
Network Security Gets Next-Gen Performance Without the Cost


We know that 5G networks offer significantly higher throughput, more capacity, and lower latencies than legacy networks. But these benefits come at a price: for enterprises and cloud-service providers (CSPs), it means upgrading existing unified threat management (UTM), firewall, IPsec, and other security infrastructure so that it is capable of monitoring and securing 5G data traffic.

Everyone wants more bandwidth, but higher bandwidth means more data traffic, and all of that traffic must be secured. To stay competitive, enterprises and CSPs want to offer their own customers improved performance at the same cost, so they expect network security specialists to deliver higher-performance security at the same price points as current solutions. Security providers have no choice but to pass these requirements on to security appliance vendors, who are expected to deliver next-generation performance at previous-generation value.

To address this price-performance pinch, security appliance vendors like CASwell are developing solutions based on 3rd Gen Intel® Xeon® Scalable processors that deliver scalable 100 Gbps Ethernet performance and meet the line-rate security demands of next-generation networks.

Toeing the Line Rate with Reconfigurable Xeon® Appliances

Line-rate security implies that the security infrastructure can inspect streaming data traffic for threats in real time, without adding latency or buffering traffic. At 5G speeds, which can reach 20 Gbps, achieving line-rate packet inspection is much more complex than at lower bandwidths. The challenges include supporting every type of data and packet so that no information is lost mid-transmission, and optimizing the underlying hardware platform to maximize throughput regardless of the software or application it is running.

Because of these requirements, most security appliance designs are “semi-custom,” meaning that there is some level of fine-tuning for every customer. Of course, the ODM services required to tweak a hardware platform to a specific customer’s or application’s requirements aren’t cheap, and the goal remains next-generation performance at previous-generation cost.

One way to accomplish that is by designing modular, reconfigurable systems from the ground up. For example, CASwell has developed the CAR-5060 rackmount appliance based on two 3rd Gen Intel Xeon processors and up to 512 GB of DDR4-3200 ECC memory spread across as many as 16 RDIMMs (Figure 1). The 3rd Gen Xeons onboard the CAR-5060 can each contain up to 36 cores and 72 threads for packet processing and data filtering, while Intel® QuickAssist Technology (Intel® QAT) built into the companion Intel® C627 Chipset offloads cryptographic workloads to improve processor performance as much as 1.5x over previous-generation Xeons.

[Image: the CASwell CAR-5060 rackmount appliance, which features two 3rd Gen Intel® Xeon® Scalable processors.]
Figure 1. The CASwell CAR-5060’s modular architecture lets network security providers configure the platform with various expansion cards to meet specific use case requirements. (Source: CASwell, Inc.)

In addition to the Xeon processors, the CAR-5060 architecture provides eight PCIe Gen 4 x8 links and one PCIe Gen 4 x16 link to support different combinations of storage modules, GPU/FPGA acceleration cards, or up to eight CASwell network interface cards (NICs) with as many as eight high-speed Ethernet ports each.

In other words, network security providers can configure the scalable 2U system with as many as 64 10 GbE ports (eight NICs with eight ports each) for a total platform bandwidth of 640 Gbps, while still taking advantage of commercial off-the-shelf (COTS) pricing.

“A key difference between the CAR-5060 and previous generations is that this model is scalable in terms of the hardware and provides a higher throughput. Network service providers can choose the bandwidth that suits their application,” says Yannic Chou, AVP of Product Management at CASwell. “And they can select other options, such as AI compute capability and storage, as these systems are sometimes used for cloud storage. In addition, they may choose redundant power modules, a common feature.”


Above the Line Rate with DPDK

Despite the flexibility, scalability, and cost efficiency of platforms like the CAR-5060, application tuning is still required to get the most out of any security appliance. That makes the Intel® Data Plane Development Kit (Intel® DPDK) the next step for network security providers looking to build and deploy a next-generation firewall, UTM, IPsec gateway, or similar security function.

The Intel DPDK is a suite of network and data plane libraries that take packet processing out of the operating system’s kernel network stack and run it in user space with poll-mode drivers, removing the per-packet interrupt and copy overhead. When DPDK runs on Intel Xeon processors, it can accelerate packet processing by up to 10x, and it has become all but a de facto part of the development suite for those looking to maximize performance and shorten time to market.

This is joined by Intel® Boot Guard, a hardware mechanism in Xeon processors that verifies the system firmware (BIOS) before it executes, protecting it from unauthorized modification at boot time and ensuring the ground-up integrity of network appliances. In an industry where deployment speed is another top priority, the ability to streamline optimization and security engineering with tools like DPDK and Boot Guard helps OEMs configure platforms like the CAR-5060, port their applications to it, and get up and running relatively seamlessly.

Scalable Network Security Solutions: Next-Gen Performance, Previous-Gen Cost

In practice, network service providers need to upgrade their security platforms about every three to five years, at which point many will try to optimize their software stacks even further to squeeze every last bit of headroom from their hardware appliances. Since there is usually no way to know exactly what performance or functionality will be needed down the road, this has been the best defense CSPs and enterprise IT organizations have had against price-performance obsolescence. When that fails, new appliances are required.

Thanks to its expansion slots and compatibility with a range of network interface modules and adapter cards, upgrading the CAR-5060 is much simpler and more straightforward than in the past. Three to five years out, customers can simply slide a new, higher-bandwidth NIC or acceleration card into the front panel without even opening the chassis.

And that’s how network security providers can beat the price-performance pinch.


This article was edited by Christina Cardoza, Associate Editorial Director for insight.tech.

About the Author

Brandon is a long-time contributor to insight.tech going back to its days as Embedded Innovator, with more than a decade of high-tech journalism and media experience in previous roles as Editor-in-Chief of electronics engineering publication Embedded Computing Design, co-host of the Embedded Insiders podcast, and co-chair of live and virtual events such as Industrial IoT University at Sensors Expo and the IoT Device Security Conference. Brandon currently serves as marketing officer for electronic hardware standards organization, PICMG, where he helps evangelize the use of open standards-based technology. Brandon’s coverage focuses on artificial intelligence and machine learning, the Internet of Things, cybersecurity, embedded processors, edge computing, prototyping kits, and safety-critical systems, but extends to any topic of interest to the electronic design community. Drop him a line at techielew@gmail.com, DM him on Twitter @techielew, or connect with him on LinkedIn.
