Data Center Zero-trust Applications

Zero-trust is a method of defining and enforcing fine-grained security policies for widely distributed applications, containers, and virtual machines (VMs) at massive scale. Netronome adds value by offloading and accelerating the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementation of zero-trust within a server.

Features

Data center zero-trust stateful security can provide enhanced security for east-west traffic within the data center, implemented closest to VMs and containers. It provides the following advantages:
Automated provisioning
Easily move/add/change policy for workloads in VMs and containers
Distributed enforcement at every virtual interface
In-kernel, scale-out firewalling performance through distribution
Works with every hypervisor and is baked into the platform
By offloading and accelerating the vSwitch and the Linux Netfilter Connection Tracking (Conntrack) datapath used to implement zero-trust stateful security, the Agilio solution improves performance while freeing up vital CPU resources for the applications running in VMs and containers.

Benchmarks

Standard OVS and Conntrack without acceleration struggle with packet processing, which ties up valuable server CPU resources and creates a bottleneck that starves applications. Netronome Agilio intelligent server adapters reclaim up to 50% of the server CPU resources previously dedicated to OVS and stateful security, while at the same time delivering 4X or more packet data throughput to the applications. For detailed benchmarking results, see the Enabling Efficient and Scalable Zero-Trust Security Whitepaper.
Performance graph in Gigabits per second
Performance graph in CPU utilization

Test Setup/Tools

Netronome utilizes the popular OpenStack cloud orchestration software from Mirantis to deliver a zero-trust stateful security proof of concept implementation that can be experienced through the zero-trust stateful security test drive section of this website. The test setup utilizes the Mirantis OpenStack solution to provision zero-trust stateful security rules into OVS and the Agilio CX solution hosted on servers.

Architecture

Agilio OVS Firewall Software, combined with Agilio intelligent server adapters (ISAs), enables zero-trust stateful security while significantly improving server-based networking performance. Agilio Firewall restores valuable CPU cores by offloading Open vSwitch (OVS) and Linux connection tracking (Conntrack) to Netronome's family of ISAs. Provisioning of the zero-trust security policies is enabled through standard OVS interfaces and the related OpenStack security group support.
The Agilio OVS Firewall Software augments the Agilio OVS Software product by adding Netfilter Connection Tracking (Conntrack). This gives users the ability to define more intelligent filtering policies: rules that replicate security groups, access control lists, and stateful firewall applications. Agilio OVS Firewall Software offloads the Conntrack functionality to the NFP (network flow processor) datapath instead of running it in the kernel's Netfilter software, boosting performance dramatically. Performing this connection tracking in the NFP, in addition to the standard OVS match/action processing, offloads and accelerates the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementing zero-trust stateful security within a server.
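To make the stateful policy concrete, the following added example (not Netronome's or the OVS project's code) generates the OpenFlow rules for a default-deny security group on one VM port using the OVS conntrack (ct) action that the page describes being offloaded. The OpenFlow port number, VM address, table numbers and allowed TCP ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Netronome's or OVS project code: emit the OpenFlow rules
# for a default-deny, stateful security group on one VM port, using the OVS
# conntrack (ct) action. The OpenFlow port, VM address, table numbers and
# allowed TCP ports are assumptions. Output is an ovs-ofctl flow file; on a
# host with conntrack-capable OVS it would be loaded with:
#   ovs-ofctl add-flows br-int <file>

# zero_trust_flows <vm_ofport> <vm_ipv4> <allowed_tcp_port>...
zero_trust_flows() {
    vm_port=$1; vm_ip=$2; shift 2
    # Table 0: every untracked IP packet is run through conntrack first;
    # ARP is needed for basic reachability, everything else is dropped.
    echo "table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)"
    echo "table=0,priority=50,arp,actions=normal"
    echo "table=0,priority=0,actions=drop"
    # Table 1: packets of connections already committed to the conntrack
    # table pass (the stateful part); invalid conntrack states are dropped.
    echo "table=1,priority=100,ip,ct_state=+trk+est,actions=normal"
    echo "table=1,priority=100,ip,ct_state=+trk+rel,actions=normal"
    echo "table=1,priority=100,ip,ct_state=+trk+inv,actions=drop"
    # Table 1: connections the VM itself opens are allowed and committed.
    echo "table=1,priority=90,ip,in_port=$vm_port,ct_state=+trk+new,actions=ct(commit),normal"
    # Table 1: inbound connections only to the listed TCP ports, committed
    # so that the reply direction later matches +est above.
    for p in "$@"; do
        echo "table=1,priority=90,tcp,nw_dst=$vm_ip,tp_dst=$p,ct_state=+trk+new,actions=ct(commit),normal"
    done
    # Table 1: default deny for every other new flow toward the VM.
    echo "table=1,priority=0,actions=drop"
}

# Constructed example: VM on OpenFlow port 5 at 10.0.0.5, reachable on SSH and HTTPS only.
zero_trust_flows 5 10.0.0.5 22 443
```

Because the rules are expressed in standard OVS flow syntax, they are the same whether Conntrack runs in the kernel's Netfilter or is offloaded to the adapter.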

ROI Calculator

This ROI calculator compares the CAPEX and three-year OPEX for a virtualized EPC (vEPC) application built using servers with Agilio CX intelligent server adapters (ISAs). Compared to traditional NICs, the Agilio CX ISAs offload and accelerate server-based networking functions, helping vEPC applications run faster and improve overall server efficiency. The comparison shown below assumes an Intel server with 24 physical CPU cores and a 40GbE network interface per server. Additional configurations can be provided upon request.
