New Juniper Networks Processor Takes On DOS Attacks

Juniper Networks Inc. Tuesday
introduced its next-generation Internet processor that will be put to work
thwarting denial of service attacks.

Juniper’s (JNPR)
application-specific integrated circuit (ASIC) Internet Processor II is
designed to break through performance limitations of current software based
approaches for load balancing, packet filtering and traffic shaping.
Internet service providers can scale their operations and service offerings
regardless of circuit speed or density.

MCI WorldCom Inc. plans to deploy the
new processor in March on a run between Chicago, New York and Washington,
D.C. Its UUNET subsidiary is
considering deploying Juniper’s ASICs in its entire router network while Metromedia Fiber Network Inc. subsidiary,
AboveNet Communications Inc., plans to
deploy Juniper Networks’ new ASIC capabilities within its global IP network
to strengthen security against denial of service attacks.

Vint Cerf, MCI WorldCom (WCOM)
senior vice president for Internet architecture and technology, said the
Juniper processor is more flexible than past IP solutions.

“While other routers have offered IP packet filtering, shaping and policing
in software in the past, the Internet Processor II offers even more
flexibility at little or no cost in terms of performance,” Cerf said. “The
ability to perform these functions at OC-192 wire speeds is unprecedented
in the industry.”

Managing some of the world’s leading Internet networks is a time-intensive
process. The Juniper ASIC allows network management to see into network
trends and traffic patterns. Because ASIC runs filtering processes without
diminishing router performance, Internet service providers can add
filtering and while maintaining peak network performance.

Mark Krause, UUNET director of network security, said that previously it
had to pay a performance penalty when UUNET turned on filtering software.

“By implementing sophisticated packet filtering capabilities in hardware
form, we are able to place filtering at the same priority level as
forwarding packets, without compromising performance for our customers,”
Krause said.

Paul Vixie, Metromedia Fiber Network (MFNX)
senior vice president for Internet services, said the firm is in pursuit
of security capabilities that could help to block and track DOS attacks to
protect customers from potential service disruptions.

“We have been building up security in our network against denial of service
attacks and unauthorized access to application servers, but lacked an
effective solution that let us apply complex filters and still maintain
wire-speed performance,” Vixie said. “The Internet Processor II is a
valuable new addition to our arsenal of preventive measures against DOS

Pradeep Sindhu, Juniper Networks chief technical officer, said the
processor breaks through past network performance barriers.

“The real uniqueness of the Internet Processor II lies in its ability to
perform wire-rate filtering at high speeds, from OC-48 and up to OC-192,”
Sindhu said. “By adding our new M160 Internet backbone routers using the
Internet Processor II to the core of their network, MFN can look forward to
blocking DOS attacks more effectively without compromising performance.”

Juniper’s new release enables IP packet filtering, sampling, counting, and
load balancing capabilities over high-speed networks. By deploying packet
filtering anywhere at any circuit speed in their network

s, service
providers gain flexibility to more efficiently manage the security of their

Sampling and logging give visibility into network trends and traffic
patterns at a detailed level, allowing better capacity planning and traffic
optimizations in high growth environments. Counting can be used for traffic
analysis while load balancing helps optimize the performance of existing
network links.

Juniper’s Sindhu said the high performance design of its Internet Processor
II has over 2.5 million gates, twice the size of its first generation
processing capabilities.

“Software based filtering on a given circuit tops out at approximately
200,000 packets per second,” Sindhu said. “The Internet Processor II can
filter at over 20,000,000 pps on a 10-gigabit per second OC-192 circuit.
This represents a 100-fold improvement over currently deployed solutions.”

The Internet Processor II was designed by Juniper Networks and fabricated
by IBM Microelectronics, a division of IBM Corp. (IBM).
The new capabilities of the processor are enabled by JUNOS 4.0, the sixth
release of Juniper Networks Internet software.

News Around the Web