Foundry NetIron MLX

High-Performance Seven-Layer Network-Wide Security, With Security Traffic Managers and Secure LAN Switches

SecureIron Traffic Managers

Organizations increasingly rely on IP networks to deliver applications that are critical to business productivity and profits. Securing this infrastructure against debilitating attacks from malicious users is necessary to ensure sustained business operations. Mobility, convergence, and Web-centric applications are rendering centralized security models ineffective. Today, organizations require distributed, network-wide, security architectures to protect against threats from outside the network and to minimize vulnerabilities inside the network. Furthermore, the line between Internet and intranet is fading fast as users become more mobile and less identifiable. In such an open infrastructure, the threats are not concentrated at a single entry point at the network perimeter, but are network wide. Attacks are also becoming more sophisticated and exploiting application-level vulnerabilities to cripple critical IP services.

The Foundry Networks® SecureIron™ traffic managers deliver high-performance Layer 2 through 7 switching and security, enabling organizations to achieve a highly secure and scalable network and application infrastructure. These security traffic managers are designed to protect against network- and application-layer threats network wide—at the network perimeter, inside the data center, and within the enterprise LAN. The SecureIron traffic managers are specially built for inline networkwide deployment to provide perimeter-like security enforcement inside the LAN against threats within the enterprise network. The SecureIron traffic manager family comprises two performance models: SecureIron 100 and SecureIron 300. Foundry’s SecureWorks™ software suite powers the SecureIron, protecting the network and applications against high-speed attacks.

The SecureIron traffic managers enforce highly customizable security policies and prevent intrusions, transparently protecting against attacks targeting any IP application. These switches also feature specialized security protection for Web, Domain Name System (DNS), Voice over IP (VoIP), Session Initiation Protocol (SIP), and e-mail applications.

Key Features and Benefits

• Networkwide security—Purpose-built, high-performance, high-availability, networkwide security traffic manager
• Seven-layer security—Highly advanced, seven-layer security for protection against emerging application threats
• Intrusion prevention—High-performance intrusion prevention that includes highly customizable signatures
• Application rate limiting—Granular application rate limiting to prevent attacks and abuse of critical resources
• Application-specific protection—Application-specific protection for Web, DNS, SIP, VoIP, and e-mail attacks, including network-based spam mitigation
• DoS protection—Superior denial of service (DoS) protection against SYN flood attacks up to 3.6 million SYN/sec (wire speed 2.5 Gbps) and support for more than 30 DoS signatures
• Traffic monitoring—Always-on real-time traffic monitoring with standards-based hardware-assisted sFlow
• Stateful capacity—Industry’s highest stateful capacity, supporting as many as 5 million concurrent flows
• Stateful security—Stateful security with high availability and hitless failover for zero enforcement downtime
• Firewall clustering and availability—Highly transparent firewall clustering and high availability to scale firewall performance
• Firewall offload—Firewall offload includes support for wire-speed access control lists (ACLs), high-performance, stateful IP Network Address Translation (NAT), and advanced DoS
• Scalability and high performance—Choice of performance models that are scalable to multi-Gigabit secure throughput

SecureIron Platform Highlights and Benefits

• Modular design—Highly modular and resilient design with future port expandability and performance upgradeability
• Redundant power supplies—Support for redundant, hot-swappable, and front- serviceable power supplies
• Hot-swappable modules—Hot-swappable modules and expansion slots for hot- pluggable management and line modules to add performance and port density
• Dual-management modules—Optional second active management module for redundancy and doubling the performance
• Integrated SSL traffic security—Optional service module future upgrade to add integrated and scalable security enforcement on Secure Sockets Layer (SSL)-encrypted traffic
• Investment protection—A unique platform to meet current and future needs for features, performance, and scalability
• Reliability—Resilient switching and routing foundation with advanced ASIC-based architecture and highly reliable embedded real-time operating system
• Flexible connectivity—Copper and fiber gigabit media options, and support for high-density gigabit over copper

SecureIron Traffic Management Solutions for Network Wide Security

Foundry's SecureIron is uniquely designed to meet the demands of multi-gigabit traffic rates and the diverse needs of many organizations, including enterprises, service providers, and managed security providers to achieve seven-layer security, network wide. The SecureIron is well suited for deployment at the network perimeter, inside the LAN, and within the data center to protect against threats from external and internal users.

Perimeter Security Solution
Organizations have relied on firewall solutions at the perimeter to manage and control access to specific resources and applications inside the network. Now organizations can cap their firewall investment and extend the life of these devices by using the SecureIron traffic managers as a front end to the firewalls.

The SecureIron traffic managers augment the firewalls, delivering high-performance protection against not only network-layer and DoS attacks, but also against application-level attacks carried in seemingly legitimate traffic. Additionally, the SecureIron offloads firewalls by relieving them of IP NAT and access control functions. To scale firewall performance, the SecureIron offers a high-availability firewall clustering solution. The end result is more robust perimeter security protection and life extension of firewalls for maximum return on investment.

Data Center Security Solution
Every organization’s most critical application, server, and storage infrastructure resides in the data center, and these assets are the high-value targets of most attacks and malicious exploits. The SecureIron traffic managers go beyond the network-layer protection offered by most firewalls, blocking threats and attacks against applications and application data. Using innovative, hardware-assisted DoS protection solutions, the SecureIron protects server farms from multi-gigabit TCP attacks. Additionally, the switches use highly customizable application-layer filters to block malicious messages and content from reaching the servers. The SecureIron includes application-specific signature definitions and policy enforcement for Web, DNS, VoIP, and e-mail applications.

Internal LAN Security Solution
Network users and host machines inside the LAN have long been considered to be safe and trusted. As these users become diverse, more connected, and increasingly mobile, the trust boundary no longer extends to the edge of the network. The LAN edge is essentially as untrusted a source for threats and attacks as the network perimeter connecting to the Internet.

Foundry’s SecureIron traffic managers provide seven-layer protection to traffic entering and leaving the enterprise LAN edge. They also offer the edge devices superior protection from network-originated attacks, and vice versa. With the advanced layer 2/3 switching and routing foundation, the SecureIron traffic managers are well suited for inside-the-LAN deployment.

Performance is a key consideration when deploying security solutions inside the LAN because of the high-bandwidth links and their usage. To optimize network and service performance while enforcing needed security policies, the SecureIron traffic managers can be deployed either inline (see Figure 4) or as one-arm (see Figure 5).

Inline implementation is suited for networks that require all traffic to be inspected and subject to security policy enforcement. Performance-sensitive networks can benefit from segmenting the traffic into trusted and untrusted flows, and diverting only untrusted flows to the SecureIron to security policies on these flows. With the choice of these options, Enterprises can achieve an optimal balance of performance and security protection.

SecureIronLS LAN Switches

SecureIronLS LAN switches are the industry’s first and only secure LAN switches that deliver dedicated, multi-layer security to high value users and servers that host key business applications. The family features pre-equipped port configurations with a choice of high density 10/100 Mbps and Gigabit Ethernet options, with fiber Gigabit and 10 Gigabit Ethernet uplinks.

SecureIronLS Series:

• SecureIronLS 100-4802
• SecureIronLS 100-32GC02
• SecureIronLS 300-32GC02
• SecureIronLS 300-32GC10G