Colorado Springs, Colo. - Among the host of vendors claiming silicon support for deep-packet inspection, CloudShield Technologies Inc. says it has taken acceleration of high-layer services to a new level by placing all control processing directly in the data plane. Its Open Network Services Platform (ONSP), expanded this summer to include a modular 2RU chassis, integrates services through a silicon database that combines network processor and FPGA capabilities.
CloudShield (Sunnyvale, Calif.) has raised close to $50 million since its founding in 2000. Its original large-chassis CA-5000 systems are being used by financial institutions and the U.S. government at such sites as the Air Force's Information Warfare Center. The CS-2000, a five-board 2RU system that handles packet throughput in the range of 1 to 5 Gbits/second, is the company's first system to be offered for volume carrier and enterprise applications. It will be followed next year by a still-smaller system for enterprise networks only.
The systems will be used for multilayer security applications, said Peder Jungck, founder and chief technology officer at CloudShield, but the company is careful not to call the ONSP a converged security application box. In some cases, the ONSP may work alongside security systems from companies such as iPolicy Networks.
"We see the Cisco/Riverhead products most often in the carrier environment and see Pentium-class servers as competitors in enterprise environments," Jungck said. "We may compete against a Crossbeam [Systems] or iPolicy, but we see deep-packet processing as more than security."
The CS-2000 five-slot system is populated with boards called Deep Packet Processing Modules that provide silicon support for probing packet content and headers at Layers 4 through 7, as well as a stateful database in silicon. The database uses a 512-Mbit memory that can handle 500,000 bidirectional access control list entries.
In traditional networking applications, control plane and data plane processors are kept segmented, though some advanced designs have control processors that take care of data path information. "Our architecture turns this concept on its head, by handling even the control information within the data path processors," said Dan McBride, director of product marketing at CloudShield.
The 2RU, 3.5-inch-high chassis supports four 1-Gbit Ethernet ports, either copper or fiber, or two OC-48 packet-over-Sonet ports. It can be configured with redundant power supplies. Its server blade module has dual Pentium processors running under Red Hat Linux.
To acquaint application developers with the theory of writing applications directly for data path operations, CloudShield has introduced the Rave programming language, part of an integrated development environment called Eclipse. Applications can be designed, compiled and debugged in Rave using a single PC client. Rave uses graphical logic flows and a small command set, so users do not need to employ a software or network systems design expert to learn the program.
The CS-2000, with a single Gigabit Ethernet deep-packet-processing module (DPPM) board, starts at a suggested list price of $49,000. The development environment for Rave is $10,000. Both the processing platform and the software environment are shipping this summer.