By David Le Goff – 6WIND Product Marketing Manager
Today’s enterprise-class security appliances need to secure and manage hundreds of thousands of connections in deployments such as enterprise and public/private cloud data centers. The increasing sophistication of threats calls for advanced security features, which in turn demand ever-increasing levels of security processing within standard equipment form factors.
The standard Linux OS is inefficient for high-performance security solutions, since its inherent locking mechanisms limit its ability to scale effectively as NAT establishment rates increase. Any Linux-based security application, however, must be fully compatible with Linux management standards such as netfilter and iptables.
The 6WINDGate packet processing software includes a comprehensive packet filtering solution, architected as a stateless 5-tuple-based ACL (Access Control List) that is fully compatible with the netfilter standards. Within the Linux kernel and the 6WINDGate fast path, the appropriate hooks are implemented to intercept and manipulate network packets. Both NAT and filtering functions are performed within the fast path, in order to maximize the overall packet processing performance. The lock-free architecture achieves the level of scalability required for high-end equipment, since performance increases linearly with the number of cores configured to run the fast path.
To ensure full compatibility with industry standards, 6WINDGate supports Linux netfilter functions such as ebtables, arptables, ip6tables, iptables and conntrack.
6WINDGate Filtering Architecture
A wide range of network security products benefit from 6WINDGate, achieving high performance along with efficient management of hundreds of thousands of sessions. Examples of these products include Linux-based firewalls, IPSs, security gateways, proxies and ADCs. The availability of other QoS and crypto features within 6WINDGate enables its use as an integrated security solution for high-end networking equipment within large-scale data centers and core networks. In such applications, a 6WINDGate-based security appliance can handle more than 100K NAT sessions per second and scale up to more than 18M Large-Scale NAT sessions in total.