White Paper

Nortel Networks
Alteon Switched Firewall

A Nortel Networks positioning paper

Executive summary
The Internet has become a vital resource for business of all sizes. E-mail is now a
mission-critical resource; sharing applications and data online with customers, partners,
and suppliers is becoming the standard way of conducting business.
However, opening access to a corporate network — especially to servers in the data center
— generates significant security concerns. A firewall is the most common way to implement
perimeter protection for corporate information assets. While traditional firewalls do
a great job of securing entry to a network or data center, today’s solutions introduce
performance bottlenecks. Until now, an enterprise or service provider had to chose between
implementing the highest levels of security with maintaining the performance required for
data center operations.
To address the challenges of security, performance, and management within data centers,
Nortel Networks has developed a next-generation security architecture called the Nortel
Open Security Architecture (OSA). OSA is a new paradigm for ultra-high-throughput
security with unmatched scalability and flexibility. It combines the performance of wire-
speed switching with the sophistication found in best-of-class security software solutions.
The first product released using this new architecture is the Nortel Networks Alteon
Switched Firewall. The Alteon Switched Firewall, integrating Check Point FireWall-1 Next
Generation, is specifically designed to provide a total solution that allows you to ensure
high levels of security without giving up the data center performance that is truly critical to
business success. The Alteon Switched Firewall optimizes capital investment by providing
what we call “high-performance security” at a significantly lower cost than traditional
solutions that require multiple firewalls. All this comes in a highly flexible solution that
is easy to integrate into existing data centers.

