Intel® PRO/1000 PT and PF Quad Port Bypass Server Adapters for ...

Technology Brief Intel® PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server AppliancesIntrusion Prevention Servers andBusiness ContinuityCyber attacks on enterprise networks continue to increasein variety, frequency, and intensity. Worms, viruses, Trojanhorses, denial of service (DoS), identity theft, and otherattacks cost businesses worldwide an estimated USD 100billion annually. As a result, enterprises are becomingincreasingly proactive in combating cyber attacks. In turn,this has led to an increased demand for the protectiveadvantages of network integrated security appliances(ISAs), particularly those that deal with attacks beforethey even enter the network.Increasingly, enterprises are turning to ISAs that arespecialized security servers located at the networkgateway to stop attacks at the network edge. One classof such servers is the intrusion detection server (IDS).An IDS sits at the edge of the network or at criticalsubsegments and monitors all network traffic foranomalous data conditions indicating a possible attack.A more proactive approach, however, is the intrusionprevention server (IPS), which not only detects but alsoblocks or prevents intrusions. Even more recently, securitybegan moving to the network core with internal securitygateways to prevent attacks from inside the network.Rather than residing to the side of the network on a spanor tap like an IDS, an IPS resides in line with the network’scritical path (see Figure 1). This allows the IPS to monitorall network traffic flow and to detect and block trafficanomalies in real time using Layer 2 through Layer 7signature-based and protocol-based analysis.From a network performance viewpoint, the key concernswith the IPS approach are its in-line and real-timerequirements. To be real-time or near real-time, the IPSnetwork connection must have high bandwidth andminimum latency. Moreover, because it is in line with thecritical path, the IPS must be able to fail safely; otherwise,an IPS failure or instability could bring down the entirenetwork. To address these concerns, Intel has designed afamily of Gigabit Ethernet (GbE) quad port bypass serveradapters specifically for intrusion prevention servers andother in-line appliances. These server adapters—the Intel®PRO/1000 PT Quad Port Bypass Server Adapter forIntel® PRO/1000 PTDual PortServer AdapterIntel® PRO/1000 PTDual PortServer AdapterIntel® PRO/1000 PT Quad PortBypass Server Adapter (for fiber)orIntel® PRO/1000 PF Quad PortBypass Server Adapter (for copper)DepartmentWorkgroupServersIntrusionPreventionServerWorkgroupSwitchWorkgroupSwitchThe WANOutside InternetConnectionRouterDepartmentWorkgroupServersIntel® PRO/1000 PTDual PortServer AdapterIntel® PRO/1000 PTDual PortServer AdapterFigure 1. Intel® PRO/1000 PT and PF Quad Port Bypass Server Adapters provide high-performance, fail-safe Gigabit Ethernetconnectivity for intrusion prevention servers.3

Figure 2 further illustrates this bypass operation. The topillustration shows a pair of ports on the Intel PRO/1000PF Quad Port Bypass Server Adapter operating in thenormal in-line mode, and the illustration on the bottomshows the adapter switches in bypass mode. The bypasscircuit operates even in the absence of power so that thenetwork connection is always maintained, even with theserver powered down. Additionally, IT managers canprogram bypass mode to enable it for testing or to disableit to turn the adapter into a standard GbE server adapter.PCI Express, Quad Port GbE Connectivityfor Higher BandwidthUse of a quad port GbE adapter for any server—andespecially IPSs—is particularly advantageous. Quad portPCI Express (PCIe) server adapters provide four networkconnections from a single server slot, thus conservingserver slots for other applications while taking full advantageof the bandwidth provided by the new PCIe x4 slots. Justas important, the multiple GbE ports allow traffic capacityto be increased through various techniques, includingteamed links or ports and network segmentation.In the case of an IPS, at least two ports are required tosupport IPS in-line operation. One port provides the“outside” connection to the network or segment edge.Traffic from this outside port passes into the IPS and theIPS analyzes the traffic for anomalous conditions. Thesanitized traffic then passes from the IPS through thesecond, “inside” port to the network under IPS prevention.In the case of the Intel PRO/1000 PT and PF Quad PortBypass Server Adapters, four ports are provided. There aretwo “outside” ports and two corresponding “inside” ports.This allows essentially a doubling of GbE traffic capacityby allowing the IPS to protect two links or networksegments at once. This is illustrated in Figure 1, whereone IPS receives incoming traffic off two links from therouter and passes the “protected” traffic to two differentworkgroup switches.To help ensure availability of the full bandwidth potentialof GbE connectivity, the Intel PRO/1000 PT and PF QuadPort Bypass Server Adapters use the PCIe architecture forserver I/O, rather than the PCI or PCI-X bus. As opposed tothe PCI or PCI-X shared, multi-drop, parallel-bus structure,the PCIe interface is a dedicated point-to-point serial buswith a unidirectional raw bandwidth of 2.5 Gigabits per

