A global leader in enterprise firewalls and a customer of Lanner was faced with the challenge of creating a firewall for the telecom market that could provide 20 Gbps IPS throughput, support up to 100 Gbps firewall throughput, be easily upgraded, and at the same time be offered at an entry-level price.

After working closely with Lanner, the end result was the breakthrough FX-7210 product, which, because of this project, can now be found in datacenters worldwide.

The FX-7210 successfully combined the multi-core capabilities of the high-performance Intel® Xeon® processors with RISC-based network processing technology for optimal network throughput. This combination is a powerful all-in-one appliance platform that can be used for a wide range of firewall applications such as IPS, IPsec VPN, antivirus, email security and much more.

The project also gave birth to a new product line at Lanner: the FX-7000 Series.

The Challenge

One of the most common integrated features in enterprise firewalls these days is the intrusion prevention system (IPS). The challenge with IPS is that it requires deep packet inspection (DPI), which means heavy processing requirements. The most efficient way of dealing with this processing is by using high-end x86 processors. However, RISC processors offer better network throughput performance. Building a cost-effective network appliance that combines high throughput and powerful DPI therefore relied on the ability to combine these two technologies into one appliance.

For this application, the needs of the telecom market also had to be considered. In addition to compliance with NEBS and FIPS, the telecom market requires extremely low system downtime. The system therefore had to have solid redundancy features and also be very easily upgraded in the field to deal with ever-increasing throughput requirements.

The Solution

At first look, the requirements made it look like an Advanced TCA platform would be necessary. But using ATCA would not allow the system to meet its cost target. Hot-swapping of the motherboards was also not necessary, so ATCA was ruled out.

The solution was to start from scratch and design a modular network appliance chassis with many of the same benefits as ATCA, but with the ability to use standard Lanner network appliance motherboards that could be connected together with a backplane. Then a selection of I/O blades was created. Three of these blades could be inserted into the appliance to get the exact number and types of LAN ports required. Using the 12-port Gigabit Ethernet copper or fiber card, a maximally configured appliance offers up to 36 Gigabit Ethernet ports. Alternatively, by using the 4-port 10 Gigabit Ethernet card, this appliance supports 10 Gigabit Ethernet on 12 ports. This product concept became the foundation for the FX-7000 Series.

For the combined firewall and IPS appliance, the two motherboards of the FX-7210 were sufficient. For the x86 board, a recent Lanner board that could support two Intel® Xeon® 5600 processors was chosen. This could easily handle the extensive processing that was required. For the RISC network processing motherboard, the customer wanted to use their own custom design. This was not a problem, as Lanner handled the board-level manufacturing of the customer’s board.

The Result

The final product offers more than 20 Gbps IPS throughput and 100 Gbps firewall throughput, and can be easily upgraded when more powerful motherboards are released in the future. The two motherboards and the I/O blades are field swappable so that a system administrator can quickly upgrade the system to increase the maximum throughput without causing significant downtime. The redundant power supplies and fans are hot-swappable, offering sufficient reliability for this telecom application.

Because of its competitive cost, the system has already found several tier-1 telecom customers in the USA and Japan.

FX-7000 Series Overview

The FX-7000 Series consists of various network appliance designs that have one primary mainboard and can be extended with multiple secondary mainboards, all connected through a backplane to enable data transfers. When creating a multi-purpose network appliance, this ability to combine several mainboards into one appliance allows faster time to market and very significant cost savings.

Products in the FX-7000 series offer different levels of redundancy and different numbers of I/O blade slots. This makes it easy to build advanced multi-purpose network appliances. Combining an x86 and a RISC motherboard to create a firewall with high-throughput IPS is only one of many possible combinations.