Ever since the introduction of Raima’s database technology in the embedded systems market, the major telecom equipment providers like Alcatel-Lucent, 3Com and many others have utilized our products in their equipment. Adoption of RDM embedded database technology started with standalone voice and data switches and soon grew as advancements were made to these products. As the requirements for these systems expanded, so did the capabilities of our products. Requirements that once were “nice to have” features have developed into standard requirements. Examples of these requirements are 24×7 operations with system failover capabilities, distributed data across multiple processing units, and real-time and in-memory data processing needed to keep up with increasingly faster network speeds.
One application use case is a distributed IP intrusion detection system. The sole purpose of such a system is to capture IP packets and validate them against known patterns, and to shut down and prevent unwanted network traffic. One of the challenges for current solutions is keeping up with the data speeds commonly found in modern networks. Not only does the application need to log at the speed of the network, it also needs to do complex intrusion validation on a wide range of IP packets. Additionally, it needs to trigger real-time alarms to network administrators and notify other IP units about blacklisted traffic origins.
Many of those original applications had implemented proprietary, home-grown data management solutions because of this logging speed requirement. This has resulted in the proliferation of proprietary alarming mechanisms and data distribution solutions. These systems are often far from ideal due to the absence of true transaction support within their databases. Because of this shortcoming, it's common to find intrusion alarms being delayed, alarms not being delivered to appropriate personnel, and distributed blacklists updated by a scheduled batch process instead of in real time. An additional complication is the need to merge blacklists between units. Because of the lack of transactions, these merges must be followed by a complete destructive refresh of the list. This limitation exposes a serious vulnerability in the system, which could potentially let through network traffic whose origin had already been detected as hazardous at one unit, but not at another.
With the RDM embedded database's true in-memory and circular data buffering, IP intrusion units can efficiently add dynamic, transactionally safe data logging with real-time pattern matching. Combined with the dataflow capabilities described previously in this document, this allows real-time alarms to be pushed upstream to network administrators with ease, and distributed blacklist updates to be performed at a transactional level. One possible extension is pushing alarms further up the system to management for on-the-fly reporting and trend analysis.
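
The gap left by a destructive refresh, next to a transactional blacklist merge, is shown in the following added example, which is not Raima code and does not use the RDM API. It assumes SQLite as a stand-in transactional store, and the table name, function names and IP addresses are constructed for illustration.

```python
import os
import sqlite3
import tempfile

LOCAL = ["198.51.100.7", "203.0.113.9"]  # constructed: this unit's blacklist
PEER = ["203.0.113.9", "192.0.2.44"]     # constructed: entries from a peer unit
PROBE = "198.51.100.7"                   # origin already known as hostile locally

def is_blocked(reader, ip):
    """The lookup the packet path performs for each source address."""
    return bool(reader.execute("SELECT 1 FROM blacklist WHERE ip = ?", (ip,)).fetchall())

def load(conn, ips):
    conn.executemany("INSERT OR IGNORE INTO blacklist VALUES (?)", [(ip,) for ip in ips])

def destructive_refresh(writer, reader, merged):
    """Batch-style merge without a transaction: wipe the list, then reload it."""
    writer.execute("DELETE FROM blacklist")     # visible to readers at once
    blocked_during = is_blocked(reader, PROBE)  # a packet arrives in the gap
    load(writer, merged)
    return blocked_during

def transactional_merge(writer, reader, peer):
    """Merge peer entries atomically: readers see the old or new list, never a gap."""
    writer.execute("BEGIN IMMEDIATE")
    load(writer, peer)
    blocked_during = is_blocked(reader, PROBE)  # a packet arrives mid-merge
    writer.execute("COMMIT")
    return blocked_during

def run_case(merge_fn, payload):
    """Return (was PROBE blocked during the merge, final blacklist contents)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "unit.db")
        # isolation_level=None: autocommit unless BEGIN is issued explicitly
        writer = sqlite3.connect(path, isolation_level=None)
        reader = sqlite3.connect(path, isolation_level=None)
        try:
            writer.execute("CREATE TABLE blacklist (ip TEXT PRIMARY KEY)")
            load(writer, LOCAL)
            blocked_during = merge_fn(writer, reader, payload)
            final = sorted(r[0] for r in reader.execute("SELECT ip FROM blacklist"))
        finally:
            writer.close()
            reader.close()
    return blocked_during, final

if __name__ == "__main__":
    print(run_case(destructive_refresh, sorted(set(LOCAL) | set(PEER))))
    print(run_case(transactional_merge, PEER))
```

Both strategies end with the same merged list; only the destructive refresh leaves a moment in which a known-hostile origin is not blocked.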