The iPolicy Single-Pass Architecture

Most network security applications (firewall, intrusion detection and prevention, URL filtering, content screening, etc.) execute by following very similar steps: inspection of packets, followed by analysis of protocols and content, followed by a decision on how the packet, the session, the traffic from the source, etc. should be handled.

Information security today requires protection from a variety of threats, each of which is typically mitigated by a specialized security function or product. Each specialized security appliance (or each security application, if executed on a shared hardware platform) runs the sequence of processes just outlined. Each opens the packet. Each inspects it. Each analyzes it and decides whether to let it through or discard it. And each does all this oblivious to the findings and rules applied by the other security functions in the chain. This sequential process increases overall traffic latency, lowers throughput, and is ineffective against blended threats.

Innovative Approach
iPolicy Networks took an innovative approach to providing comprehensive security monitoring and policy enforcement that obviates the inefficiencies of the repetitive steps used in today’s solutions. Its name: the Single Pass Architecture.

A security gateway based on the Single Pass Architecture performs a one-time layer 3 to layer 7 stateful inspection of the packet. This is followed by a shared multifunction security analysis, and the result can be a correlated multi-level response. The Single Pass Architecture implementation relies on two main components: a single-pass rule analysis engine and a single-pass rule enforcement engine.

The Single-Pass Rule Analysis Engine
The single-pass rule analysis engine runs on the central management platform. Its function is to generate a rule tree that defines the behavior of the enforcement devices. The rule analysis engine takes all the security policy rules configured by the administrator and generates a common rule tree for all the security services enabled. The rule tree incorporates layer 3 to 7 information that is required for analysis against the configured policies as well as the knowledge bases for the security functions enabled. The primary rule tree is then optimized and broken into subsets that will be downloaded to the sensing devices on the network for comprehensive security monitoring and policy enforcement. The enforcement devices are called Intrusion Prevention Firewalls.

The Single-Pass Rule Enforcement Engine
The second component of this architecture, the single-pass rule enforcement engine, runs on the iPolicy Intrusion Prevention Firewall appliances, which are the in-line devices installed at perimeter or internal security checkpoints across the network. The rule enforcement engine opens each packet once, then applies the inspection and decision defined by the centrally compiled rule tree. Based on the policy, the action responses vary from letting the packet through, silently dropping it, logging an event, starting to record the session, generating an alert, blocking a port, etc. In essence, only one holistic security application that incorporates all the enabled security functions is running. This enables an intrinsic correlation between the security functions. For example, an IDS signature match identifying a worm can instantly create a dynamic firewall rule to close a specific port or to block all traffic from an infected host that the worm is using to propagate itself. There is zero delay between the time the worm is identified and the time the firewall rule takes effect.

Measurable benefits
The Single Pass Architecture brings forth many benefits in addition to the enhanced security posture that comes from instantly correlated responses. One is higher performance and significantly lower latency. Low latency is important in media streaming applications such as Voice over IP.

Unlike competing solutions, with disjoint security applications running as separate processes and processing packets sequentially, the performance of the iPolicy solution is little affected when additional security functions are enabled. This advantage will gain further prominence as the number of security functions required to protect a network keeps growing.

Another benefit is lower cost, especially when compared to the cost of multiple security appliances from different vendors deployed in series. The savings apply not only to the initial equipment acquisition cost, but also to the ongoing costs of management, training, maintenance and support.

Future-proof Architecture
Finally, a key benefit of the Single Pass Architecture is extensibility. This is important in a world in which new forms of threats keep emerging. The rule analysis engine can be enhanced to account for new threats, resulting in an expanded common rule tree. This does not impair performance because the rule tree becomes wider rather than deeper. Many more branches may be added, but irrelevant branches are quickly pruned off during the analysis and enforcement steps. Of course, the addition of new security functions does not change the critical fact that packets are opened and inspected once, and only once. New functions do not require more steps during security processing.
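To make the enforcement-engine behaviour and the "wider, not deeper" pruning argument concrete, here is an added illustration written for this page; it is not iPolicy's code, and the rule-tree layout, service names, signature strings and addresses are all constructed assumptions. The tree is keyed on layer-3/4 facts so that only one branch is walked per packet, matches from several services share that single pass, and an IDS match installs a dynamic firewall rule that the next packet from the same host hits before any inspection.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    dst_port: int
    src: str
    url: str = ""
    payload: bytes = b""


@dataclass
class SinglePassEngine:
    # Hypothetical tree: (proto, port) -> list of (service, predicate, action).
    tree: dict
    blocked_hosts: set = field(default_factory=set)  # dynamic firewall rules from correlation
    events: list = field(default_factory=list)       # log / alert records
    checks: int = 0                                   # predicates evaluated, to show pruning

    def process(self, pkt: Packet):
        # Dynamic rules installed by an earlier correlated response apply to all traffic.
        if pkt.src in self.blocked_hosts:
            return "drop", "dynamic_block"
        # Open the packet once and walk only the branch whose key matches; every
        # other branch is pruned without any of its predicates being evaluated.
        for service, predicate, action in self.tree.get((pkt.proto, pkt.dst_port), []):
            self.checks += 1
            if predicate(pkt):
                self.events.append((service, action, pkt.src))
                if action == "log":          # non-terminating action, keep walking
                    continue
                if action == "block_host":   # IDS match creates a firewall rule at once
                    self.blocked_hosts.add(pkt.src)
                return "drop", service
        return "allow", None


def build_tree():
    # Constructed rules from three services merged into one tree; signatures are placeholders.
    return {
        ("tcp", 80): [
            ("firewall", lambda p: p.src.startswith("192.0.2."), "log"),
            ("url_filter", lambda p: p.url.startswith("http://bad.example/"), "drop"),
            ("ids", lambda p: b"WORM-SIGNATURE-PLACEHOLDER" in p.payload, "block_host"),
        ],
        ("tcp", 25): [
            ("content_screen", lambda p: b"MAIL-SIGNATURE-PLACEHOLDER" in p.payload, "drop"),
        ],
    }
```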

“iPolicy is one of the most visionary firewall vendors in the firewall Magic Quadrant. Its architecture of a central session processing engine and multiple content blades that are able to block based on signatures, rules and so on is the closest to the network security ideal.”
Greg Young, John Pescatore
Magic Quadrant for Network Firewalls, 2H04, Gartner
Copyright ©2007 iPolicy Networks