Technology Brief Intel® PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliancessecond (Gbps) for a x1 (“by one”) bus lane. The IntelPRO/1000 PT and PF Quad Port Bypass Server Adaptersare scaled up to x4 PCIe lanes, providing four times thebus bandwidth of a single (x1) PCIe lane.Also, PCIe lanes are bi-directional: a transmit path and areceive path allow simultaneous transmission andreception. In contrast, PCI and PCI-X are limited to eithertransmitting or receiving at any given time, which injectslatency when a transmit process is forced to wait fora receive process to complete before transmitting.Such latency does not occur with PCIe because it isbi-directional, and the adapter does not have to contendwith other devices for the bus.Another feature critical to in-line appliances is the abilityto handle the full traffic flow of the network withoutadding latency, especially for the small data packetstypical of network front ends. To verify capability for this,Intel tested the new Intel® 82571GB Gigabit EthernetController used in the Intel PRO Quad Port Bypass ServerAdapters with a special hardware performance driver ina stackless loop-back mode. At 64-byte packets andlarger, Intel measured on both ports simultaneously a fullbi-directional wire-speed line rate (measured as packetsper second) and bit-stream and payload throughputs up tothe theoretical maximum. This gives the Intel PRO/1000PT and PF Quad Port Bypass Server Adapters thepotential for providing the best possible small-packethardware performance for optimizing in-line applianceapplications.Intel® I/O Acceleration Technology MovesNetwork Data More EfficientlyThe Intel PRO/1000 PT and PF Quad Port Bypass ServerAdapters also incorporate the new Intel I/OAT. Intel I/OATis an evolving platform-wide technology that movesnetwork data more efficiently through Dual-Core IntelXeon processor-based servers for fast, scalable, andreliable networking. It improves network applicationresponsiveness by unleashing the power of Intel Xeonprocessors through more efficient network datamovement and reduces system overhead, plus it scalesseamlessly across multiple Ethernet ports.Intel I/OAT addresses all segments of the server I/Obottleneck problem and does it by using TCP/IP withoutrequiring any modification of existing or futureapplications. The system-wide network I/O accelerationtechnologies applied by Intel I/OAT are summarized inFigure 3 and include network flow affinity, asynchronouslow-cost copy, and improved TCP/IP protocol with anoptimized TCP/IP stack.In the Intel PRO/1000 PT and PF Quad Port Bypass ServerAdapters, Intel I/OAT is supported through packet-orientedroutines that provide header splitting and interruptmoderation. Header splitting separates the TCP/IP packetheader and payload for faster processing of each onseparate, parallel paths. Interrupt moderation collectsinterrupts at the adapter and only interrupts the CPU tohandle a larger set of packets at a time.Optimized TCP/IPprotocol stack withenhancementsServer with Intel® I/O Acceleration TechnologyBalanced networkprocessing on multipleCPUs with networkflow affinityEnhanced direct memoryaccess with asynchronouslow-cost copyNetworkData StreamFigure 3. Intel® I/OAT moves network data more efficiently through Dual-Core Intel® Xeon® processor-based servers.6

Technology Brief Intel® PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server AppliancesBoth header splitting and interrupt modulation provide forgreater packet handling efficiency through the adapter.The result is greater throughput, and this can be furtheramplified when Intel PRO/1000 PT and PF Quad PortBypass Adapters are used with the Intel I/OAT capabilitiesof Dual-Core Intel Xeon processor-based servers.NIC-in-Front Access to LAN I/O PortsBecause of the critical nature of IPS and other in-lineappliances to the enterprise network, IT managers mayperform frequent monitoring of the NIC I/O ports. To makethis easier, bypass adapter versions are available with NIFaccess to the LAN I/O ports. NIF provides a front-panelconnector and the corresponding light-emitting diode(LED) and cable assemblies to allow port access and LEDdisplays at the front of the server, while the adapterremains in the rear of the chassis in a standardmotherboard.These new adapters are the world’s first native PCIe quadport bypass adapters, and they join a long line of Intelfirsts in NIC technology, including the world’s first 10 GbEadapter. Like all of the GbE adapters in Intel’s broadproduct line, the Intel PRO/1000 PT and PF Quad PortBypass Server Adapters are supported by open-sourcedrivers that reflect the extensive engagement Intelmaintains with the open-source community. In fact, OpenSource Linux* and FreeBSD* reference drivers are availableon request for integration into your solution.For more information on Intel® PRO/1000 PTand PF Quad Port Bypass Server Adapters forin-line server appliances, contact your IntelSales Representative or visitwww.intel.com/go/bypassadaptersSafe and Easy IPS ConnectivityThe Intel PRO/1000 PT and PF Quad Port Bypass ServerAdapters provide safe and easy in-line applianceconnectivity, because they are designed to meet in-lineappliance needs with multiple GbE ports for in-lineconnectivity and a fail-safe bypass mode. Additionally,these adapters supersede PCI and PCI-X with the muchfaster third-generation PCIe serial bus for greaterthroughput, and they use Intel I/OAT for furtherperformance enhancement, including the reducedoverhead so important to IPS applications.7

Copyright 2006 Intel Corporation. All rights reserved. Intel, the Intel logo,©Intel. Leap ahead. and Intel. Leap ahead. logo, and Xeon are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the UnitedStates and other countries.*Other names and brands may be claimed as the property of others.Printed in USA 0606/BY/PMS/PP/1KOrder Number: 313587-001US