to bring greater flexibility and efficiency to NFV deployments.
- Enterprise Firewall: Virtual Firewall can be used to build application-aware enterprise firewalls with IDS/IPS capability in OpenStack-orchestrated private clouds, or public clouds such as AWS, Google Cloud, etc.
- Virtual Firewall as a VNF component: vFirewall can be integrated as a standalone VNFC to develop solutions for Subscriber analytics, content caching, Application security and QoS.
This security solution is developed to run on Intel x86-based platforms, using the Intel DPDK (Data Plane Development Kit) Software Development Kit (SDK). The next-gen firewall, deeply integrated with our DPI framework, adds strong security functionality to the complete solution. The solution addresses a need for security tools to prevent increasingly sophisticated attacks, with sufficient intelligence and automation to take the guesswork out of attack prevention and resolution. The solution is an optimized and balanced combination of Access Control Lists, Stateful Firewall, Intrusion Detection/Prevention system (IDS/IPS) and Application Visibility & Control (AVC).
- Intel DPDK (DPDK-16.04) based optimized packet handling for high-performance fast-path processing
- Inherent multi-threaded architecture for high performance
- IPv6 Support
- Tunnel decoding
- TCP session tracking & stream reassembly
- File identification, extraction and logging
- Network stack visibility
- Stateful HTTP parsing
- IP reputation
- Malware/botnet/DoS/DDoS protection
- Signature/rule management with Emerging Threats
- User friendly GUI with comprehensive analytics
- Detection of 1000+ protocols & applications such as Facebook, Twitter, WhatsApp, Warcraft, Skype, YouTube, etc. using industry leading DPI libraries