Data Center Zero-Trust Applications

Zero-trust is a method of defining and enforcing fine-grained security policies for widely distributed applications, containers, and virtual machines (VMs) at massive scale. Netronome adds value by offloading and accelerating the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementation of zero-trust within a server.

Features

Data center zero-trust stateful security can provide enhanced security for east-west traffic within the data center, implemented closest to VMs and containers. It provides the following advantages:: Automated provisioning; Easily move/add/change policy for workloads in VMs and containers; Distributed enforcement at every virtual interface; In-kernel, scale-out firewalling performance through distribution; Used with every hypervisor and baked into the platform

Through offload and acceleration of the vSwitch and Linux Netfilter Connection Tracking (Conntrack), the zero-trust stateful security datapath via the Agilio SmartNIC and software solution improves performance while freeing up vital CPU resources to applications running in VMs and containers.

Benchmarks

Standard OVS and Conntrack without acceleration struggles with packet processing which ties up valuable server CPU resources and creates a bottleneck that starves applications. Netronome Agilio SmartNIC reclaim up to 50% of the server CPU resources previously dedicated to OVS and stateful security, while at the same time delivering 4X or more of the packet data throughput to more applications. For detailed benchmarking results, see the Enabling Efficient and Scalable Zero-Trust Security Whitepaper.

Architecture

Agilio SmartNICs and OVS Firewall Software enable zero-trust stateful security while significantly improving server-based networking performance. Provisioning of the zero-trust security policies is enabled through standard OVS interfaces and related OpenStack security group support.

The Agilio OVS Firewall Software augments the Agilio OVS Software product through the addition of Conntrack. This gives users the ability to define more intelligent filtering policies, rules to replicate security groups, access control lists, and stateful firewall applications. Agilio OVS Firewall Software offloads the Conntrack functionality, boosting performance dramatically and eliminating the bottlenecks associated with implementation of zero-trust stateful security.

Documentation

White Paper: Enabling Efficient and Scalable Zero-Trust Security; Agilio OVS Software Architecture

Product Brief: Agilio OVS Firewall Software; Agilio OVS Software

Do you want to know more?

Contact Sales

Testimonials

“Virtual switches have become an integral part of data center networking, however performance becomes a significant impediment at 10Gb/s and higher data rates. Netronome Agilio CX SmartNICs save significant CPU cycles while improving performance for server-based networking features such as virtual tunnel end points and policies per VM or tenant, enabling higher service levels at lower cost.”

- Chen Li, SDN Project Manager at China Mobile

“Ericsson’s Cloud SDN Platform based on OpenDaylight, leverages open source technologies such as Open vSwitch and OpenStack to provide a flexible and scalable networking framework for deploying IT and NFV services. Integration of the Netronome Agilio SmartNIC and software solution into the Ericsson Cloud SDN solution results in up to five times more output per server rack, helping lower overall dollar per compute resource in the data center infrastructure.”

- Elena Romero, Head of Product Line SDN & Policy Control at Ericsson

“Programmable networking data path implementation in hardware can enable differentiated performance and service levels on a per NFV application or per customer basis. The P4 data path programming language, as supported by Netronome’s Agilio CX SmartNICs and related development tools, is simple and hardware agnostic, allowing for rapid and future-proofed networking datapath innovation.”

- Elena Romero, Head of Product Line SDN & Policy Control at Ericsson

“The Juniper Networks Contrail vRouter, one of the key components of the Contrail SDN solution, is ideal for orchestrating and automating cloud networks. The Contrail vRouter and its ability to provide highly scalable secure virtual networks, combined with SmartNICs such as Netronome’s Agilio CX, allows the acceleration of a broad set of networking functions and the ability to evolve rapidly with changing needs.”

- Ankur Singla, Corporate Vice President and General Manager of Cloud Software at Juniper Networks.

“Zero-trust security implemented using OpenStack security groups fills many holes in traditional perimeter-based firewalling exacerbated by increasing east-west traffic. The integration of the Agilio CX 25GbE and Linux Firewall platform with Mirantis OpenStack solves this multi-dimensional challenge by improving performance, scale and economies for both east-west traffic and servers implementing zero- trust security.”

- Kamesh Pemmaraju, vice president of product marketing at Mirantis

“Increasing traffic and an explosion in the number of VMs has led many companies to want to firewall their infrastructure on a per-VM basis. By offloading Linux firewall functionality onto the Agilio CX adapter, Netronome allows companies to enable stateful firewalls for each VM without overloading server CPUs.”

- Abhi Dugar, research director, cloud infrastructure semiconductors and IoT security at IDC.

SmartNIC

Agilio Software

News

Data Center Zero-Trust Applications

Features

Benchmarks

Architecture

Documentation