Eric Ogren has a nice blog over at ComputerWorld, but his post this week left me shaking my head. Eric anticipates that the new generation of Intel and AMD chips with built-in security processing is going to change the playing field for security appliance manufacturers. More importantly, he states, “it is becoming increasingly difficult to justify the large engineering investments in custom-built ASICs or hardware that is not built on a standard platform”. This assertion couldn’t be further from the truth, and it doesn’t anticipate where all the emerging security services are ultimately headed. Security has become increasingly complex due to the sophistication of blended malware attacks, among other reasons. The increase in mobile systems, as well as non-employees on corporate networks, has reduced the effectiveness of the perimeter and requires security services within the network infrastructure. From Nevis’ perspective, the switch is the ideal security enforcement point because it can block threats in microseconds at the lowest common factor, the port. Existing departmental firewalls or out-of-band appliances cannot keep malware off the network because, by definition, the malware is already inside the corporate LAN before they even detect it. The future of LAN security is a fully secure access layer – both wireless and wired. Many of the people we speak to get this message. Secure switching at wirespeed is now a reality. Many of the traditional switch vendors understand this dynamic and are planning to build ‘stateful’, application-aware switches that are secure.
The challenge thus far in the market has been with performance. Obviously switches are blazingly fast and designed with performance and scalability in mind. LAN technologies require high performance and low cost. Traditionally, security products have been low performance and high cost. As security merges into the network fabric, secure switches need to remain cost competitive AND fast. Something has to give.
If you are going to layer in deep packet inspection and analysis, and do it on every packet, you can’t sacrifice the performance that people expect. Access layer switches are now shipping with multiple 10 Gbps interfaces. Many of the fastest IPS devices in the market struggle to cope with this level of traffic. Eric might be surprised to learn that the fastest Intel and AMD silicon can scale to ‘maybe’ 1 Gbps of traffic when running L4-L7 services. How then can we secure tens of gigabits per second of traffic at the access layer while keeping the switches cost-competitive? The only answer is the development of customized ASICs or multicore processors that have hardware acceleration for the key L4-L7 services.
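To make the line-rate argument concrete, here is a small capacity model (an added example, not code or figures from Nevis or from Eric’s post) that works out how many frames per second a link delivers at a given frame size, the per-frame time budget each processing unit has to hold wirespeed, and how many units a given per-frame inspection cost needs. The 600 ns per-frame cost for a general-purpose core is an assumed figure chosen only because it lands near the ‘maybe 1 Gbps’ quoted above.

```python
import math

# Ethernet on-the-wire overhead per frame: 7-byte preamble, 1-byte SFD,
# 12-byte inter-frame gap. Minimum-size (64-byte) frames are the worst case
# for per-packet inspection because they maximise frames per second.
ETH_WIRE_OVERHEAD_BYTES = 20


def frames_per_second(link_gbps: float, frame_bytes: int) -> float:
    """Maximum frames per second a link can carry at one fixed frame size."""
    bits_per_frame = (frame_bytes + ETH_WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / bits_per_frame


def per_frame_budget_ns(link_gbps: float, frame_bytes: int, units: int = 1) -> float:
    """Nanoseconds each of `units` parallel processing units may spend per frame
    and still keep up with line rate (work is assumed to spread evenly)."""
    return units * 1e9 / frames_per_second(link_gbps, frame_bytes)


def units_needed(link_gbps: float, frame_bytes: int, cost_ns_per_frame: float) -> int:
    """Smallest number of processing units that sustains line rate when each
    frame costs `cost_ns_per_frame` of L4-L7 inspection work."""
    return math.ceil(frames_per_second(link_gbps, frame_bytes) * cost_ns_per_frame / 1e9)


def sustainable_gbps(cost_ns_per_frame: float, frame_bytes: int, units: int = 1) -> float:
    """Line rate (Gbps) that `units` processing units can inspect without drops."""
    fps = units * 1e9 / cost_ns_per_frame
    return fps * (frame_bytes + ETH_WIRE_OVERHEAD_BYTES) * 8 / 1e9


if __name__ == "__main__":
    CORE_COST_NS = 600  # assumed per-frame cost of stateful L4-L7 inspection on one general-purpose core
    for gbps in (1, 10, 40):
        fps = frames_per_second(gbps, 64)
        print(f"{gbps:>3} Gbps @ 64B: {fps/1e6:6.2f} Mfps, "
              f"{per_frame_budget_ns(gbps, 64):7.1f} ns/frame budget, "
              f"{units_needed(gbps, 64, CORE_COST_NS)} cores at {CORE_COST_NS} ns/frame")
    print(f"one core at {CORE_COST_NS} ns/frame sustains {sustainable_gbps(CORE_COST_NS, 64):.2f} Gbps of 64B traffic")
```

With the assumed 600 ns per frame, one core tops out at roughly 1 Gbps of minimum-size frames, a single 10 Gbps port needs nine such cores, and a 40 Gbps aggregate needs thirty-six, which is the cost curve that pushes inspection into dedicated silicon.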
Nevis was built on the vision of high performance and low cost stateful services. Key to our success has been the development of our SuperNova™ security ASIC – which has 24 cores and 96 threads, architected to drive security services and application recognition. It might surprise Eric to learn that 10 of Intel’s fastest CPUs cannot keep up with 1 SuperNova. Don’t believe me? Listen to what one of our customers had to say.
10:1 price performance – now that’s impressive.