Juniper's Linux IPS Hits 10Gb/sec

By Sean Michael Kerner | Apr 8, 2008
http://www.enterprisenetworkingplanet.com/news/article.php/3739336/Junipers-Linux-IPS-Hits-10Gbsec.htm

Many enterprises struggle with the competing requirements of speed and security in their networks. Juniper Networks (NASDAQ: JNPR) claims to have the solution with its new Linux OS-based high-end Intrusion Detection Platform (IDP), which can scale all the way up to 10 gigabits per second (Gb/sec) of throughput.

Juniper's new platform comes at a time when the market for high-end intrusion prevention/detection (IPS/IDS) systems is becoming a hotly contested one, with TippingPoint, Cisco (NASDAQ: CSCO), Sourcefire (NASDAQ: FIRE) and others all trying to stake their claim to high-speed superiority.

"Because of new real-world performance in the IDP 8200, it's not just for deployment at the network edge but you could also deploy it at the network core," John Yun, product marketing manager at Juniper, told InternetNews.com.

That's not to say, however, that a carrier could deploy the IDP 8200 at the top end of the network core without having some kind of performance impact. At the high end of network core devices is Juniper's T1600 multi-terabit router, which could be deployed alongside the IDP 8200, but there are some caveats.

"We're looking far deeper into the packet than just looking at the header to make a decision of where to forward the packet," Rajneesh Chopra, director of product management at Juniper, explained. "Based on our internal lab tests it takes about 15 processing cycles to process packet forwarding," Chopra added. Chopra continued: "If you're doing firewall it requires 400; to do real IPS it takes about 45,000 cycles. So will it scale to T series scale? I think at that right place in the topology it will. If you sat it next to the T series to do all of IPS next to all the forwarding, it will certainly not do that."

Juniper's entry into the high-end 10GbE IPS space follows moves by other vendors into the space, including Force10 and TippingPoint.

Chopra argued that the time is now right for 10GbE IPS and that Juniper is now seeing the demand for it. Among the reasons why demand is surging is the fact that price points of 10GbE switch infrastructure have become more competitive. Chopra also noted that with the increased power of servers, laptops and virtualization the overall volume of network traffic is increasing as well.

All that increased demand is fueling the increased need for high-end security.

"We believe existing demand for IPS will grow," Chopra said. "We also believe a large proportion of stand-alone IPS revenue will come increasingly from the larger boxes."

Across most of Juniper's product portfolio, routers and other networking gear are typically powered by Juniper's JUNOS operating system. That's not the case with the IDP 8200.

"These boxes run on Linux," Chopra explained. "It goes through the same discipline as JUNOS in terms of engineering and QA processes, so when we talk about a single core release and the rigors of regression testing it follows the same process."

Chopra noted that Juniper is not using a Linux distribution from any particular vendor but rather is using its own customized version of Linux.

For Chopra, though, the road to increased IPS adoption isn't necessarily about operating systems or raw speed; it's about usability and inspection. On the usability side, Chopra noted that Juniper has tried to make IPS easier to use with the new platform, which also integrates with Juniper's STRM and NSM management platforms.

"There used to be a time when you could enforce security using IPs and ports, but now we know that in many parts of the network that is too blunt an instrument to use," Chopra said. "You need something more nuanced that looks deeper into packets so you can enforce more on the constructs within the application, and that's where I think IPS is really going to shine."

Article courtesy of InternetNews.com