Every commercial business, every governmental agency, every non-profit entity, and everyone else currently faces network security challenges and those challenges grow daily as cybercriminals continually hone their skills. The increase in the number of viruses, Trojans, worms, and other malware; the growth in distributed denial-of-service (DDoS) attacks; the expansion of the Internet into mobile and IoT devices; and the constant increase in data-center line speeds from 1 to 10, 25, and 40 Gbps further complicate the challenges associated with network security. Ensuring and maintaining network security in the face of the resulting data tsunami demands the use of specialized hardware and software.
Network security hardware and software have developed along two parallel tracks. The first track is built on custom hardware developed by a cybersecurity OEM; it is expensive. The second track is built on off-the-shelf servers and open-source security software, including several well-known applications:
- Zeek (formerly Bro): Zeek is a powerful network analysis and intrusion detection framework that records hundreds of metadata fields about each network connection. This metadata gives deep visibility into network traffic and is the raw material for spotting anomalous or suspicious behavior.
- Suricata: Suricata is a mature, open-source network threat-detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline processing of captured packets (pcap files).
- Snort: Snort is an open-source network intrusion detection and prevention system (IDS/IPS) that performs real-time traffic analysis and packet logging on IP networks. It performs protocol analysis and content searching/matching and can detect a variety of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, Server Message Block (SMB) probes, and OS fingerprinting attempts.
- ntop n2disk and nProbe Cento: ntop n2disk and ntop nProbe Cento are, respectively, a network traffic recorder and a high-speed traffic-analysis probe that can keep pace with 1/10/100 Gbps Ethernet connections.
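To make the Zeek description concrete, here is an added example (not code from this page or from the Zeek project) that parses a conn.log excerpt in Zeek's TSV format and flags a source that probes many distinct TCP ports without ever completing a handshake, the simplest behavioral anomaly the connection metadata exposes. The log lines, the `NO_HANDSHAKE` state set, the thresholds and the column subset are constructed for the illustration; the parser keys on Zeek's `#fields` header, so it reads a full conn.log the same way.

```python
"""Spot a TCP port scan in Zeek conn.log metadata.

Added example; not code from this page or from the Zeek project. The log
excerpt is constructed and carries only a subset of conn.log's columns.
"""
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV format (not a real capture).
# 10.0.0.5 probes six ports on 10.0.0.20 inside one second and never gets a
# handshake (S0 = SYN seen, no reply; REJ = SYN answered with RST).
# 10.0.0.7 has two ordinary TLS sessions (SF = normal setup and teardown).
SAMPLE_CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
1600000000.10\tCa1\t10.0.0.5\t51000\t10.0.0.20\t22\ttcp\t-\t0.000\t0\t0\tS0\tS
1600000000.20\tCa2\t10.0.0.5\t51001\t10.0.0.20\t23\ttcp\t-\t0.000\t0\t0\tS0\tS
1600000000.30\tCa3\t10.0.0.5\t51002\t10.0.0.20\t25\ttcp\t-\t0.000\t0\t0\tREJ\tSr
1600000000.40\tCa4\t10.0.0.5\t51003\t10.0.0.20\t80\ttcp\t-\t0.000\t0\t0\tS0\tS
1600000000.50\tCa5\t10.0.0.5\t51004\t10.0.0.20\t443\ttcp\t-\t0.000\t0\t0\tS0\tS
1600000000.60\tCa6\t10.0.0.5\t51005\t10.0.0.20\t8080\ttcp\t-\t0.000\t0\t0\tS0\tS
1600000001.00\tCb1\t10.0.0.7\t40000\t93.184.216.34\t443\ttcp\tssl\t2.310\t1240\t5320\tSF\tShADadFf
1600000002.00\tCb2\t10.0.0.7\t40001\t93.184.216.34\t443\ttcp\tssl\t1.100\t900\t4100\tSF\tShADadFf
1600000003.00\tCc1\t10.0.0.9\t52000\t10.0.0.21\t3389\ttcp\t-\t0.000\t0\t0\tREJ\tSr
"""

# Connection states meaning the responder never completed a TCP handshake.
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Return one dict per record, keyed by the column names in #fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek header/footer lines
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def find_port_scanners(records, min_ports=5, window=60.0):
    """Map source host -> largest number of distinct responder ports it hit
    without a handshake inside any `window`-second span, for hosts that
    reach `min_ports`."""
    attempts = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in NO_HANDSHAKE:
            attempts[r["id.orig_h"]].append((float(r["ts"]), int(r["id.resp_p"])))
    scanners = {}
    for src, events in attempts.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners


def scan_report(text, **kwargs):
    """Parse a conn.log and return the port-scan candidates."""
    return find_port_scanners(parse_conn_log(text), **kwargs)


if __name__ == "__main__":
    for src, n in scan_report(SAMPLE_CONN_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports, no handshake")
```

The same approach scales to the other conn.log fields the page alludes to (bytes transferred, duration, service), and a production rule would also key on the responder host and weight REJ against S0.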
The open-source track is much less expensive than the custom-hardware track, but CPU-based servers are hard-pressed to keep pace with traffic growth: a CPU-based server running open-source security software on live traffic tops out at about 15 Gbps, and virtually every data center needs more than that.
Handling larger loads with multiple CPU-based security servers requires a load balancer to split the incoming traffic into appropriately sized streams and distribute them across the servers. Multiplying the servers drives up the cost of adding security, and the load balancer adds still more.
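A practitioner's caveat on that load balancer: an IDS such as Suricata or Zeek reassembles TCP streams, so the split must keep both directions of every connection on the same sensor, which means hashing the flow tuple in a direction-independent way. The following is an added example, not Napatech's code or any NIC's firmware. It implements the Toeplitz hash that receive-side scaling (RSS) uses and shows that the key decides whether a client's SYN and the server's SYN-ACK land on the same sensor. The symmetric key is the repeated 0x6d5a pattern from Woo and Park's symmetric RSS work; the contrasting `SRC_ONLY_KEY`, the sample addresses and the modulo sensor selection are constructed for the illustration.

```python
"""Direction-independent flow hashing for splitting traffic across IDS sensors.

Added example, not Napatech's code or any NIC's firmware. It implements the
Toeplitz hash used by receive-side scaling (RSS) and shows that the hash key
decides whether both directions of a TCP connection reach the same sensor.
"""
import ipaddress
import struct

# Symmetric RSS key: the 16-bit pattern 0x6d5a repeated to 40 bytes
# (Woo & Park, "Scalable TCP Session Monitoring with Symmetric RSS").
# A 16-bit-periodic key makes the hash invariant under swapping src/dst
# addresses (a 32-bit shift) and src/dst ports (a 16-bit shift).
SYMMETRIC_RSS_KEY = bytes.fromhex("6d5a" * 20)

# Constructed bad key for contrast: only its first 32 bits are set, so the
# hash depends on the source address alone and a reply lands elsewhere.
SRC_ONLY_KEY = b"\xff\xff\xff\xff" + bytes(36)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Standard Toeplitz hash: for every set bit i of `data` (bits numbered
    from the MSB), XOR in the 32-bit window of `key` that starts at bit i."""
    key_bits = len(key) * 8
    if key_bits < len(data) * 8 + 32:
        raise ValueError("RSS key too short for this input length")
    key_int = int.from_bytes(key, "big")
    result = 0
    for byte_index, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                pos = byte_index * 8 + bit
                result ^= (key_int >> (key_bits - 32 - pos)) & 0xFFFFFFFF
    return result


def flow_tuple(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Pack an IPv4 4-tuple in the order RSS hashes it: src, dst, sport, dport."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))


def sensor_for(key: bytes, src_ip: str, dst_ip: str, src_port: int,
               dst_port: int, n_sensors: int) -> int:
    """Choose a sensor for one packet. NICs index an indirection table with
    the low hash bits; modulo stands in for that here."""
    return toeplitz_hash(key, flow_tuple(src_ip, dst_ip, src_port, dst_port)) % n_sensors


def keeps_flow_together(key: bytes, src_ip: str, dst_ip: str, src_port: int,
                        dst_port: int, n_sensors: int = 4) -> bool:
    """True if a packet and its reply (addresses and ports swapped) are
    steered to the same sensor, which TCP reassembly on the sensor needs."""
    fwd = sensor_for(key, src_ip, dst_ip, src_port, dst_port, n_sensors)
    rev = sensor_for(key, dst_ip, src_ip, dst_port, src_port, n_sensors)
    return fwd == rev


if __name__ == "__main__":
    # Constructed session: client 192.168.1.10:40000 -> server 10.0.0.80:443.
    for name, key in (("symmetric", SYMMETRIC_RSS_KEY), ("src-only", SRC_ONLY_KEY)):
        syn = sensor_for(key, "192.168.1.10", "10.0.0.80", 40000, 443, 4)
        syn_ack = sensor_for(key, "10.0.0.80", "192.168.1.10", 443, 40000, 4)
        print(f"{name:9} key: SYN -> sensor {syn}, SYN-ACK -> sensor {syn_ack}")
```

With the symmetric key both halves of the session always hash identically; with the source-only key the SYN and SYN-ACK go to different sensors and neither sees a complete stream. The same check applies whether the split happens in a separate load balancer, in a SmartNIC, or in a multi-queue NIC feeding several Suricata worker threads on one server.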
Napatech has developed a middle path based on its own accelerated implementations of the open-source cybersecurity applications, which have been performance-boosted by an FPGA-based accelerator card – specifically an Intel® Programmable Acceleration Card (PAC) with Intel Arria® 10 GX FPGA.
Because the FPGA-based acceleration in the Intel PAC with Intel Arria 10 GX FPGA is general-purpose, Napatech can also accelerate other network applications, including:
- TRex: TRex is an open-source, stateful and stateless traffic generator based on the Data Plane Development Kit (DPDK). TRex generates Layer 4 through Layer 7 traffic based on pre-processing and the use of real traffic templates for smart replay.
- Wireshark: Wireshark is a widely used network protocol analyzer that provides a microscopic view of network activity. It is the de facto (and often de jure) protocol analysis standard, used by many commercial and non-profit enterprises, government agencies, and educational institutions.
The Intel Arria 10 FPGA in the Intel PAC accelerates critical cybersecurity and other networking applications and allows one properly equipped server to handle 40-Gbps traffic at full speed without dropping packets. The current acceleration statistics are:
- Suricata – accelerated by 4X
- n2disk – accelerated by 3X
- TRex – accelerated by 4X
- Wireshark – accelerated by 7X
Intel® Programmable Acceleration Card (PAC) with Intel Arria® 10 GX FPGA
The Napatech Link™ Capture Software for Intel Programmable Acceleration Card with Intel Arria 10 GX FPGA transforms the Intel accelerator card into a SmartNIC that runs numerous accelerated cybersecurity and other networking functions based on the open-source applications listed above. A data center operator can pick and choose the needed cybersecurity applications based on specific requirements.
Note: The programmable nature of the Intel Programmable Acceleration Card with Intel Arria 10 GX FPGA allows the card to be used for many networking applications beyond cybersecurity, as demonstrated by Napatech’s accelerated implementations of TRex (4X acceleration) and Wireshark (7X acceleration).
For even more detailed information about cybersecurity, see Napatech’s White Paper titled “You can’t secure what you can’t see: Discover the value of network visibility for cybersecurity.”