A couple of months ago, one of the training seminars organized by the caring company where I then worked was a seminar on Crossbeam products. Having decided to learn more, I was very surprised that there was not a single mention of this company and its products on Habr.

Imagine switches, intrusion detection and prevention systems, a firewall and a bunch of other goodies inside one box.
Below the cut is a story about how it all works and what advantages such an architecture gives.
Architecture
Two main components:
- Server rack (chassis)
- Some number N of so-called blades (plug-in hardware modules)
Chassis
- Blade slots
- Connectors to connect blades to each other
- Fans
- Uninterruptible power supply, etc.
In effect this is a standard kit, simply integrated into one device. The most important part, though, is:
Blades
A blade is the basic network unit from which, like Lego, you can build a network infrastructure for your enterprise.
There are three types of blade:
- Network Processor Module (NPM) - a regular switch
- Application Processor Module (APM) - a module that executes a network application (FW, IPS, etc.)
- Control Processor Module (CPM) - a module that manages all others (load balancing, task management)
As noted above, the NPM is a regular switch, so we will not consider it in more detail.
Application Processor Module (APM)
This blade is a computer running the XOS operating system.
Control Processor Module (CPM)
And finally, the most interesting part is the control module, which makes the entire system work.
It stores the images of all applications that can be deployed to APMs. When the system starts up, depending on the settings and the number of connected APMs, it loads the corresponding images onto them.
The CPM tracks the load on each APM and balances the tasks, distributing them between identical APMs.
Consider a small example: we have an IPS and a firewall, and 5 APMs.
The administrator has configured 2 blades as FW and 2 as IPS, and left the 5th as a spare.
When the system starts, the CPM loads 4 APMs with the corresponding images.
If 1 blade dies, a spare one is immediately loaded in its place. If another dies, spare APMs are allocated according to the priorities set by the administrator.
Thus, when links in the chain drop out, the system continues to function fully and lets you replace a broken blade on the fly by simply pulling out the old blade and inserting a new one.
The more spare blades, the more reliable your system. It does not matter if some element dies during the night: the system administrator can sleep soundly and simply replace the failed element in the morning.
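A toy model of the spare allocation described above, as an added example (not Crossbeam or XOS code). The priority numbers, the slot names and the rule "the most important under-provisioned group gets the next spare" are assumptions made for illustration.

```python
# Toy model of the CPM behaviour described above; not Crossbeam code, all names constructed.
class Cpm:
    def __init__(self, groups, slots):
        self.groups = groups       # {app: (wanted_blades, priority)}, 1 = most important
        self.spares = list(slots)  # healthy APMs with no image loaded
        self.running = {}          # slot -> application image currently loaded
        self.reconcile()

    def count(self, app):
        return sum(1 for a in self.running.values() if a == app)

    def snapshot(self):  # (blades per app in config order..., spare count)
        return tuple(self.count(a) for a in self.groups) + (len(self.spares),)

    def reconcile(self):
        """Hand spares to under-provisioned groups, most important group first."""
        for app, (wanted, _) in sorted(self.groups.items(), key=lambda g: g[1][1]):
            while self.count(app) < wanted and self.spares:
                self.running[self.spares.pop(0)] = app

    def fail(self, *slots):
        """One or more blades (loaded or spare) die at the same moment."""
        for slot in slots:
            self.running.pop(slot, None)
        self.spares = [s for s in self.spares if s not in slots]
        self.reconcile()

    def insert(self, slot):
        """Hot-swap: a replacement blade is plugged in and joins the spare pool."""
        self.spares.append(slot)
        self.reconcile()


def demo():
    # The example from the text: 5 APMs, 2 for FW, 2 for IPS, 1 spare.
    cpm = Cpm({"FW": (2, 1), "IPS": (2, 2)}, ["apm1", "apm2", "apm3", "apm4", "apm5"])
    states = [cpm.snapshot()]
    cpm.fail("apm3")           # one IPS blade dies: the spare takes its place
    states.append(cpm.snapshot())
    cpm.fail("apm1", "apm4")   # FW and IPS blades die together, no spare left
    states.append(cpm.snapshot())
    cpm.insert("apm6")         # a single replacement arrives: FW wins by priority
    states.append(cpm.snapshot())
    return states


if __name__ == "__main__":
    for fw, ips, spare in demo():
        print(f"FW={fw} IPS={ips} spare={spare}")
```

In this model a double failure with no spares leaves both services degraded until a blade is inserted, which is why the spare count matters for sizing.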
The system also supports redundancy (VRRP): you use 2 units, one of which is active while the second is on standby. If a major malfunction occurs (several elements fail or, God forbid, the "cleaner" accidentally unplugs the unit), the standby is immediately put into operation.
XOS
As the product presentation says about the operating system:
"... The next generation security platform is powered by the versatile, patented Crossbeam XOS software. The XOS software works brilliantly with complex, high-performance network security settings and has several other key advantages. For example, XOS dynamically distributes virtualized security applications across several APM modules with enhanced security. This provides intelligent balancing of traffic based on current APM module utilization rates. Security applications and configuration data are automatically transmitted over the network through several CPM modules, resulting in ease of scaling when creating virtual clusters and reserving applications, as well as the ability to maintain high availability of individual devices thanks to self-healing functions ... "
In fact, after digging into images stored on the CPM, we determined that this is just a modified Linux.

Hence the following goodies:
- You can write an arbitrary network application, and process the traffic as you like (Crossbeam also provides an SDK for working with chassis interfaces)
- You can modify the ready-made images to your liking (this takes hard work, but the problem can be solved)
If the topic is interesting, then in the next article I will describe:
- What difficulties arose in assessing the possibility of certification of this equipment
- What modifications we made to the firmware in order to solve these difficulties
- An example of writing your own application for APM
- The fundamental differences between XOS and Linux that Crossbeam introduced