DDoS Defense System's Core Platform
Corero Network Security's DDoS Defense System (DDS) product family draws its matchless detection capabilities and powerful performance from distributed denial of service-specific software built on Corero's powerful, extensible and flexible Core Platform. With Core Platform as its foundation, DDS leverages a DDoS-optimized realization of its unique First Line of Defense architecture. Corero's First Line of Defense® encompasses patented DDoS Defense algorithms and extensive rate-based protection mechanisms, stateful firewall filtering and malicious content protection, using Demerit Score and Requestor Behavioral Analysis, Acceptable Application Use and Stateful Protocol Analysis.
This unique combination of hardware and software technologies provide a highly effective, reliable and powerful on-premises DDoS defense solution that efficiently mitigates network layer and application layer Distributed Denial of Service attacks while allowing legitimate network traffic and web servers to function at normal levels.
Tilera Processor at the Heart
This platform, comprising a powerful Tilera 64-core processor and the CoreOS, is the foundation on which Corero developers and engineers have built and continue to build out a cohesive and integrated suite of network security products.
The ingenuity of the platform lies in an extremely powerful, yet elastic and flexible hardware appliance upon which Corero software developers have tightly integrated a highly optimized network security-specific hypervisor, which performs essential network security processing functions, including deep packet inspection and policy control.
By virtue of this architecture, Corero developers are provided granular control to assign optimal processing power from the 64 processor cores and to address targeted capabilities and their component application functions according to the requirements of the particular product.
Network security packet processing demands the power of massive parallel processing. However, this type of high-end processing is typically beset by resource management issues and performance bottlenecks that impede performance. Featuring 64 powerful cores operating in a mesh topology, Tilera processors utilize a unique cache management scheme to eliminate these problems. This is particularly critical in scaling modern network security applications in high-speed, high-volume environments. Security analysis through deep packet inspection requires processing packets not just as individual elements, but in the much broader context of flows and applications . All those processing cores, all of those packets and all that analysis have to be coalesced within a single coherent security policy.
This is particularly critical in scaling modern network security applications in high-speed, high-volume environments. Security analysis through deep packet inspection requires processing packets not just as individual elements, but in the much broader context of flows, applications and users. All those processing cores, all of those packets and all that analysis have to be coalesced within a single coherent security policy.
Limits of Alternative Technologies
Alternative custom processor-based solutions offer seemingly strong credentials, but typically fall short when it come to the delivery of timely and unified responses to the ever-changing demands of network security. Application-specific integrated circuits (ASIC) are functionally constrained by programming in hardware, rather than software, trading dedicated performance for flexibility. And, field-programmable gate array (FPGA) chips offer only limited flexibility. The extreme performance baked into specialized silicon is fine when the required security functions are limited, such as within a network firewall, but that's not how things are in the modern security environment. The scope of security and the threat landscape around our networks is vast, complex and changing, and the development of custom silicon simply cannot keep pace.
The Core Platform is a forward-looking and proven vehicle that delivers the power of custom silicon with the flexibility of software, giving Corero's Ninja developers the ability to respond rapidly to new demands in the rapidly changing network security environment.
CoreOS is the Intelligence
CoreOS is the software portion of the Core Platform, providing the essential foundation capabilities for network security processing, including packet handling, deep packet inspection and policy management, covered by the CoreOS through:
- Rate management of network through to application layer objects
- Policy enforcement through an integrated set of rules that spans all functions within CoreOS
- Packet analysis and validation, including protocol parsing and payload inspection
These three tightly integrated functional areas combine to perform the functional heavy lifting, and utilize a performance-oriented abstraction layer at the heart of CoreOS that "talks" directly to the mesh of 64 cores, leveraging Tilera's unique processing capabilities to minimize latency and maximize throughput.
By virtue of this architecture, Corero developers are provided granular control to assign optimal processing power from the 64 processor cores and to address targeted capabilities and their component application functions according to the requirements of the particular product. For example, Corero DDoS Defense System products require heavy emphasis on rate management to throttle the flow of attack traffic and allow legitimate traffic to flow freely, but still require packet analysis to differentiate between good and bad traffic. On the other hand, the Corero IPS product line, while offering a number of rate-based protections, requires a much greater portion of the appliance's resources to be devoted to packet analysis for malware and vulnerability detection and protection.
Clustering is also intrinsic to CoreOS, augmenting processing power, interface density or IO bandwidth, while allowing the physical devices in the cluster to behave and be managed as a single logical unit. The CoreOS cluster is designed for near linear performance scaling and provides highly available, resilient solutions with minimum management and topological complexity.
The result is DDoS Defense System, dedicated on-premises protection against the criminally and politically motivated Distributed Denial of Service attacks that threaten your business.