2 Alteon Switched Firewall System White Paper

Introduction
Firewalls come in various sizes and
capabilities, filling many specific network
requirements depending on their point
of use. For example, data centers require
firewalls with tremendous throughput
capacity, often well in excess of 1,000
Mbps. Broadband subscribers, on the
other hand, connect at speeds of one
Mbps or less. Nortel Networks has the
right firewall solution to suit these various
customer needs. For high-performance,
high-throughput firewalls used in
enterprise and service provider data centers,
the Alteon Switched Firewall integrating
Check Point FireWall-1 is the choice.
To date, implementing perimeter
protection security within a data center
has required tradeoffs among high security,
flexibility, and high performance. The
most secure solutions impose a bottleneck
within the data path. For high-speed data
centers, the only solution until today was
to implement multiple firewalls operating
in parallel, load-balanced by a Web
switch. Although this solution scales
to gigabit speeds, it requires spending
significant capital and often introduces
an added level of complexity to data
center management. Today, the economics
of enterprise and service provider IT
infrastructures require simpler, more
cost effective solutions that scale to new
performance levels.
The solution? The Nortel Open Security
Architecture (OSA). OSA is a new paradigm
for ultra-high-throughput security with
unmatched scalability and flexibility. It
combines the performance of wire-speed
switching with the sophistication found
in best-of-class security software solutions.
The Alteon Switched Firewall is the first
product designed following the principles
of the Open Security Architecture.
The Alteon The second generation of firewalls
Switched Firewall consisted of appliances that were created
to solve server-based firewall shortcomings.
Evolution of security These so-called appliances represented a
hardware technology
new architecture — a combination of a
Firewalls have been used for many years
dedicated hardware device paired with a
to protect access to networks. Firewall
more secure operating system. The firewall
architecture has changed over time to
appliance has one function only, and that
meet new requirements for security
is to function as a perimeter security
and performance. The first generation
device. Processing power is not shared
of firewalls, some of the earliest forms
with any other application. Increasingly,
of protection in the new Internet
firewall appliances have become the
environment, involved deploying firewall
dominant solution for securing networks
software on a general-purpose operating
and data centers. Despite their popularity,
system running on a workstation
appliances still present a scalability and
or server. The firewall function often
manageability challenge. As traffic grows,
was one of many applications running on
the firewall appliance becomes a bottleneck
the device. As traffic volume grew and the
within the data path. The addition of
sophistication of Internet users improved,
other firewall appliances, load-balanced
problems with this firewall architecture
by a Web switch, allows for scaling and
emerged, such as security holes in
management of traffic distribution and
general-purpose operating systems and
sessions across multiple firewalls; however,
poor performance under moderate traffic
at a certain point this solution becomes
demands. It was time for an evolution to
untenable from throughput, management
the second generation in firewalls.
and cost perspectives. It is now time for
the next evolution in firewall architecture.
Figure 1: Contrast between traditional firewall architecture
and the Alteon Switched Firewall.
Traditional Firewall Appliances Alteon Switched Firewall
Scale Using Switches for Firewall Simplifies Configuration and
Load Balancing Management
Alteon Web Switches for Alteon Switched Firewall
firewall load balancing
Traditional
Firewall
Appliance
Alteon Web Switches for Alteon Web Switches for
server load balancing server load balancing
Alteon Switched Firewall System White Paper 3
The third-generation switched firewall
architecture takes the best of second-gen-
eration appliances and adds the scalability,
manageability, and performance of
switching – meeting key requirements
of the high performance IT data centers
(see Figure 1). The OSA-based Alteon
Switched Firewall is the first of this new
generation of firewall architecture. The
Alteon Switched Firewall System provides
multi-gigabit firewall performance for
data centers that require this level of
throughput and state-of-the-art filtering
in order to secure and safeguard servers.
Using the innovative OSA architecture,
the Alteon Switched Firewall System
overcomes the traditional performance
degradation that occurs with deep packet
inspection. This switch-accelerated firewall
solution not only increases throughput
performance to multi-gigabit speeds,
but also improves the flexibility and
manageability of the firewall function.
Firewall policies are controlled from a
dedicated appliance while high performance
comes from the addition of wirespeed
Layer 4-7 switching technology.
Alteon Switched
Firewall Architecture
Following the principles of OSA,
the Alteon Switched Firewall is a multi-
component solution that is managed
as a single system. It combines the traffic
management functionality of Web
switching with the firewall function
of one or more dedicated appliances,
providing unmatched levels of network
manageability and performance. The
cornerstones of this new architecture are:
• Nortel Networks Alteon Web
Switching technology
Figure 2: Alteon Switched Firewall accelerates session packets.
Traditional Firewall Solution Alteon Switched Firewall System
Secure Data Center Secure Data Center
Security
Revolution
90% of all packets Switched
are accelerated Firewall System
Un-Secure Internet Un-Secure Internet
• Nortel Networks Alteon appliance boosted by the acceleration of these
platform subsequent packets in a session because
• Nortel Networks Single System Image these packets are processed by the
(SSI) automatic configuration capability wirespeed switching fabric.
Based on typical session composition,
• Nortel Networks patent-pending
users will find that nine of every ten
interface technology, the Nortel
packets are accelerated — for a throughput
