Data Center Zero-Trust Applications

Zero-trust is a method of defining and enforcing fine-grained security policies for widely distributed applications, containers, and virtual machines (VMs) at massive scale. Netronome adds value by offloading and accelerating the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementation of zero-trust within a server.

Features

Data center zero-trust stateful security can provide enhanced security for east-west traffic within the data center, implemented closest to VMs and containers. It provides the following advantages:
Automated provisioning
Easily move/add/change policy for workloads in VMs and containers
Distributed enforcement at every virtual interface
In-kernel, scale-out firewalling performance through distribution
Used with every hypervisor and baked into the platform
Through offload and acceleration of the vSwitch and Linux Netfilter Connection Tracking (Conntrack), the zero-trust stateful security datapath via the Agilio solution improves performance while freeing up vital CPU resources to applications running in VMs and containers.

Benchmarks

Standard OVS and Conntrack without acceleration struggles with packet processing which ties up valuable server CPU resources and creates a bottleneck that starves applications. Netronome Agilio SmartNIC reclaim up to 50% of the server CPU resources previously dedicated to OVS and stateful security, while at the same time delivering 4X or more of the packet data throughput to more applications. For detailed benchmarking results, see the Enabling Efficient and Scalable Zero-Trust Security Whitepaper.
Performance graph in Gigabits per second
Performance graph in CPU utilization

Architecture

Agilio OVS Firewall Software, combined with Agilio SmartNICs enables zero-trust stateful security while significantly improving server-based networking performance. Agilio Firewall restores valuable CPU cores by offloading Open vSwitch (OVS), and Linux connection tracking (Conntrack) to Netronome’s family of SmartNICs. Provisioning of the zero-trust security policies is enabled through standard OVS interfaces and related OpenStack security group support.
The Agilio OVS Firewall Software augments the Agilio OVS Software product through the addition of Netfilter Connection Tracking (Conntrack). This gives users the ability to define more intelligent filtering policies, rules to replicate security groups, access control lists, and stateful firewall applications. Agilio OVS Firewall Software offloads the Conntrack functionality to the NFP datapath instead of NetFilter software in the kernel boosting performance dramatically. Performing this connection tracking in the NFP, in addition to standard OVS match/action profiles, adds value by offloading and accelerating the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementation of zero-trust stateful security within a server.

ROI Calculator

This ROI calculator compares the CAPEX and three-year OPEX for a virtualized EPC (vEPC) application built using servers with Agilio CX SmartNIC. Compared to traditional NICs, the Agilio CX SmartNICs offload and accelerate server-based networking functions, helping vEPC applications run faster and improve overall server efficiency. The comparison shown below assumes an Intel server with 24 physical CPU cores and a 40GbE network interface per server. Additional configurations can be provided upon request.

Calculate Your Savings

See for yourself with a hands-on demo.

Test Drive