By Dan Joe Barry, Napatech
Network security is a growing problem, with unwanted intrusions ranging from annoying spam email through viruses, worms, and Trojan horses to a constantly evolving world of innovative criminal activity. The issue has become so serious that US President Obama recently devoted a speech to it, in which he announced an extensive cybersecurity program at the highest level for protecting government, military, and private-sector networks.
The high speeds of current networks, plus the wide range of threats, tax the capabilities of even the highest-powered security systems. The simple fact is that such systems need to examine every packet in detail at line speed to avoid slowing down the entire network. The advent of 10 Gb, 40 Gb, and even 100 Gb speeds further exacerbates the situation. Furthermore, more sophisticated detection methods are being developed that require even more processing power to perform statistical analysis, pattern matching, and other checks for signs of malicious traffic.
For in-line security applications, such as Intrusion Prevention Systems (IPS), the challenge is to ensure no loss of data and low latency under all network conditions. A solution is needed that does not depend on servers handling both application support and data-traffic processing. The key is to get the data off the network and into the security applications as quickly and effortlessly as possible. The network interface card (NIC) can be a major roadblock here if it must deal with every packet.
A standard NIC delivers only those packets in the aggregated traffic flow that are addressed to its own server and the applications it supports. NICs are simply not designed to transfer all traffic to the server. If more packets arrive than the server can handle, the overflow is simply discarded. Network security applications require a much more robust and intelligent adapter.
An intelligent network adapter for in-line security applications should be capable of processing all traffic received at any line-rate or packet size. This ensures no dropping of packets.
However, an in-line device should be transparent to the network, so the latency it introduces must be low enough to allow swift re-transmission of packets back onto the network.
Intelligent network adapters that can filter and tag packets, as well as balance the processing load on up to 32 CPU cores, can ensure fast, intelligent execution that is fully configurable. A typical example is the Napatech NT20E In-Line Adapter. It provides full 10 Gbps throughput on all ports with zero packet loss. It can perform packet classification, packet tagging and filtering, and intelligent distribution of traffic processing. The device can thus offload work from the CPU. An extensive software suite offers ease of integration for systems based on Linux or Windows.
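As an added illustration (not Napatech's code, nor the NT20E's actual hash or filter engine), here is the flow-to-core distribution described above in Python: a direction-independent 5-tuple hash so that both halves of a session land on the same core, which a stateful IPS needs, plus a small port-based filter table that tags each packet. The filter table, the addresses and the SHA-256 stand-in for the adapter's hardware hash are constructed assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a packet (constructed for this example)."""
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


# Hypothetical filter table: (protocol, well-known port) -> tag.
FILTERS = {(6, 80): "http", (6, 443): "tls", (17, 53): "dns"}


def flow_key(pkt: Packet) -> bytes:
    """Canonical, direction-independent key for the packet's flow.
    Sorting the two endpoints makes A->B and B->A yield the same bytes,
    so request and reply of one session are hashed to the same core."""
    ends = sorted([(ip_address(pkt.src_ip).packed, pkt.src_port),
                   (ip_address(pkt.dst_ip).packed, pkt.dst_port)])
    return bytes([pkt.proto]) + b"".join(
        ip + port.to_bytes(2, "big") for ip, port in ends)


def classify(pkt: Packet) -> str:
    """Tag by well-known port on either side; 'other' if nothing matches."""
    for port in (pkt.dst_port, pkt.src_port):
        tag = FILTERS.get((pkt.proto, port))
        if tag:
            return tag
    return "other"


def dispatch(pkt: Packet, ncores: int = 32) -> tuple[int, str]:
    """Return (core index, tag). SHA-256 stands in for a hardware hash;
    any deterministic function of flow_key() gives the same property."""
    digest = hashlib.sha256(flow_key(pkt)).digest()
    return int.from_bytes(digest[:4], "big") % ncores, classify(pkt)


def distribute(pkts, ncores: int = 32) -> Counter:
    """Map every packet to a core and return per-core packet counts."""
    return Counter(dispatch(p, ncores)[0] for p in pkts)
```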
The net effect is less than 5% server CPU utilization for traffic processing, essentially liberating processing power for network security applications. Standard servers can continue to be used, no matter the line speed, allowing broad and cost-effective deployment of network security.
Dan Joe Barry is VP Marketing at Napatech. You can reach him at djb@napatech.com.