Appliance Acceleration Protocol (NAAP)
improvement of nearly ten times that of
• Check Point Software Technologies’
traditional firewall appliances — while
FireWall-1 Next Generation security
still maintaining full security (see Figure 2).
application and SecureXL performance
architecture Each component of the Alteon Switched
Firewall has a specialized function.
Traditional firewall appliance architectures
integrate the policy control and forwarding
The Alteon Switched Firewall Director,
running FireWall-1, performs policy
functions of an in-line data processing
checking for every new connection
device. Scalability is achieved through
request, manages the connection table,
the use of multiple firewalls load-balanced
and specifies the rules for handling
by a Web switch. In contrast, the Alteon
subsequent packets in a session. While
Switched Firewall separates the control
a session is active, policy checking for
and forwarding functions. A dedicated
packets is managed by the Alteon
firewall appliance — the Alteon Switched
Switched Firewall Accelerator at blazing
Firewall Director — runs Check Point’s
speeds. As traffic and the number of
Firewall-1 Next Generation application.
policies grow, additional Alteon Switched
The Alteon Switched Firewall Director
Firewall Directors can be paired with a
handles the control functions of policy
single Alteon Switched Firewall Accelerator.
management, session acceptance, session
management, etc. However, once the
first packet in a session passes through
the inspection engine, rule checking
and packet forwarding are offloaded to a
high-speed switch, the Alteon Switched
Firewall Accelerator. Throughput is
Alteon Switched Firewall System White Paper 4
The Nortel Appliance Acceleration
Protocol (NAAP) controls and manages
the interface between the devices. NAAP
is a communication protocol that simplifies
management and centrally enforces
security between the Switched Firewall
Accelerator and Switched Firewall
Directors, providing integrated
communication and acceleration of
the interface function.
This breakthrough hardware acceleration
architecture — the sharing of the
connection tables and separation of
the control and forwarding planes —
represents a paradigm shift that is similar
to the movement from routing to Layer 3
switching. Extracting the forwarding
function out of the software and processing
it on a specially-purposed ASIC was the
basis of the LAN routing-to-Layer 3
switching market paradigm shift. Nortel
Networks is accelerating perimeter security
in a similar fashion with the Open
Security Architecture and the Alteon
Switched Firewall. Not only does the
specialized forwarding function improve
firewall throughput performance, but
additional acceleration comes from
the automatic offload of CPU-intensive
network address translation (NAT) to
the Alteon Switched Firewall Accelerator.
NAT has always been a CPU drain for
firewalls. By offloading this function
to the exceptionally powerful processing
on the Alteon Switched Firewall
Accelerator, the firewall appliance (Alteon
Switched Firewall Director) is not wasting
valuable CPU resources performing
NAT functions.
5 Alteon Switched Firewall System White Paper
Multiple Switched Firewall Directors The acceleration capabilities of
can be teamed with one Switched Firewall the Nortel Networks Open Security
Accelerator. NAAP creates a Single Architecture can be extended to other
System Image as the first Alteon Switched security technologies, such as intrusion
Firewall Director is configured. detection systems, virus scanning, content
Adding additional Directors is a simple filtering and virtual private networks.
plug-and-play operation as the device is Nortel Networks higher-end switching
automatically recognized and the system platform rides the switching performance
image created. curve and scales to incredible performance.
The Alteon Switched Firewall is the first
Benefits of the Alteon
product released using this innovative
Switched Firewall
OSA architecture. The result is a firewall
Nortel Networks’ revolutionary Alteon
that delivers in excess of 3 Gbps through-
Switched Firewall system enables service
put and supports up to 32,000 new
providers to deploy current and future
connections every second with over
high-margin managed security services
500,000 concurrent connections —
over a cost-effective and flexible infra-
performance that is unmatched
structure. With its innovative architecture
in the industry.
and plug-and-play provisioning of firewall
resources, the Alteon Switched Firewall
allows service providers to reduce capital
expenditures due to the Nortel Networks
Open Security Architecture’s “pay as your
traffic grows” flexiblity.
The Alteon Switched Firewall provides
the best price/throughput ratio on the
market, making it the best choice for
performance-hungry networks.
Operation costs are minimized because
administrators no longer must configure
each firewall as added. The first firewall
can be provisioned in minutes using a
GUI-based configuration wizard. The
Single System Image replication and
management wizard capabilities of the
Alteon Switched Firewall System makes
adding new Alteon Switched Firewall
Directors a plug-and-play operation.
For more information, contact your Nortel Networks representative or call 1-800-4-NORTEL
(1-800-466-7835), or 1-506-674-5470 outside of North America.

www.nortelnetworks.com
United States Europe, Middle East, and Africa
Nortel Networks Nortel Networks EMEA, S.A.
4401 Great America Parkway Les Cyclades-Immeuble Naxos
Santa Clara, CA 95054 25 Allee Pierre Ziller
1-877-655-2ASK Valbonne, 06560 France
Canada 00-800-8008-9009**
Nortel Networks 44(0)-20-8920-4618
8200 Dixie Road, Suite 100 Asia Pacific
Brampton, Ontario Nortel Networks
L6T 5P6 Canada 27/F City Plaza One
1-800-466-7835 1111 King’s Road
Caribbean and Latin America Quarry Bay
Nortel Networks CALA Inc Hong Kong
1500 Concord Terrace 852-2100 2888
Sunrise, FL 33323-2815
954-851-8000 **Number accessible from most European Countries

Copyright © 2001 Nortel Networks. All Rights Reserved.

*Nortel Networks, the Nortel Networks logo, and the Globemark, are trademarks of Nortel Networks. All other trademarks are the property of their
respective owners. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors or
omissions that may appear in this document.
94013.25/01-02