The Policy Man Returns

Date: Monday, May 31, 2004

How malicious can a worm be? For Pankaj Parekh, co-founder and CTO of Fremont, CA-based iPolicy Networks, it was bad enough to make him sell his house and invest even those dollars back into his company, as he fought off a diving economy to rebuild his startup into a strong security-enforcement product company. With the renowned Prabhu Goel taking over as CEO and the second-largest security investment of 2003 infusing fresh funds, iPolicy Networks is back on track. The company has developed an Intrusion Prevention Firewall that analyzes every incoming packet in depth in order to provide comprehensive security.

Parekh’s background includes leading the engineering team that developed the Itanium silicon validation server platform at Intel. Reflecting back on those days, Parekh says, “The race was on to develop ever faster processors. I found that most of the processing power was actually used up for one basic function—these processors were busy opening and closing TCP/IP connections. Whenever IT managers asked to upgrade their CPU, it was primarily because TCP/IP processing had exhausted the current CPU’s processing capability.” Parekh’s a-ha moment came when he realized that the key lay in separating TCP/IP processing from other information processing, moving it onto another layer (think box), so that the CPU could do what it was designed to do—data and information processing. “And once you talk of TCP/IP, you also are talking application security,” he remarks.

Parekh left Intel to start Tunnelnet. He formed an R&D team in India to build a network product concept that could relieve the performance bottleneck of the data center processor, and tested the concept with some initial service providers such as Exodus. With another angel investor who brought a strong security background, he merged Tunnelnet with Prabhu Goel’s Duet Technologies to form iPolicy Networks.

Parekh observed that service providers’ data centers had mostly deployed a series of point solutions providing limited security, such as narrowly focused firewalls and intrusion detection systems (IDS). “Moreover, most of the point solutions were managed as products, whereas the service providers really need to manage customers—this implies a different approach to business,” recalls the co-founder. Hence iPolicy took a different tack to solve the problem. “The new approach to the problem was to open and analyze the packet once, only once, and then perform all security inspections and enforce all security rules in one pass,” explains Parekh.

The startup’s approach paid off. “Our first product, the ipEnforcer 5000, could solve many problems at once—firewall, intrusion detection, intrusion prevention, virus scanning, and content filtering solutions,” recalls Parekh. One of the early wins was with one of the largest service providers in the world, where the iPolicy security appliance proved its superior security capabilities, ease of management and reliability against leading vendors in the market. “With iPolicy, the service provider could add a new customer in less than 30 minutes, whereas it took 48 hours or more using the solution from the closest competitor,” recalls Parekh. Service providers consider security a significant opportunity that gives them a much-needed differentiator in a marketplace where it is hard to stand out merely by selling bandwidth. “As carrier CSOs outlined their vision, they singled out quality of bandwidth as a key differentiator: the need to offer their clients a secure, reliable, and manageable service and not just raw bandwidth,” reminisces Parekh. And then, in 2001, Parekh found the service provider market shrinking and almost disappearing. “We had revenues from service provider deployments, but it wasn’t enough,” Parekh recalls, which was when he sold his house to keep the company running.

In 2003 came a much-needed transition, when Prabhu Goel came in to revive the company, bringing in new investors and a laser focus on the execution model. The company decided to address the growing enterprise market. “Our strength lay in our architecture, which was independent of any operating system or platform,” observes Goel. “To build an enterprise product was almost a no-brainer.” The ipEnforcer 3400 was productized in less than a year, and iPolicy Networks hit the road again, adding the enterprise market to its total available market.

Polite Policies
Traditional firewalls are like Swiss cheese—they have many holes in them through which viruses, worms, undesirable content, etc. creep in. iPolicy’s Intrusion Prevention Firewall builds multiple defense mechanisms directly into the firewall, closing the holes that exist in today’s firewalls. These defense mechanisms (worm mitigation, DDoS mitigation, URL filtering, anti-virus, and so on) are selectable depending on the level of defense desired for the network. Once the desired mechanisms are selected, a highly optimized rule tree is created that provides not only access-control functions (as in traditional firewalls) but also the selected defense mechanisms.

The Intrusion Prevention Firewall blocks worms, viruses, MMC (mobile malicious code) and encrypted threats, blocks undesirable content through URL filtering policies, and mitigates DoS and DDoS attacks. iPolicy’s layer 3-7 firewall also supports protocol and traffic anomaly detection.

Network isolation and attack cleanup are further strengthened by the Intrusion Prevention Firewall. It achieves this by segmenting the network into user-created Virtual Security Domains, allowing the creation of virtual subnets (e.g., engineering, marketing, etc.) that isolate and confine malicious network traffic within the virtual subnet. If one network segment is attacked, the attack is contained within that virtual subnet and prevented from spreading to the others. This isolation capability is very powerful for attack containment and cleansing.

Intrusion Prevention Firewall Architecture
iPolicy’s “Single Pass Inspection Engine” is the foundation of its Intrusion Prevention Firewall. The Single Pass Inspection Engine performs high-speed layer 3-7 inspection of packets to detect activity that requires enforcement action by the Intrusion Prevention Firewall. The rules required to implement the selected defense mechanisms are distilled into a highly optimized decision tree by iPolicy’s rule compiler. The Single Pass Inspection Engine and the Enforcement Engine work in concert: the Single Pass Inspection Engine provides the content analysis for each packet, and the Enforcement Engine then applies the enforcement rules to determine whether the packet should be allowed, dropped, quarantined, logged, or generate an event. The end result is an architecture in which the firewall itself makes decisions based on all the selected defense mechanisms, thwarting attacks in real time.
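The pipeline just described (rule compiler, single-pass inspection, enforcement verdict) and the Virtual Security Domain containment from the earlier section, reduced to a runnable sketch. This is an added illustration written for this page, not iPolicy's own code, and it makes no claim about how the ipEnforcer implements any of it: the `Packet` and `Rule` types, the rule names, the `SMB_MARKER` byte pattern, the `ATTACKED_DOMAINS` containment set and the protocol/port decision tree are all constructed for the example. A mixed rule set (ACL, worm signature, URL filter, audit logging, domain containment) is compiled into one tree; each packet is walked through that tree exactly once, every mechanism that fires is collected, and the enforcement step folds the hits into a single verdict (allow, log, quarantine or drop) plus an event list.

```python
"""Added illustration of a single-pass inspection pipeline (not iPolicy's code).

A rule compiler turns a mixed rule set (ACL, worm signature, URL filter,
audit, domain containment) into one decision tree; each packet is parsed and
walked once; an enforcement step folds every hit into a single verdict."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Severity order used by the enforcement engine: the strongest action wins.
ACTIONS = ["allow", "log", "quarantine", "drop"]

# Virtual Security Domains currently flagged as compromised (constructed state).
# Traffic leaving such a domain for another domain is dropped, confining the attack.
ATTACKED_DOMAINS: Set[str] = set()


@dataclass
class Packet:
    src_domain: str      # Virtual Security Domain of the sender (constructed field)
    dst_domain: str      # Virtual Security Domain of the receiver
    proto: str           # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    mechanism: str                        # "acl", "worm", "url", "audit", "contain"
    proto: Optional[str]                  # None matches any protocol
    dst_port: Optional[int]               # None matches any port
    predicate: Callable[[Packet], bool]   # content or context check on the packet
    action: str                           # one of ACTIONS


# Decision tree: protocol -> destination port -> rules; None keys are wildcards.
Tree = Dict[Optional[str], Dict[Optional[int], List[Rule]]]


def compile_rules(rules: List[Rule]) -> Tree:
    """Rule compiler: bucket rules by protocol and port so that a packet
    only ever touches the rules that can apply to it."""
    tree: Tree = {}
    for rule in rules:
        tree.setdefault(rule.proto, {}).setdefault(rule.dst_port, []).append(rule)
    return tree


def inspect(tree: Tree, pkt: Packet) -> List[Rule]:
    """Single-pass inspection: one walk of the tree per packet, returning
    every rule whose predicate fires. All mechanisms see the same parsed
    packet; nothing is handed to a second device for re-inspection."""
    hits: List[Rule] = []
    for proto_key in (pkt.proto, None):
        by_port = tree.get(proto_key, {})
        for port_key in (pkt.dst_port, None):
            for rule in by_port.get(port_key, []):
                if rule.predicate(pkt):
                    hits.append(rule)
    return hits


def enforce(hits: List[Rule]) -> Tuple[str, List[str]]:
    """Enforcement engine: fold all hits into one verdict and an event list.
    The most severe action across mechanisms decides the packet's fate."""
    verdict = "allow"
    events: List[str] = []
    for rule in hits:
        events.append(f"{rule.mechanism}:{rule.name}")
        if ACTIONS.index(rule.action) > ACTIONS.index(verdict):
            verdict = rule.action
    return verdict, events


# Constructed policy. SMB_MARKER is a placeholder byte pattern, not a real signature.
SMB_MARKER = b"\\PIPE\\"
POLICY = [
    Rule("deny-smb-cross-domain", "acl", "tcp", 445,
         lambda p: p.src_domain != p.dst_domain, "drop"),
    Rule("worm-sig-smb", "worm", "tcp", 445,
         lambda p: SMB_MARKER in p.payload, "quarantine"),
    Rule("blocked-url", "url", "tcp", 80,
         lambda p: b"Host: blocked.example" in p.payload, "drop"),
    Rule("log-dns", "audit", "udp", 53, lambda p: True, "log"),
    Rule("contain-attacked-domain", "contain", None, None,
         lambda p: p.src_domain in ATTACKED_DOMAINS and p.src_domain != p.dst_domain,
         "drop"),
]
TREE = compile_rules(POLICY)


def decide(pkt: Packet) -> Tuple[str, List[str]]:
    """Full pipeline for one packet: inspect once, enforce once."""
    return enforce(inspect(TREE, pkt))


if __name__ == "__main__":
    sample = Packet("engineering", "marketing", "tcp", 445, SMB_MARKER + b"...")
    print(decide(sample))  # ('drop', ['acl:deny-smb-cross-domain', 'worm:worm-sig-smb'])
```

The point the sketch makes is that one packet parse feeds every mechanism: the cross-domain SMB packet above trips both the ACL and the worm signature in the same walk, and the verdict is the most severe of the two while the event list still records both, so an operator sees why the packet was dropped rather than only that it was. Adding a mechanism means adding rules to the tree, not adding another inspection device in series.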

Today, enterprises are realizing that their different point solutions need to talk to each other, and iPolicy’s unified security system is adept at meeting this need. This matters because enterprise IT resources are under pressure to perform multiple functions, of which security is only one. “Ease of use is the biggest win,” says Parekh. A unique architecture and a product designed with customer requirements in mind have earned iPolicy excellent test results and analyst reviews. Richard Stiennon, vice president of security research at Gartner, says, “Intrusion prevention systems and application-specific firewalls came about only because of failures in firewalls,” calling iPolicy’s Intrusion Prevention Firewall the “network security nirvana.”

A new team, fresh funds, a climbing economy, and customers demanding better security solutions have given Parekh much-needed respite, and reaffirmed his policy of perseverance.