Design Article
Hardware, software for SME security gear
Alex Soohoo
8/1/2003 7:59 AM EDT
To design a next-generation small/medium-enterprise (SME) converged security appliance, a number of security hardware, software and algorithm technology trajectories must be considered.
When the designers of next-generation security boxes evaluate the challenges, they must first consider the target market. How many users will have to be supported? How much secure bandwidth must be delivered?
Those requirements must be satisfied in systems that can range from the type of box found in a large company's headquarters down to a small-office/home-office (SoHo) gateway designed to serve only a handful of users. Clearly, the two would try to solve technical challenges in different ways. The focus of this discussion will be on small/medium-enterprise security equipment, which typically specifies support for up to a hundred users simultaneously and provides up to 100 Mbits/second of full-duplex secure bandwidth.
A second design consideration is the choice between a one-chip and a two-chip architecture. Some semiconductor vendors have introduced integrated processors with on-chip security engines to address the SoHo market. While there are specific applications for which these one-chip solutions are most appropriate (SoHo is one), this category of security appliance has historically been designed using a two-chip embedded architecture: an integrated communications processor working with a dedicated security coprocessor that accelerates IP Security (IPsec), the basis for virtual private network (VPN) tunneling. The integrated communications processor provides the key on-chip interfaces to connect to the various network ports and external devices.
A two-chip solution can provide both flexibility and a higher degree of security in the applications where it is required. A two-chip design allows the designer to choose the best-in-class solution; the integrated single-chip approach must compromise on some aspect of performance.
For example, one mandate on the designer is to provide an upgrade path to address new security threats as they arise. To do that, it would be prudent to choose a faster processor with spare CPU cycles, or at least one with higher-frequency pin-compatible family members on the road map. Often this is not possible with the integrated solution, since it has been optimized for a particular price/performance point. The designer of a next-generation security box must allocate processor performance headroom in anticipation of growing software demands as the latest attacks are addressed. Similarly, the choice of an external security coprocessor should be based on its ability to accommodate changing requirements. Security requirements change over time; they include the encryption/hashing algorithms, the number of concurrent VPN tunnels that must be supported and the overall secure bandwidth delivered.
Additionally, the two-chip architecture may be a more secure approach to designing a security appliance. The National Institute of Standards and Technology, a nonregulatory federal agency within the U.S. Commerce Department's Technology Administration, has defined security requirements for cryptographic modules, known as Federal Information Processing Standard (FIPS) 140-2, and has established a validation program against them. The standard is mandatory for U.S. federal agencies that use cryptography to protect sensitive but unclassified information, and it has gained wide acceptance among financial, legal and medical institutions concerned with conducting secure data communications and ensuring that consistent security design practices are in place.
The two-chip embedded architecture provides the cryptographic boundary that FIPS 140-2 requires. By isolating the cryptographic functions and keeping critical security parameters (keys, seeds, authentication data) in the external security coprocessor's internal memory, so that they never cross the boundary in plaintext, the design can be a candidate for the higher FIPS 140-2 security levels. Note that Levels 3 and 4 also impose physical requirements on the module, such as tamper evidence or tamper response and zeroization of plaintext parameters when the enclosure is breached, so the coprocessor alone does not secure the rating; what it does is make the boundary tractable to define and defend.
A single-chip architecture often will not meet the FIPS criteria, because it is difficult to partition the cryptographic functions and their keys away from the general-purpose operating system, which is the component attackers most commonly compromise. If one of the primary goals of the security appliance is to achieve a high level of security certification, those concerns must be addressed.
Once the hardware specifications have been settled, the next objective is to put together a software architecture that meets the goal of handling both today's and tomorrow's security requirements. Of course, there are several layers of security to consider. The figure above shows an example architecture that highlights the different security layers in the Open Systems Interconnection (OSI) model and how they map onto a proposed security appliance design. The figure below shows that different security protocols must be applied at almost every layer.
The embedded operating system is one of the most critical pieces to enabling a secure system. Operating-system flaws are one of the most popular routes for hackers to take when compromising a system and then the corporate network. There are several trade-offs to consider, however. Software engineers typically want to use a flexible operating system that can act as a generic platform to integrate new applications. On the other hand, security system architects want to use an operating system that emphasizes security. In fact, many companies that develop proprietary operating systems consider them the most valuable piece of intellectual property when developing a security appliance. Designers who decide to license their operating system will have to determine the most important security criteria for their designs.
A standard embedded open-source distribution is not enough these days to ensure that a system will be able to reject intruder attacks. Of course, open source does have an advantage in that a large community of developers is constantly on the lookout for security vulnerabilities and is trying to supply patches before they are exploited. Another choice is to start with a so-called security-hardened operating system that might have the disadvantage of costing more and being somewhat less compatible with off-the-shelf applications. These products try to compartmentalize the key functions in an attempt to deny hackers the ability to access more-sensitive services. Some vendors now supply upgraded versions of the embedded Linux operating system that meet the security-hardened criteria needed for such designs.
The software protocols are also an important piece of the equation, and their impact on the system design must be understood. The most frequently mentioned of these is IPsec. RFC 2401 describes three ways to implement it: natively, as a modification of the operating system's own TCP/IP stack; as a "bump-in-the-stack" shim inserted beneath the existing stack, which performs IPsec processing on outbound packets before they reach the network driver and on inbound packets before they reach the stack; or as a "bump-in-the-wire" device placed in the data path. A similar choice arises with the MAC-layer authentication standard, 802.1X, which is most often associated with the new WPA and 802.11i wireless-security initiatives but applies to wired as well as wireless networks. Some vendors bundle the authenticator within the operating system; others handle it at the application layer. 802.1X does not itself specify encryption, message integrity checking or message authentication; it specifies port-based network access control, in which a port forwards only authentication traffic until the attached device has authenticated. The authentication itself is carried by the Extensible Authentication Protocol (EAP), which admits a number of methods, so the security appliance architect will have to decide which EAP methods to support.
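As an added example (not code from the article or from IDT), the following C fragment shows the first decision an 802.1X authenticator makes on each frame arriving at a controlled port: validate the EAPOL framing and the EAP lengths against the bytes actually received, extract the EAP method type from a supplicant Response, and apply a method policy. The policy (Identity, EAP-TLS and PEAP accepted; MD5-Challenge refused) and the four frames are constructed for illustration and are assumptions, not a captured exchange; the field layouts follow IEEE 802.1X and RFC 2284/3748.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* EAPOL packet types (IEEE 802.1X) */
enum { EAPOL_EAP = 0, EAPOL_START = 1, EAPOL_LOGOFF = 2, EAPOL_KEY = 3 };
/* EAP codes and a few method types (RFC 2284 / RFC 3748) */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_SUCCESS = 3, EAP_FAILURE = 4 };
enum { EAP_T_IDENTITY = 1, EAP_T_NAK = 3, EAP_T_MD5 = 4, EAP_T_TLS = 13, EAP_T_PEAP = 25 };

enum parse_result { PR_OK, PR_TRUNCATED, PR_BAD_VERSION, PR_NOT_EAP, PR_BAD_LENGTH };
enum action { ACT_DROP, ACT_IGNORE, ACT_FORWARD, ACT_REJECT };

struct eap_msg {
    uint8_t code, id, type;      /* type is 0 for Success/Failure */
    uint16_t len;
    const uint8_t *data;         /* method-specific data, may be NULL */
    size_t data_len;
};

/* Parse "EAPOL header + EAP packet". Every length field is checked against the
 * bytes actually received before anything behind it is dereferenced. */
enum parse_result parse_eapol(const uint8_t *buf, size_t n, struct eap_msg *out)
{
    if (n < 4) return PR_TRUNCATED;
    uint8_t version = buf[0], ptype = buf[1];
    size_t body_len = (size_t)buf[2] << 8 | buf[3];
    if (version < 1 || version > 3) return PR_BAD_VERSION;  /* 2001/2004/2010 editions */
    if (ptype != EAPOL_EAP) return PR_NOT_EAP;               /* Start/Logoff/Key: no EAP PDU */
    if (body_len + 4 > n) return PR_TRUNCATED;               /* header claims more than we have */
    if (body_len < 4) return PR_BAD_LENGTH;
    const uint8_t *eap = buf + 4;
    out->code = eap[0];
    out->id   = eap[1];
    out->len  = (uint16_t)(eap[2] << 8 | eap[3]);
    if (out->len < 4 || out->len > body_len) return PR_BAD_LENGTH;
    out->type = 0; out->data = NULL; out->data_len = 0;
    if (out->code == EAP_REQUEST || out->code == EAP_RESPONSE) {
        if (out->len < 5) return PR_BAD_LENGTH;             /* Type octet is mandatory here */
        out->type = eap[4];
        out->data = eap + 5;
        out->data_len = out->len - 5;
    }
    return PR_OK;
}

/* Assumed appliance policy: Identity is needed to start any exchange; EAP-TLS and
 * PEAP authenticate the server as well as the client; MD5-Challenge is refused (no
 * server authentication, and the challenge/response is open to offline guessing). */
bool eap_type_allowed(uint8_t type)
{
    switch (type) {
    case EAP_T_IDENTITY: case EAP_T_TLS: case EAP_T_PEAP: return true;
    default: return false;
    }
}

/* Authenticator decision for one frame arriving on a controlled port. */
enum action eapol_action(const uint8_t *buf, size_t n)
{
    struct eap_msg m;
    switch (parse_eapol(buf, n, &m)) {
    case PR_NOT_EAP:  return ACT_IGNORE;   /* handed to the port state machine instead */
    case PR_OK:       break;
    default:          return ACT_DROP;     /* malformed: never reaches the EAP server */
    }
    if (m.code != EAP_RESPONSE) return ACT_DROP;   /* supplicants only send Responses */
    return eap_type_allowed(m.type) ? ACT_FORWARD : ACT_REJECT;
}

/* Constructed frames (not captured traffic). EAPOL: version 1, type 0, body length;
 * EAP: code, id, length, type, data. */
static const uint8_t frame_identity[] = {
    0x01, 0x00, 0x00, 0x0A,  0x02, 0x01, 0x00, 0x0A, 0x01, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t frame_md5[] = {
    0x01, 0x00, 0x00, 0x16,  0x02, 0x02, 0x00, 0x16, 0x04, 0x10,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t frame_truncated[] = { 0x01, 0x00, 0x00, 0x0A,  0x02, 0x03, 0x00, 0x0A };
static const uint8_t frame_start[] = { 0x01, 0x01, 0x00, 0x00 };

int main(void)
{
    static const char *names[] = { "drop", "ignore", "forward", "reject" };
    printf("identity:  %s\n", names[eapol_action(frame_identity, sizeof frame_identity)]);
    printf("md5:       %s\n", names[eapol_action(frame_md5, sizeof frame_md5)]);
    printf("truncated: %s\n", names[eapol_action(frame_truncated, sizeof frame_truncated)]);
    printf("start:     %s\n", names[eapol_action(frame_start, sizeof frame_start)]);
    return 0;
}
```

The truncated frame is the case worth noticing: its EAPOL length field claims ten body bytes while only four arrived, and a parser that trusted the field would read past the buffer. Rejecting the frame before it reaches the EAP server keeps that class of bug on the cheap side of the boundary.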
Firewall and intrusion-detection technology have been the most active areas of development in the security world. The goal of a firewall is to defend against attacks by executing a set of rules that permit or deny traffic between a corporate network and the public Internet. Today, with outside attacks having become much more sophisticated, a simple per-packet filter on addresses and ports is no longer enough. Stateful inspection firewall technology records the state of each TCP/IP connection, starting from the handshake, and checks every subsequent packet against that record: addresses, ports, flags and sequence numbers must be consistent with a connection the firewall has already seen opened from the permitted side. A packet that claims to belong to an existing connection but matches no table entry, such as an attacker sending packets with the ACK flag set to pose as mid-connection traffic, is dropped. Application-layer firewall algorithms take this one step further and follow the traffic all the way up to the application protocol (HTTP, FTP, SMTP) to detect unauthorized access.
The design impact is more software and more CPU cycles per packet. Similarly, intrusion-detection technology scans network traffic and flags suspicious activity against a set of predefined rules or signatures; again, these algorithms demand a great deal of horsepower, since payloads and not just headers must be examined. To implement these security technologies, and the more sophisticated versions that will follow, the security appliance architect will either have to include a higher-performance processor or specify a lower system throughput when these software modules are active.
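As an added example (not code from the article or from IDT), here is a minimal stateful inspection filter in C with a substring-rule intrusion check attached to the established state, to show concretely what "recording the state of each connection" buys and where the extra per-packet work lands. The addresses, ports, packet sequence and rule strings are constructed for the demo; a production implementation would also validate sequence windows, handle FIN teardown and age out idle entries.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

enum dir { OUTBOUND, INBOUND };          /* relative to the protected LAN */
enum verdict { DENY, PERMIT, ALERT };    /* ALERT: forwarded, but an IDS rule matched */
enum cstate { ST_SYN_SENT, ST_SYN_RCVD, ST_ESTABLISHED };

struct pkt { enum dir dir; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port;
             uint8_t flags; const char *payload; /* NUL-terminated text for the demo */ };
struct conn { bool used; uint32_t lan_ip, ext_ip; uint16_t lan_port, ext_port; enum cstate st; };

#define MAXCONN 64
static struct conn table[MAXCONN];       /* the connection state table */

/* Key entries on (LAN endpoint, external endpoint) so both directions hit the same entry. */
static struct conn *lookup(const struct pkt *p, bool create)
{
    bool out = p->dir == OUTBOUND;
    uint32_t lan_ip = out ? p->src_ip : p->dst_ip, ext_ip = out ? p->dst_ip : p->src_ip;
    uint16_t lan_pt = out ? p->src_port : p->dst_port, ext_pt = out ? p->dst_port : p->src_port;
    struct conn *slot = NULL;
    for (int i = 0; i < MAXCONN; i++) {
        struct conn *c = &table[i];
        if (!c->used) { if (!slot) slot = c; continue; }
        if (c->lan_ip == lan_ip && c->ext_ip == ext_ip &&
            c->lan_port == lan_pt && c->ext_port == ext_pt) return c;
    }
    if (!create || !slot) return NULL;
    *slot = (struct conn){ true, lan_ip, ext_ip, lan_pt, ext_pt, ST_SYN_SENT };
    return slot;
}

/* Constructed IDS signatures (not a real ruleset): substring match on the payload. */
static const struct { const char *name, *pattern; } rules[] = {
    { "http-dir-traversal", "/../" }, { "http-cmd-exe", "cmd.exe" } };

const char *scan_payload(const char *payload)
{
    if (!payload) return NULL;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strstr(payload, rules[i].pattern)) return rules[i].name;
    return NULL;
}

/* Policy: the LAN may open TCP connections outward; the Internet side may only send
 * packets that fit the recorded state of a connection the LAN opened. */
enum verdict filter(const struct pkt *p)
{
    bool syn = p->flags & TH_SYN, ack = p->flags & TH_ACK;
    struct conn *c = lookup(p, false);

    if (!c) {
        if (p->dir == OUTBOUND && syn && !ack) { lookup(p, true); return PERMIT; }
        return DENY;        /* inbound SYN, or a forged "mid-stream" ACK with no state */
    }
    if (p->flags & TH_RST) { c->used = false; return PERMIT; }   /* FIN teardown omitted */
    switch (c->st) {
    case ST_SYN_SENT:
        if (p->dir == INBOUND && syn && ack) { c->st = ST_SYN_RCVD; return PERMIT; }
        return DENY;
    case ST_SYN_RCVD:
        if (p->dir == OUTBOUND && ack && !syn) { c->st = ST_ESTABLISHED; return PERMIT; }
        return DENY;
    case ST_ESTABLISHED:    /* payload inspection is where the per-packet cycle count rises */
        return scan_payload(p->payload) ? ALERT : PERMIT;
    }
    return DENY;
}

/* Constructed traffic: a legitimate HTTP fetch (0-4), two forged inbound packets (5-6), then a
 * traversal attempt inside the legitimate connection (7). replay(n) returns the verdict for
 * packet n after replaying packets 0..n-1 from an empty table. */
enum verdict replay(int n)
{
    static const struct pkt seq[] = {
        { OUTBOUND, IP4(10,0,0,5), IP4(203,0,113,7), 40000, 80, TH_SYN, NULL },
        { INBOUND, IP4(203,0,113,7), IP4(10,0,0,5), 80, 40000, TH_SYN | TH_ACK, NULL },
        { OUTBOUND, IP4(10,0,0,5), IP4(203,0,113,7), 40000, 80, TH_ACK, NULL },
        { OUTBOUND, IP4(10,0,0,5), IP4(203,0,113,7), 40000, 80, TH_ACK, "GET /index.html HTTP/1.0" },
        { INBOUND, IP4(203,0,113,7), IP4(10,0,0,5), 80, 40000, TH_ACK, "HTTP/1.0 200 OK" },
        { INBOUND, IP4(198,51,100,9), IP4(10,0,0,5), 80, 40001, TH_ACK, "HTTP/1.0 200 OK" },
        { INBOUND, IP4(198,51,100,9), IP4(10,0,0,5), 1234, 22, TH_SYN, NULL },
        { OUTBOUND, IP4(10,0,0,5), IP4(203,0,113,7), 40000, 80, TH_ACK, "GET /../../etc/passwd HTTP/1.0" },
    };
    enum verdict v = DENY;
    memset(table, 0, sizeof table);
    for (int i = 0; i <= n && i < (int)(sizeof seq / sizeof seq[0]); i++) v = filter(&seq[i]);
    return v;
}

int main(void)
{
    static const char *names[] = { "DENY", "PERMIT", "ALERT" };
    for (int i = 0; i < 8; i++) printf("packet %d: %s\n", i, names[replay(i)]);
    return 0;
}
```

Packet 5 is the attack the stateful check exists for: its flags and ports look like the tail of an established HTTP session, and a stateless address/port filter that allows "replies from port 80" would pass it, but no handshake from the LAN side was ever recorded, so it is dropped. Packet 7 shows the cost side: only once a connection is established does the filter look into the payload at all, and that string scan is the part whose cycle count grows with the ruleset.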
Alex Soohoo is technical applications manager at IDT Internetworking Products Division (Santa Clara, Calif.).
See related chart