Qosmos for Next Generation Firewalls

Overview

The Challenge

Firewalls can no longer use ports to effectively classify traffic. Today’s firewalls must have:

  • Layer 7 / application identification
  • Visibility into application usage patterns (who is doing what), which advanced security applications such as IPS require beyond classification

Firewall vendors risk spending considerable time and money developing a traffic decoding technology such as Deep Packet Inspection and keeping up with constantly changing protocols and applications that make networks vulnerable.

Solutions

How Qosmos Inside Solves the Problem

  • Qosmos decoding engine – ixEngine – is embedded into next-generation firewalls to provide Layer 7 application classification and delivery of traffic metadata attributes, such as message senders and receivers, and names of files shared or attached in an application.
  • Within days, firewall vendors can embed ixEngine into products for unmatched application classification and more effective security policy management.
  • Protocol Watch Service systematically tests protocols, identifies variants and new protocols, and updates ixEngine’s decoder.

Benefits

Benefits for firewall vendors

Full application visibility
  • Identifies applications based on protocol grammar analysis, not ports
  • Goes beyond traditional Deep Packet Inspection to decode traffic inside tunneling protocols
  • Distinguishes actions launched within an application (such as login, browse, chat, file transfer, etc.)
  • Real-time extraction of communications metadata such as message senders and receivers, and names of files shared or attached in an application.
  • Recognizes thousands of protocols, applications and metadata
  • Protocol Plugin Creator allows users to develop their own protocol plugins that can be integrated in the ixEngine framework.
Designed with “Triple R” (robustness, reliability and resilience) in mind
  • Resilience, by functioning even under adverse external conditions (e.g. maliciously forged packets or flows)
  • Robustness, by performing well during difficult situations (e.g. SYN flood attacks, incomplete traffic)
  • Reliability, by adequately decoding traffic even under unusual circumstances (e.g. tunnels, obfuscated traffic, non-standard protocol behavior)
Support for ALL leading processor architectures
  • Optimized for all leading processors on the market: Intel x86, NetLogic XLR, Cavium Octeon, Tilera TILEPro, and Freescale PowerQUICC.
  • Application classification at traffic speeds up to 10 Gbps on a single processor

Protocols and Applications

Recognized protocols and applications (sample)

  • Email (SMTP, POP3, IMAP, Lotus Notes, etc.)
  • Webmails (Gmail, Yahoo Mail, Outlook Web Access, etc.)
  • Instant Messaging (MSN Messenger, Yahoo! Messenger, etc.)
  • Web applications (HTTP, web browsing, URLs, etc.)
  • Tunnels (ICMP, HTTP tunneling, GRE, L2TP, etc.)
  • File transfer protocols (FTP, Jabber, AIM file transfer, etc.)
  • P2P applications (eDonkey, BitTorrent, Gnutella, etc.)
  • Streaming (VoIP, media streaming, etc.)
  • Business applications (CRM, ERP, appliance or web mode, etc.)
  • Database protocols (MySQL, Postgres, etc.)
  • Online gaming

Application visibility (sample)

  • HTTP: visited URL, URI
  • Email, webmails, Social Networks and messaging: logging, sender, receiver(s), attached document (type, name, content) etc.
  • File transfer, P2P: login, file type, file name, file content, etc.

“There is a trend towards using niche specialists in the DPI area. Outsourcing highly specialized technical capabilities allows Equipment Manufacturers to focus on overall solutions development.”

Graham Finnie
Chief Analyst, Heavy Reading