Q. What makes Syphan different from other technologies that claim 10 Gb/s performance?

A. There is a huge difference between adding a 10G interface to a product and actually delivering 10G performance. Syphan delivers the latter across the whole spectrum of IPS, DDoS, content filtering and firewall functionality at incredibly low latency.

The ITC220 uses patent-pending, multi-dimensional parallel processing techniques and the latest FPGA chip technology in place of the more common ASIC or CPU approach used by most vendors. This enables full packet inspection, using up to 50,000 proprietary and industry-standard rule sets, in less than the inter-packet delivery time (<64 nanoseconds), supporting true 10 Gb/s full-duplex throughput regardless of the type of threat without introducing latency.

With dual 10 Gb/s connections, each ITC220 is capable of supporting up to 40 Gb/s of aggregated throughput, which is an order of magnitude higher than the current fastest technology.

Q. Why is low latency such a critical factor in a network environment?

A. Increasingly, businesses are taking advantage of high-speed connectivity to power their WAN environment and introducing bandwidth-hungry applications such as integrated voice and data systems for corporate communications. At the same time, companies are required to maintain high levels of security to prevent data leakage and meet strict compliance standards. Any latency in the system causes drops in productivity, failed or abandoned transactions and, even worse, attempts by frustrated users to bypass corporate systems. All of these cause inefficient working practices that could seriously damage a business.

Q. What is multi-dimensional parallel processing?

A. This is the foundational architecture that enables Syphan to deliver True 10G performance. Syphan’s patent-pending architecture optimises the natural parallelism of different packet inspection tasks by distributing them across several processing dimensions. Distributing tasks across multiple processing cores is a well-known technique (which we use) but is only of limited effectiveness for many inspection-heavy tasks.

Syphan, however, has developed a number of far-reaching parallel processing techniques that multiply performance to levels previously thought impossible. We can’t give away our trade secrets, but they include separating and dividing tasks into micro-processing engines, multi-scheduling of tasks to ensure constant latency, and many other performance-enhancing algorithms.

Q. How scalable is the ITC220?

A. Very. The ITC220 can be fully virtualised to support up to 500 individual client networks and be configured in a cluster of up to 4 appliances. With fail-over and shared state functionality the Syphan ITC220 is also highly resilient.

Q. But doesn’t virtualization decrease per-customer performance?

A. Normally it does. Running several virtual machines on a processor core means that both the processor and its support infrastructure (memory, buses, etc.) are shared, thus decreasing performance.

Syphan’s approach is different; the way it virtualizes customers means performance degradation does not happen at all. What’s different is that Syphan deals in processing-optimized rules, which are either shared (e.g. for common DDoS or intrusion prevention attacks) or allocated to individual customers for custom tasks. Each rule is input into the multi-dimensional parallel processing engine and thus runs at True 10G performance.

Q. Will the ITC220 provide protection against the latest application layer attacks?

A. Yes. The ITC220 is able to inspect packets up to layer 7, as well as their data contents if required, and by using StealthTrap™ technology is able to track and mitigate the multi-layered, multi-vector attacks that are used to get through typical defence technologies.

Q. What is StealthTrap™ technology?

A. At its most basic level, StealthTrap™ is a massive multi-contextual state machine that tracks multiple inputs, including all the packets within a transaction flow, cross-flow signatures and events, and behavioural alerts. These states can be held for days or weeks and enable the detection of multi-layered, multi-vector attacks that are staged over time. Other elements of StealthTrap™ technology include dynamic arming of rules so as to reduce false positives.
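The general idea of dynamic arming with long-lived cross-flow state can be illustrated with a small sketch. This is an added example, not Syphan's code: StealthTrap™ internals are not described on this page, and the event kinds (`recon`, `payload`), the one-week hold time and all names below are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DAY = 86400
HOLD_SECONDS = 7 * DAY  # assumed hold time; the page only says "days or weeks"

@dataclass
class Event:
    ts: int    # seconds since start of capture
    src: str   # source address
    flow: str  # flow identifier
    kind: str  # hypothetical kinds: "recon" precursor, "payload" signature hit

@dataclass
class ArmingTracker:
    hold: int = HOLD_SECONDS
    armed_until: dict = field(default_factory=dict)  # src -> expiry timestamp

    def observe(self, ev):
        """Return an alert dict if the event should alert, else None."""
        expiry = self.armed_until.get(ev.src)
        if expiry is not None and ev.ts > expiry:
            del self.armed_until[ev.src]  # held state has aged out
            expiry = None
        if ev.kind == "recon":
            # A precursor arms the payload rule for this source, across flows.
            self.armed_until[ev.src] = ev.ts + self.hold
            return None
        if ev.kind == "payload" and expiry is not None:
            return {"src": ev.src, "flow": ev.flow, "ts": ev.ts}
        return None  # rule not armed for this source: suppress the match

def stateless_alerts(events):
    """Baseline: every signature hit alerts, with no context."""
    return [e for e in events if e.kind == "payload"]

def armed_alerts(events, hold=HOLD_SECONDS):
    tracker = ArmingTracker(hold=hold)
    hits = (tracker.observe(e) for e in sorted(events, key=lambda e: e.ts))
    return [a for a in hits if a]

# Constructed sample events (documentation address ranges).
SAMPLE = [
    Event(0, "198.51.100.7", "f1", "recon"),
    Event(3 * DAY, "198.51.100.7", "f9", "payload"),       # armed 3 days earlier
    Event(3 * DAY + 5, "203.0.113.20", "f10", "payload"),  # never armed
    Event(12 * DAY, "198.51.100.7", "f30", "payload"),     # arming expired
]

if __name__ == "__main__":
    print(len(stateless_alerts(SAMPLE)), "stateless alerts")
    print(armed_alerts(SAMPLE))
```

On the sample, the stateless baseline alerts on all three signature hits, while the armed rule alerts only on the hit that follows a precursor from the same source within the hold window.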

Q. Is the ITC220 just SNORT on steroids?

A. No. Syphan certainly delivers the industry’s leading performance for SNORT rules by some distance, but the critical difference is that we do not run a SNORT engine, as its architecture is essentially sequential rather than optimized for performance-enhancing parallelization.

SNORT rules are used as one of many inputs into Syphan’s system, but they are first converted, both to optimize their structure for processing purposes and to enable the reduction of false positives by placing them into multiple state contexts. Other rule types are also converted, including BRO, access control lists, firewall rules, URL lists, other signature libraries and indeed almost any other type of security or packet inspection rules.

Q. Where does the name Syphan come from?

A. The name comes from the word siphon, also spelt syphon, meaning to convey, draw off, or empty. In the case of Syphan, we convey real network traffic at maximum performance levels and draw off or empty the traffic of malevolent elements. On a practical level, syphan.com was also available as a domain name, whereas siphon.com and syphon.com were not.