 Security DesignLine » Blogs

 


June 27, 2005
SECURE ROUTING: Branch gateway includes security, VoIP
By Loring Wirbel

Colorado Springs, Colo. — NetDevices Inc. will launch a gateway platform for branch offices this week that combines local and intersystem routing functions with security and voice-over-Internet Protocol duties. NetDevices hopes to subsume many firewall and intrusion-prevention functions in a platform priced at enterprise-router levels — $15,000 for the baseline configuration of the SG-8 Unified Services Gateway.

The SG-8 can serve as a Session Initiation Protocol (SIP) application gateway with quality-of-service shaping. Rob Haragan, co-founder and vice president of engineering, said NetDevices is betting that many sites that originally used soft switches based on the Media Gateway Control Protocol will "slim down" their VoIP support using a SIP gateway.

Two-year-old NetDevices, founded by veterans of Cisco, Redback Networks and Sonus Networks, employs more than 130, divided among sites in Sunnyvale, Calif., and the Indian cities of Bangalore and Hyderabad. The latter locations were critical in developing a proprietary Linux-based operating system, dubbed ModuLive, and a management system that monitors network performance independently of both the control plane and data plane.

The foundation for the 3U chassis of the SG-8 was an architecture that uses a custom services engine in which all packet operations take place in a single pass. Unlike many security appliances for intrusion prevention or virtual-private-network creation, the SG-8 performs firewall and IPsec decryption functions first. Back-end security functions, such as Web filtering and intrusion detection, take place via extraction and normalization of URLs to a common information base. Layer 3 routing takes place last, only after all security functions have been performed.

NetDevices has borrowed concepts from fault-tolerant operating environments like the Tandem Computers NonStop system to place multiple, independent services within separate user spaces on top of the Linux kernel. Individual software modules for routing, firewall, switching and other functions can be started and stopped independently.

The Lifeline resilient management environment uses out-of-band restoration of functions when denial-of-service attacks swamp the control and data planes. Management functionality can interface to common element management protocols using Simple Network Management Protocol or the Common Object Request Broker Architecture.

The RIP 1 and 2 routing information protocols are supported, as are long-haul routing protocols that operate among autonomous systems. IPsec-layer VPNs can be established using the Data Encryption Standard, Triple-DES or the Advanced Encryption Standard.

While plenty of new single-box security appliances and routing-security systems are arriving from startups, NetDevices marketing director Mark Weiner said that he still worries most about branch-office systems from Cisco, Juniper and Enterasys. Juniper's combination of resources from recent acquisitions could impinge most directly on NetDevices, but Weiner said his company still needs to see something concrete to assess the Juniper "infranet initiative" effort's competitiveness.

NetDevices' $14,990 baseline platform will ship with ModuLive V2.0 OS, a firewall, VPN, Phase 1 VoIP, routing, four-port T1/E1 interface and eight-port Ethernet switch. Additional line-card options will be priced separately, but Weiner said "$15,000 is the cost of a working system, not a simple chassis."
