
Accelerated Security Architectures on Display at RSA

By Daniel Proch | Feb 29, 2016

Security architectures are changing rapidly to keep up with an ever-evolving threat landscape. At RSA this year there will undoubtedly be a wide-ranging set of opinions on the most effective architecture for securing a cloud, enterprise, or carrier network. One of the newest and most exciting approaches is called “zero-trust security.” The idea is to place security enforcement as close as possible to the applications themselves and to abandon the distinction between a trusted internal network and an untrusted external one: traffic is never trusted simply because of where it comes from. “Trust none. Verify all,” is the simple premise.

On compute servers we are seeing rapid sprawl in the use of virtual machines (VMs) and container technologies to host applications, together with a continuously changing set of networking features those VMs require. These factors drive a growing need for zero-trust distributed security, in which policies are deployed close to the applications in VMs and containers rather than only at the network perimeter. This server-based technique, called micro-segmentation, defines and enforces fine-grained security policies (typically per-workload allow rules with a default deny) for widely distributed applications, containers, and VMs at massive scale. Netronome Agilio CX SmartNICs offload and accelerate enforcement of these policies, removing the bottlenecks of implementing micro-segmentation in server software. Our solution can support up to 8X the number of security policies, all enforced in programmable hardware, reducing the work the server must do to administer policy. This delivers much higher performance at lower cost and frees CPU cycles for the applications you are actually trying to secure.
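As an added example (not Netronome's code or the demo's configuration), here is how a small micro-segmentation policy of the kind described above can be expressed as per-VM allow rules and compiled into Open vSwitch flow entries, with a checker that decides packets the way the installed flows would. The VM inventory, the policy, and the `compile_policy` and `permits` helpers are assumptions for illustration; the emitted lines use standard `ovs-ofctl` match syntax but nothing here talks to a real switch or SmartNIC.

```python
"""Micro-segmentation policy compiled to per-VM Open vSwitch flow rules.

Added example, not Netronome code. The VM inventory, the policy and the
compile_policy/permits helpers are invented for illustration. The emitted
lines use the match syntax of `ovs-ofctl add-flows`; `permits` mirrors what
the installed flows would decide so the policy can be checked offline.
"""
from dataclasses import dataclass

# Constructed sample inventory: VM name -> (OVS port of the VM's vNIC, IPv4)
VMS = {
    "web-1": (1, "10.0.1.10"),
    "app-1": (2, "10.0.2.10"),
    "db-1":  (3, "10.0.3.10"),
}


@dataclass(frozen=True)
class Rule:
    """One allowed connection: src VM may open proto/dport on dst VM."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Explicit allow list; anything not listed is dropped (default deny).
POLICY = [
    Rule("web-1", "app-1", "tcp", 8080),   # web tier -> app tier
    Rule("app-1", "db-1", "tcp", 5432),    # app tier -> database
]


def compile_policy(vms, policy):
    """Return ovs-ofctl flow lines implementing the policy.

    Each rule becomes a forward flow (match on destination port) and a
    stateless reverse flow for the replies (match on source port). A
    low-priority ARP rule keeps address resolution working; the catch-all
    drop at priority 0 is what makes the segment default deny.
    """
    flows = []
    for r in policy:
        sport, sip = vms[r.src]
        dport, dip = vms[r.dst]
        flows.append(
            f"priority=100,in_port={sport},{r.proto},nw_src={sip},"
            f"nw_dst={dip},tp_dst={r.dport},actions=output:{dport}"
        )
        flows.append(
            f"priority=100,in_port={dport},{r.proto},nw_src={dip},"
            f"nw_dst={sip},tp_src={r.dport},actions=output:{sport}"
        )
    flows.append("priority=50,arp,actions=normal")
    flows.append("priority=0,actions=drop")
    return flows


def permits(vms, policy, src_ip, dst_ip, proto, sport, dport):
    """Decide a packet the way the compiled flows would: True = forwarded."""
    ip_to_vm = {ip: name for name, (_, ip) in vms.items()}
    s, d = ip_to_vm.get(src_ip), ip_to_vm.get(dst_ip)
    if s is None or d is None:
        return False          # unknown endpoint: default drop
    for r in policy:
        if r.proto != proto:
            continue
        if (r.src, r.dst, r.dport) == (s, d, dport):
            return True       # forward direction
        if (r.src, r.dst, r.dport) == (d, s, sport):
            return True       # reply direction (stateless approximation)
    return False


if __name__ == "__main__":
    print("\n".join(compile_policy(VMS, POLICY)))
    # The web tier must not be able to reach the database directly.
    print(permits(VMS, POLICY, "10.0.1.10", "10.0.3.10", "tcp", 40000, 5432))
```

The output of `compile_policy` can be written to a file and loaded with `ovs-ofctl add-flows br0 flows.txt`. The reverse rules are deliberately stateless so the example stays self-contained, and the checker exposes the cost of that choice: a process on db-1 that binds source port 5432 can reach any port on app-1. A production policy would match replies on connection-tracking state (`ct_state=+est`) instead of the source port, which is exactly the kind of stateful match that benefits from being enforced in hardware rather than on the host CPU.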

On the other hand, traditional appliances and perimeter-based security are not going away either. There is still a need for complex analytics solutions that examine traffic on a network-wide scale, perimeter firewalls and intrusion prevention systems (IPS) at the network edge, gateway-style DDoS filtering nodes, and lawful intercept (LI) devices that look for the needle in the haystack, to name but a few. Architects of these platforms want to implement them on open, software-controlled architectures based on commodity servers, for obvious scale and cost reasons. These applications are very compute-intensive and require a large number of instructions to be applied to the traffic across potentially millions of individual security policies. Rather than relying on COTS servers with a traditional network interface card (NIC) of limited networking intelligence or programmability, an architecture coupling standard high-volume servers with Netronome Agilio LX SmartNICs and Agilio software can run security applications at high throughput while retaining all the benefits of the COTS model, offloading the expensive networking tasks from the server itself.

At the show we will be demonstrating both of these security architectures accelerated by our Agilio SmartNICs and Agilio software. All under OpenDaylight SDN control, the demo will highlight 25/40/50/100GbE security applications running on standard x86 servers from our partner AIC. The first will show a micro-segmentation, zero-trust security solution in which intricate traffic policy is applied in hardware at the SmartNIC before traffic is demultiplexed into VMs for application-level processing. The second will show a service node with multiple security virtual network functions (VNFs) in a service chain: portions of the traffic are sent to these VNFs, and other portions, based on SDN policy, are encapsulated into multiple VXLAN tunnels to emulate security isolation between multiple tenants. The network diagram is shown below.
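To make the tenant-isolation part of the second demo concrete, here is an added example (not the demo's code) of VXLAN encapsulation with one VNI per tenant, and of the check a decapsulating node should make before handing an inner frame to a tenant's VNF: the tenant is selected by VNI alone, and inner addresses are only validated against that tenant's own table. The header layout follows RFC 7348; the tenant table and the helper names (`eth_frame`, `vxlan_encap`, `vxlan_decap`, `demux`) are assumptions for illustration.

```python
"""VXLAN per-tenant encapsulation and a decapsulator that enforces isolation.

Added example, not Netronome demo code. The header layout follows RFC 7348;
the tenant table and the helper names are invented for illustration.
"""
import struct

VXLAN_FLAG_I = 0x08      # "I" flag: the VNI field is valid (MUST be set)
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14


class VxlanError(ValueError):
    pass


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def eth_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Build a minimal Ethernet frame (constructed inner traffic)."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encap(vni, inner_frame):
    """Prepend a VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise VxlanError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def vxlan_decap(packet):
    """Return (vni, inner_frame); reject malformed headers."""
    if len(packet) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise VxlanError("truncated VXLAN packet")
    if not packet[0] & VXLAN_FLAG_I:
        raise VxlanError("VXLAN I flag not set")      # RFC 7348: drop it
    vni = int.from_bytes(packet[4:7], "big")
    return vni, packet[VXLAN_HDR_LEN:]


# Constructed tenant table: VNI -> (tenant name, MACs that tenant owns)
TENANTS = {
    100: ("tenant-a", {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}),
    200: ("tenant-b", {"02:00:00:bb:00:01"}),
}


def demux(packet, tenants):
    """Decide which tenant's VNF receives the inner frame.

    The tenant is chosen by VNI alone; inner MACs are checked against that
    tenant's own table and never used to pick a tenant. Returns
    (tenant, inner_frame) on success or (None, reason) for a drop.
    """
    try:
        vni, inner = vxlan_decap(packet)
    except VxlanError as e:
        return None, str(e)
    if vni not in tenants:
        return None, f"unknown VNI {vni}"
    tenant, macs = tenants[vni]
    dst, src = _mac_str(inner[0:6]), _mac_str(inner[6:12])
    if src not in macs:
        return None, f"source {src} is not a {tenant} address (VNI {vni})"
    if dst not in macs:
        # Unknown destination: drop rather than flood, so nothing can leak
        # toward a VM that belongs to another tenant.
        return None, f"destination {dst} is not a {tenant} address (VNI {vni})"
    return tenant, inner


if __name__ == "__main__":
    frame = eth_frame("02:00:00:aa:00:01", "02:00:00:aa:00:02", b"hello")
    print(demux(vxlan_encap(100, frame), TENANTS))
    # Same inner frame, but tenant-b's VNI: dropped as a spoofed source.
    print(demux(vxlan_encap(200, frame), TENANTS))
```

In a real deployment the per-VNI MAC tables live in the vSwitch or, as in the demo, in the SmartNIC's offloaded datapath, and the SDN controller populates them; the point of the example is the order of the checks. Validating the VXLAN header first, then mapping VNI to tenant, and only then consulting that tenant's addresses is what keeps a crafted inner frame from crossing tenant boundaries.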

Figure: Open vSwitch (OVS) demo network diagram

The goal of this demonstration is to show that line-rate performance can be achieved together with high flexibility and scalability of security policies, which is critical for operators that must enforce security and compliance. Netronome SmartNICs provide dramatic acceleration of data-path performance while also delivering significant server CPU offload and overall TCO savings.

Don’t forget to come visit us at booth #1633 in the Moscone Center to see these demonstrations, as well as our entire suite of products and solutions, live!