Security demands hardware improvements

Chris O'Reilly -April 04, 2014

Complex, Real-World Security Threats Impact Network Design: High performance security features – integrated into silicon hardware – allow network managers to more thoroughly and more intelligently inspect, encrypt, authenticate and secure Internet traffic at wire speeds.

Fast, reliable network connectivity is at the heart of business today – powering critical infrastructure systems, internal business operations, customer-facing communications and home-based entertainment services.  But it’s not only system performance that keeps network managers awake at night. As more people embrace multiple connected devices through a wide range of applications, security vulnerabilities are top-of-mind for both network managers and network hardware designers. As the type and scope of network traffic continues to evolve, so does the complexity of security threats. It is more important than ever to address greater levels of security at all points within these complex and varied network environments.  

Critical infrastructure networks (such as those carrying financial transactions or controlling power plants) clearly require increased protection. But even ‘lower level’ networks must take greater care to protect personal information that may be exposed during everyday transactions. Emerging network platforms in the cloud, home gateways, and the mobile enterprise have opened additional avenues for threats against data security and system performance.

Even the simple process of uploading a photo to the cloud – much less using it to transmit enterprise data – requires the image to be secure at the device level, in the cloud, and at all points between as it traverses the network itself.

As security threats continue to evolve and network providers vie for customers who want high-performance, seamless security at every point within the network, innovation at the silicon level is critical. Moving the compute-intensive parts of inspection, encryption and authentication into dedicated hardware is what lets a network element apply them to every packet at wire speed rather than to a sampled subset.

Enhancing Security Performance with Security-Optimized Communications Processors
Traditional processors are designed for general purpose processing and are therefore inefficient at security functionality, spending valuable cycles on computationally intensive operations such as encryption, hashing and pattern matching. This approach is costly in terms of power and board space. Without hardware acceleration engines for these compute-intensive functions, the work has to run on the processor cores, where it competes with the applications sharing those cores; making up the difference means adding more CPU cores, which translates into much higher power requirements. This inefficiency forces a significant trade-off: prioritize performance or security, or do a poor job on both. Moreover, general purpose processors typically lack integrated physical networking interfaces that can move traffic in and out of the chip at wire speed, so a complete design often requires a two- or three-chip solution.  

Security-optimized communications processors, on the other hand, combine high-performance processor cores with application-specific hardware accelerators that take on the heavy lifting of security functions while sustaining wire-speed throughput even under heavy load. With such a processor, system developers are no longer forced to size the design around the worst-case cost of security processing on the cores; the security work is dimensioned by the accelerators instead. For example, where a 10 Gigabit network device might once have degraded under unusual or malicious traffic, dropping to as little as 1 Gigabit of effective throughput, integrated hardware-based security accelerators can absorb the attack traffic while continuing to forward legitimate packets at the 10 Gigabit wire speed.

Security-optimized processors are becoming essential in network design; they leverage advances in architecture, process technology and integration to enable flexible functionality without compromising performance, all while maintaining acceptable power and cost profiles. Integrated accelerator engines, high-speed network interfaces, and deep packet inspection (DPI) functionality with RegEx and grammar engines, combined with high-performance CPUs, offer much greater security while ensuring network performance at wire speed.

The overarching concept is that implementations built on highly integrated security-optimized processors do not restrict users to one or two fixed protocols. Instead, depending on the usage model, different stages of a protocol's processing (for example the cipher and hash operations, or the payload pattern matching) can be offloaded to accelerator engines while the remaining protocol logic stays in software on the cores, giving a more flexible level of security.

Security-optimized communications processors deliver dramatic advances in Layer 7 DPI at wire speed, inspecting the full content of every packet as it moves through the system instead of viewing just the headers. This is significantly more effective at catching threats, and is analogous to viewing the contents of an envelope rather than just the address on the outside. One practical caveat: DPI can only inspect content it can see in the clear, so for encrypted traffic the inspection point has to sit where the traffic is decrypted, which is one reason the encryption and inspection engines belong on the same device.

Integrated Regular Expression (RegEx) engines enable an intelligent and efficient way to represent rules within DPI databases. The most straightforward example is a virus signature. A system that watches for one exact byte sequence representing a known virus is easily defeated, because viruses evolve quickly: a variant whose bytes are altered even slightly no longer matches the fixed string and makes its way through the system, or forces the database to grow by one entry per variant, slowing down the matching process. Expressing the signature as a regular expression lets a single rule cover a whole family of variants, so the database is both smaller and smarter, further assuring the speed and efficiency of the DPI engine. Because the rule database lives in memory and can be updated dynamically, new rules take effect without interrupting traffic.

In addition to the RegEx engines, integrated grammar processing engines are an important element in defining a security-optimized communications processor. The grammar engine parses the protocol structure of a packet first, so that each field is pre-processed and routed only to the RegEx engines and rule sets that apply to it, rather than running every rule against every byte. This enhances processing efficiency and effective throughput.
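The following is an added example, not code from the article or from Broadcom, that illustrates the two ideas in the last two paragraphs in software: a rule database in which a regular expression catches signature variants that a fixed byte string misses, and a grammar (protocol-parsing) stage that classifies each payload before dispatching it only to the rule set that applies. All payloads, rule names and patterns are constructed for the demonstration; they are not real malware signatures.

```python
"""Toy DPI rule engine: regex rules plus a protocol pre-classification stage.

Constructed example. The payloads and signatures below are invented for
illustration and do not correspond to real malware.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # rule set this rule belongs to: "http" or "any"
    pattern: bytes  # regex applied to raw payload bytes


# Constructed rule database. The fixed-string rule matches exactly one
# variant of the (invented) download request; the regex rule tolerates
# case changes, extra whitespace, a version suffix and alternate extensions,
# i.e. the "altered bitstream" the text describes.
RULES = [
    Rule("evil-dl-fixed", "http", rb"GET /dropper\.exe"),
    Rule("evil-dl-regex", "http",
         rb"(?i)GET\s+/dropper(?:_v\d+)?\.(?:exe|scr|bin)\b"),
    Rule("shell-marker", "any", rb"/bin/(?:ba)?sh\s+-c\b"),
]
COMPILED = {r.name: re.compile(r.pattern) for r in RULES}

# Grammar stage: a cheap structural check for an HTTP/1.x request line.
# HTTP method tokens are case-sensitive, so this deliberately does not use (?i).
_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Return the protocol class the payload parses as ("http" or "other")."""
    return "http" if _HTTP_REQUEST_LINE.match(payload) else "other"


def rules_for(proto: str) -> list[Rule]:
    """Only rules in the matching set (plus protocol-agnostic ones) are run."""
    return [r for r in RULES if r.proto in (proto, "any")]


def inspect(payload: bytes) -> list[str]:
    """Classify the payload, then run only the applicable regex rules."""
    hits = []
    for rule in rules_for(classify(payload)):
        if COMPILED[rule.name].search(payload):
            hits.append(rule.name)
    return hits


# Constructed sample payloads.
SAMPLES = {
    "known-variant": b"GET /dropper.exe HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    "new-variant":   b"GET  /Dropper_v2.SCR HTTP/1.0\r\nHost: cdn.example\r\n\r\n",
    "benign-http":   b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "raw-shell":     b"\x00\x01echo hi; /bin/sh -c 'id'\n",
}


def scan_all() -> dict[str, list[str]]:
    return {name: inspect(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:14s} -> {hits or 'clean'}")
```

The known variant trips both rules, but the renamed and re-cased variant is caught only by the regex rule; the raw shell payload never enters the HTTP rule set at all, which is the work the grammar stage saves. A hardware engine does the same dispatch and matching in silicon; this software version only shows the logic.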

The Importance of Best-in-Class CPU Cores
In addition to the security hardware accelerators, communications processors require best-in-class CPU cores. These cores must deliver the highest computational performance for both control-plane and data-plane processing. An example of a high-performance, intelligent CPU core is one with a multi-issue, multi-threaded architecture and superscalar out-of-order execution. The author's claim is that such a core delivers 3-4x the performance of a traditional embedded CPU at the same power profile. Combining several of these high-performance cores with best-in-class security accelerators ultimately delivers the performance and power profile required for next generation network security.

Figure 1: With communications-optimized processors, advanced levels of security can be achieved with little or no load on the CPU cores, because capabilities such as encryption, decryption, authentication and DPI are already built into the hardware and consume accelerator cycles rather than core cycles.  

Greater Network Security is the Bottom Line
Security solutions are evolving, advancing in the form of more intelligent communications processors with the ability to secure traffic while improving overall performance.  Security-optimized processors can reside anywhere in the network (edge, metro, core), delivering a range of encryption, authentication and real-time inspection for security threats to assure the integrity and privacy of networks and of the data traversing them.

The ability to perform full cross-packet content inspection at wire speed is essential to enabling original equipment manufacturers (OEMs) to deliver new levels of performance and functionality.
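As an added example (not part of the original article), the script below shows why "cross-packet" matters: a signature that straddles a TCP segment boundary is invisible to a scanner that looks at each packet on its own, and is caught either by reassembling the stream or by carrying a bounded tail of the previous segment into the next scan, which is the memory-efficient form a wire-speed engine would use. The HTTP stream, the signature and the maximum signature length of 64 bytes are all constructed assumptions for the demonstration.

```python
"""Per-packet vs cross-packet content inspection on a constructed stream.

Constructed example: the payload and signature are invented for illustration.
"""
from __future__ import annotations

import re

# Invented signature: a command-line pattern inside an HTTP POST body.
SIGNATURE = re.compile(rb"cmd\.exe\s+/c\s+powershell")

# Assumed upper bound on how long any signature in the database can be.
# Hardware engines bound this by design; here it is just a constant.
MAX_SIG_LEN = 64

# Constructed application stream as it would appear after TCP delivery.
STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"
    b"run=cmd.exe /c powershell -nop -w hidden -enc QUJD"
)


def split_at(stream: bytes, cut_points: list[int]) -> list[bytes]:
    """Cut a byte stream into 'segments' at the given offsets."""
    segments, prev = [], 0
    for cut in cut_points:
        segments.append(stream[prev:cut])
        prev = cut
    segments.append(stream[prev:])
    return segments


def scan_per_packet(segments: list[bytes]) -> bool:
    """Naive approach: each segment is inspected in isolation."""
    return any(SIGNATURE.search(seg) for seg in segments)


def scan_reassembled(segments: list[bytes]) -> bool:
    """Full reassembly: simple, but buffers the whole flow."""
    return SIGNATURE.search(b"".join(segments)) is not None


class CarryOverScanner:
    """Streaming scanner that keeps only the last MAX_SIG_LEN-1 bytes.

    A match is reported once, when its final byte arrives, so a signature
    that sits entirely inside the retained tail is not counted again.
    """

    def __init__(self, pattern: re.Pattern[bytes], max_sig_len: int) -> None:
        self.pattern = pattern
        self.keep = max_sig_len - 1
        self.tail = b""

    def feed(self, segment: bytes) -> bool:
        data = self.tail + segment
        boundary = len(self.tail)
        hit = any(m.end() > boundary for m in self.pattern.finditer(data))
        self.tail = data[-self.keep:] if self.keep else b""
        return hit


def signature_start() -> int:
    m = SIGNATURE.search(STREAM)
    assert m is not None
    return m.start()


def demo() -> dict[str, object]:
    start = signature_start()
    # Cut inside the signature ("cmd.ex" | "e /c powershell ..."), then once more
    # near the end so a third segment arrives after the match is complete.
    split_inside = split_at(STREAM, [start + 6, len(STREAM) - 4])
    # Cut just before the signature so it lies entirely within one segment.
    split_before = split_at(STREAM, [start])

    scanner = CarryOverScanner(SIGNATURE, MAX_SIG_LEN)
    carry_over_hits = sum(scanner.feed(seg) for seg in split_inside)

    return {
        "per_packet_split_inside": scan_per_packet(split_inside),
        "per_packet_split_before": scan_per_packet(split_before),
        "reassembled_split_inside": scan_reassembled(split_inside),
        "carry_over_hits": carry_over_hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

With the boundary inside the signature, per-packet scanning reports clean while both cross-packet methods report the hit; move the boundary and per-packet scanning happens to catch it, which is exactly the inconsistency an attacker can exploit by controlling segment sizes. The carry-over scanner reports the match exactly once across three segments while holding at most 63 bytes of state per flow.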

Also See
Embedded systems security
Hack this: secure embedded systems

About the Author
Chris O’Reilly serves as senior director of Marketing for Broadcom’s Processors and Wireless Infrastructure Group, responsible for product marketing, technical marketing, product definition and business partnerships. Previously, O’Reilly served as vice president of Marketing and senior director of Sales for the Asia Pacific region at NetLogic Microsystems. Prior to NetLogic, O’Reilly served as product marketing manager at Hitachi, where he was responsible for the ASIC, microprocessor and microcontroller product lines. He holds a B.S. degree in electrical engineering from the California Polytechnic State University in San Luis Obispo.