Pervasive Inspection
Security Function Offloading
Perimeter Defense
1. Any-to-Any Delivery
1.1 Each interface can be INPUT or OUTPUT
1.2 1-to-many, many-to-1, many-to-many
1.3 To any selected interface after filtering
2. Advanced Distribution
2.1 Filter Processor - Composed of a set of rules with AND / OR operation - Session-based filtering and packet-based filtering - L2-L4 header filtering rule: MAC address, Ethertype, VLAN ID, IP range, TCP/UDP port…
2.2 DPI-enabled Filter Processor - L4-L7 Pattern-based filtering - Pattern format: HEX, ASCII strings and Regular Expression
2.3 Tunnel-awareness filter - Apply all filtering rules on in-tunnel packets where GRE / VxLAN / QinQ / MPLS - Tunnel ID (ERSPAN/X-tunnel) filtering
2.4 Processor Chain - User-defined graphs of Filter Processors
3. Out-of-band Load balance
3.1 Same Dst IP / Src IP / Dst Port / Src Port sticky to same egress ports
3.2 Same 5-tuple hash sticky to same egress ports
3.3 Delivery HA: Re-distribute to link-up egress ports
3.4 Balance port groups: Max 8 egress ports
4. Packet Engineering
4.1 Tag removal: MPLS / VLAN / QinQ…
4.2 Unpacking Tunnel
(Tag removal and re-encapsulation):
GRE / GTP / ERSPAN / NvGRE / VxLAN
4.3 User-defined VLAN tagging for input packets or output packets
4.4 Packet Deduplication
5. Monitoring Network Virtualization
5.1 GRISM to GRISM tunnel
5.2 Encapsulation: GRE, VxLAN, ERSPAN, X-tunnel
6. Network Traffic Intelligence Extraction
6.1 Generate Netflow V5 / V9
6.2 Generate HTTP log
6.3 Generate DNS log
7. Sensitive Data Protection
7.1 Packet slicing - Preserve N bytes - Remove TCP / UDP payload
7.2 Data mask - Replace sensitive data segment in TCP / UDP payload - Data segment can be defined in regular expression
8. In-Line Aggregation and Re-Distribution
8.1 N network links X M monitoring links (N X M)
8.2 In-line session-based load balance with HA strategy
8.3 Intelligent content-based bypass - IP address List - User-defined pattern in regular expression
9. PCAP File Prcoessing
9.1 Stream snapshot in PCAP format
9.2 Filter PCAP files with timestamp persistance
9.3 Remote recording agent over L2-L4 switch
10. Telecom Correlation Processing
10.1 Mobile 3G / LTE data netwok - Filter GTP-C / GTP-U by IMSI/IMEI - Subscriber-based load balance
10.2 Fixed ISP network - Filter user-plane packets by RADIUS ID - subscriber-based load balance
11. Virtual Machine Traffic
11.1 VM traffic redirection by GRISM-V (as a VM instance)
11.2 Supporting environment - KVM - VMware ESXi / vSphere
12. System Control and Operation
12.1 Web GUI agent for authenticated users
12.2 Advanced Control - XML script over HTTP
12.3 Management protocol: Telnet, HTTP, SNMP V2
13. Front-line Security
13.1 Massive Blocking - IP / Domain / URL - Max 2,000,000 entries
13.2 3rd party threat intelligence import