Data Center Zero-Trust Applications

Zero-trust is a security model in which no workload is trusted by default: fine-grained policies are defined and enforced per workload for widely distributed applications, containers, and virtual machines (VMs), at massive scale. Netronome adds value by offloading and accelerating the enforcement of these policies to the SmartNIC, removing the bottleneck that enforcing zero-trust on the server's own CPUs otherwise creates.

Features

Data center zero-trust stateful security can provide enhanced security for east-west traffic within the data center, implemented closest to VMs and containers. It provides the following advantages:
Automated provisioning
Easily move/add/change policy for workloads in VMs and containers
Distributed enforcement at every virtual interface
In-kernel, scale-out firewalling performance through distribution
Works with any hypervisor and is built into the platform
By offloading and accelerating the vSwitch and Linux Netfilter connection tracking (conntrack), the zero-trust stateful security datapath on the Agilio SmartNIC and its software improves throughput while freeing CPU cores for the applications running in VMs and containers.


Benchmarks

Standard OVS and conntrack without acceleration spend a large share of server CPU on packet processing, which ties up valuable resources and creates a bottleneck that starves applications. Agilio SmartNICs reclaim up to 50% of the server CPU previously dedicated to OVS and stateful security, while at the same time delivering 4X or more packet throughput to applications. For detailed benchmarking results, see the Enabling Efficient and Scalable Zero-Trust Security Whitepaper.


Architecture

Agilio SmartNICs and the Agilio OVS Firewall Software enable zero-trust stateful security while significantly improving server-based networking performance. Zero-trust security policies are provisioned through standard OVS interfaces (OpenFlow and OVSDB) and the related OpenStack security group support.

The Agilio OVS Firewall Software augments the Agilio OVS Software product with conntrack support. This lets users define more intelligent filtering policies: rules that replicate security groups, access control lists, and stateful firewall applications. The software offloads conntrack processing to the SmartNIC, boosting performance dramatically and eliminating the bottlenecks associated with implementing zero-trust stateful security.
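To make the "stateful security policy through standard OVS interfaces" concrete, the script below is an added example, not Netronome's or the Open vSwitch project's code. It generates the OpenFlow rule set that a default-deny, security-group-style policy becomes on a hypervisor's OVS bridge: every new east-west connection is matched against an explicit allow list and committed to conntrack, replies and related packets pass because conntrack marks them established, and everything else is dropped at the virtual interface. The bridge name br-int, the ofport numbers and the 10.0.0.0/24 addresses in the policy are constructed values; the rule shape (ct() actions in table 0 and table 1) is standard OVS conntrack syntax, and it is this ct() processing that the Agilio software offloads to the SmartNIC.

```shell
#!/bin/sh
# Added example (not Netronome's or OVS's code): emit a default-deny,
# stateful east-west policy as OpenFlow rules for an OVS bridge.
# Bridge name, ofport numbers and addresses are constructed for illustration.

BRIDGE=${BRIDGE:-br-int}

# Allow list, one flow per line: "in_port dst_ip dst_tcp_port".
# Modelled on OpenStack security-group rules (assumed values).
POLICY='1 10.0.0.20 443
3 10.0.0.30 5432'

gen_flows() {
  # Table 0: permit ARP, push untracked IP through conntrack into table 1,
  # and drop anything else (default deny at the virtual interface).
  echo "table=0,priority=100,arp,actions=NORMAL"
  echo "table=0,priority=50,ip,ct_state=-trk,actions=ct(table=1)"
  echo "table=0,priority=0,actions=drop"
  # Table 1: after the conntrack lookup, established and related traffic
  # passes, invalid packets are dropped.
  echo "table=1,priority=100,ip,ct_state=+trk+est,actions=NORMAL"
  echo "table=1,priority=100,ip,ct_state=+trk+rel,actions=NORMAL"
  echo "table=1,priority=100,ip,ct_state=+trk+inv,actions=drop"
  # One rule per allowed new connection; ct(commit) records the flow so
  # the reply direction is classified +est and needs no rule of its own.
  printf '%s\n' "$POLICY" | while read -r port ip dport; do
    [ -n "$port" ] || continue
    echo "table=1,priority=50,tcp,ct_state=+trk+new,in_port=$port,nw_dst=$ip,tp_dst=$dport,actions=ct(commit),NORMAL"
  done
  # Any new connection not on the allow list is dropped.
  echo "table=1,priority=0,actions=drop"
}

apply_flows() {
  # Replace the bridge's whole flow table with the generated policy.
  # Needs a live OVS instance and root; "-" reads the flows from stdin.
  gen_flows | ovs-ofctl replace-flows "$BRIDGE" -
}

# Print the rules by default; "apply" pushes them to the bridge.
if [ "${1:-}" = "apply" ]; then apply_flows; else gen_flows; fi
```

After applying, check the installed rules with `ovs-ofctl dump-flows br-int` and the committed connections with `ovs-appctl dpctl/dump-conntrack`. Two caveats a practitioner should keep in mind: the allow rules only match the initiating direction, so a policy that must accept connections in both directions needs a rule for each, and because table 0 sends every untracked IP packet through conntrack, a bridge carrying very many short-lived flows is exactly the case where conntrack lookup cost dominates and offload matters.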