Chapter 3 | Introduction
The DPI synthesizes individual security policies and packet analysis algorithms and maps them directly into silicon hardware "gates." Through this design it is able to deliver full packet inspection and protection at line rate for
The policies can be derived from public domain signatures, or they can be completely
• Capture packets for the host (capture is defined as both DMA to host and copying to the mirror port)
• Forward packets (with negligible delay)
• Block packets
As a result, the P10 can be used both as an IDS accelerator and as a stateful content filter for IPS applications. In an active configuration it is inserted inline into the network; this removes the need for a SPAN port or tap and enables filtering (blocking) applications. In a passive configuration it only listens to the network via a mirroring port or tap, so it can capture and alert but not block.
Hardware Architecture Overview
The P10 is a
Figure 3 shows packet flow in the DPI, which is a two-port device. Packets are forwarded from the receive side of the first port (Rx0) to the transmit side of the second port (Tx1). Likewise, Rx1 forwards packets to Tx0 of the first port.
As the packets are being forwarded they are also processed in real time by two independent processing channels, each with its own set of policies. If a packet matches a policy in a processing channel, the DPI can block it, or capture it and send it to the host through the PCI-X bus. Because the two processing channels are completely independent, they can be used to process either two asymmetric links or both directions of a single full-duplex connection.
In addition to the two sensing interfaces, the P10 includes two 1-Gigabit Ethernet mirroring ports. These ports copy matched traffic and forward it to another device. It is also possible to disable the PCI-X DMA capture and let the matched traffic bypass the host entirely, for applications in which host capture is not desired; matched packets then go only to the mirror port.
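The packet path described above (Rx0 to Tx1 and Rx1 to Tx0, one independent policy set per channel, and the three policy outcomes of forward, capture and block, with capture meaning both DMA to the host and a copy to the mirror port) can be modelled in software to make the data flow concrete. The following is an added example written for this page; it is not vendor code and does not reflect how the P10 implements policies in hardware. It assumes that a policy is a byte regex over the packet (the real device compiles signatures into gates), that when several policies match the strongest action wins (block over capture over forward), and that channel n's copies go to mirror port n; all three are modelling assumptions, as are the sample packets and policies, which are constructed.

```python
"""Software model of a two-port DPI packet path (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    FORWARD = "forward"   # pass the packet through with no copy
    CAPTURE = "capture"   # DMA to host and copy to the mirror port; packet is still forwarded
    BLOCK = "block"       # drop the packet; it never reaches the transmit side


@dataclass
class Policy:
    name: str
    pattern: bytes        # assumption: signature expressed as a byte regex over the packet
    action: Action


@dataclass
class Channel:
    """One independent processing channel with its own policy set."""
    policies: list
    host_capture: bool = True   # False models disabling PCI-X DMA capture (mirror port only)

    def evaluate(self, pkt: bytes):
        """Return the names of matching policies and the resulting action.

        Assumption: when several policies match, block wins over capture,
        and capture wins over forward.
        """
        matched = [p for p in self.policies if re.search(p.pattern, pkt)]
        if any(p.action is Action.BLOCK for p in matched):
            action = Action.BLOCK
        elif any(p.action is Action.CAPTURE for p in matched):
            action = Action.CAPTURE
        else:
            action = Action.FORWARD
        return [p.name for p in matched], action


@dataclass
class DPI:
    """Two-port device: Rx0 -> Tx1 via channel 0, Rx1 -> Tx0 via channel 1."""
    channels: tuple
    tx: dict = field(default_factory=lambda: {0: [], 1: []})      # packets sent out of each port
    mirror: dict = field(default_factory=lambda: {0: [], 1: []})  # copies sent to mirror port n (assumed mapping)
    host: list = field(default_factory=list)                      # packets DMA'd to the host

    def receive(self, rx_port: int, pkt: bytes) -> dict:
        """Process one packet arriving on rx_port and return a record of what happened."""
        chan = self.channels[rx_port]
        tx_port = 1 - rx_port                      # Rx0 -> Tx1, Rx1 -> Tx0
        names, action = chan.evaluate(pkt)
        record = {"rx": rx_port, "tx": None, "matched": names, "action": action.value,
                  "captured_to_host": False, "mirrored": False}
        if action is Action.BLOCK:
            return record                          # dropped: nothing transmitted
        if action is Action.CAPTURE:
            self.mirror[rx_port].append(pkt)       # capture always copies to the mirror port
            record["mirrored"] = True
            if chan.host_capture:                  # DMA to host only if not disabled
                self.host.append((rx_port, names, pkt))
                record["captured_to_host"] = True
        self.tx[tx_port].append(pkt)               # forwarded in either case
        record["tx"] = tx_port
        return record


def run_demo():
    """Push constructed traffic through constructed policies; return the device and records."""
    ingress = Channel([
        Policy("cmd-injection", rb"(?:;|\|\|)\s*(?:cat|wget)\s", Action.BLOCK),
        Policy("sql-probe", rb"(?i)union\s+select", Action.CAPTURE),
    ])
    egress = Channel([
        Policy("beacon", rb"X-Beacon-Id:", Action.CAPTURE),
    ], host_capture=False)                         # mirror-only on the return direction
    dpi = DPI(channels=(ingress, egress))
    packets = [                                    # constructed sample packets
        (0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (0, b"GET /item?id=1 UNION SELECT user,pass FROM t HTTP/1.1\r\n"),
        (0, b"GET /cgi?x=a;cat /etc/passwd HTTP/1.1\r\n"),
        (1, b"HTTP/1.1 200 OK\r\nX-Beacon-Id: 7\r\n\r\n"),
    ]
    return dpi, [dpi.receive(port, pkt) for port, pkt in packets]


if __name__ == "__main__":
    device, records = run_demo()
    for r in records:
        print(r)
    print("host captures:", len(device.host), "mirror copies:",
          {p: len(v) for p, v in device.mirror.items()})
```

The model makes two properties of the architecture visible: a packet that matches nothing on its channel still crosses to the opposite port unchanged, and the two channels never see each other's traffic or policies, so the second packet on port 1 is judged only by the egress policy set. Disabling host capture on one channel changes only where the copy goes, not whether the packet is forwarded.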