Company

Force10 Helps National Center for Computational Sciences Secure Data at Supercomputer Speeds

Working to build the world's largest unclassified supercomputer means pushing the envelope on all kinds of technologies. As the network task lead for the National Center for Computational Sciences (NCCS) at the Oak Ridge National Laboratory, Steven Carter has been tasked with securing several of the laboratory's 10 Gb/s circuits.

NCCS was established in 1992, and in 2004, was designated by the Secretary of Energy as the country's Leadership Computing Facility to provide a resource for unclassified research that is 100 times more powerful than current capabilities.

The challenge has been finding an intrusion detection/prevention system (IDS/IPS) that is capable of performing deep packet inspection at line-rate speed without affecting performance. "As the NCCS restructures its network to take advantage of the new 10Gb/s circuits added over the past year, it was important to find a solution that allows us to inspect and monitor traffic on our 10 Gb/s links with minimal impact on performance" says Carter.

Hitting the Numbers

Force10's P-Series cards perform stateful, wire-speed deep packet inspection and filtration of Gigabit and 10 Gigabit Ethernet traffic; each card can capture up to one million packets per second with only 1 microsecond of latency.

The high performance of the P-Series P10 card attracted Carter's attention. In addition, because the P-Series cards perform packet processing on board, they require significantly less processing power and memory from a host system. As a result, a single host can support multiple P10 cards.

"The cards are attractive because of their low CPU utilization," says Carter. "It is possible to put several cards in a single host allowing for low administrative overhead and a more reasonable incremental cost than other solutions."

Carter noted that the P10 differs from other high-speed IDS/IPS products he evaluated because they pull data up to the host's CPU for analysis. With this dependence on the CPUs, each 10 Gb/s circuit requires its own generously configured host.

Because the P-Series interfaces with the host operating system as a standard network interface card, it can seamlessly run a variety of standard application software, including open source network security and monitoring applications such as Snort. This openness provides IT with the flexibility to specify capture and filtering policies using public domain IDS signatures and standard monitoring libraries as well as to define site-specific rules. When a P-Series card captures packets, it presents them to the operating system as a standard NIC in promiscuous mode.

Staged Deployment

Following basic testing of the P10 to verify its performance characteristics, Carter plans to deploy them on the two main links to the NCCS network. As with the computing center itself, Carter expects his IDS/IPS deployment to evolve over time as he monitors more circuits and tries new configurations. With its commitment to high speed networking and security, Force10 will be there helping NCCS push the limits of IDS/IPS technology to meet its supercomputing needs.