Embedding Hardware Security at the Edge

Article By : Gary Hilson

Ethernet gear helps keep data secure at the edge while keeping up with CPU performance...

The days of building a moat around the castle to keep data secure were long gone before the pandemic led to a surge in remote work. With the enterprise network no longer rooted in a single place, every connection needs to be secured in line with increased server connectivity bandwidth requirements of cloud and edge computing.

With 800 Gigabit Ethernet (GbE) expected to be broadly deployed across data centers, enterprise and carrier networks for reduced latency and faster data processing, safeguarding data communications must keep pace with data transfer speeds that are working hard to keep up with CPUs.

But security can’t put constraints on bandwidth either, said Neeraj Paliwal, general manager and vice president of Rambus’ security business. The company recently announced its 800G MACsec Protocol Engine, which is aimed at securing the L2 Data Link Layer, where device-to-device communication begins, while the L1 Physical Layer takes care of the encoding. Each layer depends on the integrity of the layers below it, he said, and attacks that exploit L2 vulnerabilities, such as spoofing, denial of service, eavesdropping and “Man-in-the-Middle” attacks, may not be detected by security at higher layers.

Rambus’ 800G MACsec Protocol Engine secures terabit switches with aggregate throughput at full line rate up to 800 Gbps because security is embedded at the hardware level

Rambus’ 800G MACsec Protocol Engine protects data in motion using Layer 2 security anchored in hardware, said Paliwal, and can be easily integrated into networking SoCs and ASICs. One use case would be to secure terabit switches, where a subset of all terabit traffic needs to be secured. He said the company’s multiport MACsec engine can service a flexible number of ports with aggregate throughput at full line rate up to 800 Gbps because it’s embedded at the hardware level, which enables it to support real-time applications.

As the big cloud companies continue to grow, new startups pop up and computer architecture gets more heterogeneous, said Paliwal, there’s also a push for devices to become smarter with more data pushed to the edge, which raises privacy and latency concerns. This is compounded by 5G, which is enabling these devices and processing to happen at the edge.

“Cloud companies are starting to see if they don’t focus security on the edge and the connected devices, then no matter what they do in implementing security on their data infrastructure in the data centers, it will never be fully secure,” he said. “And that’s why you see companies like Microsoft implement and start a new group called Azure Sphere, which focuses on security.”

Nvidia-Mellanox’s latest SmartNIC can do decryption on the fly by using IPsec in-line cryptography, allowing accelerators to perform as designed

Nvidia-Mellanox’s latest SmartNIC, meanwhile, is designed to meet the needs of modern data centers, where 25Gb/s connections are becoming standard for handling demanding workflows, such as enterprise applications, artificial intelligence (AI) and real-time analytics.

“There’s a massive shift now to 25Gb that’s really driving the market,” said Nvidia Mellanox vice president of marketing Kevin Deierling. “A lot of people are underpowering the network part of the servers. What we see is brand new servers with the latest greatest processors coming out at 1Gb and best 10Gb in terms of the network connectivity. It simply doesn’t make sense.”

Aside from needing to fuel these servers with connectivity commensurate with the power of the CPUs and GPUs, there’s a need to secure the data, said Deierling, which is why Nvidia-Mellanox is claiming its ConnectX-6 Lx is the world’s first 25Gb secure SmartNIC. It includes IPsec in-line cryptography with hardware-accelerated engines to offload more security and network processing from CPUs. Also built into the device is a secure Hardware Root of Trust, which enables other features such as secure boot, firmware updates and anti-rollback protection. Other features include XTS-AES key management, PCIe 3 and 4 support, and RDMA over Converged Ethernet (RoCE) support.

Deierling said Nvidia-Mellanox’s success in the Ethernet adapter market to date can be attributed to the security features of its SmartNIC offerings. “If you want to run RoCE or if you want to run accelerated switching at packet processing, you need to look at the data inside of the IP packet,” said Deierling. “And if everything is encrypted, then it’s just a bunch of gobbledygook with ones and zeros and we can’t do all of the accelerations.” By having IPsec engines in-line, decryption can be done on the fly, he said, so all the accelerators being implemented and integrated into platforms such as VMware, Linux and Microsoft can perform as designed.

Nvidia’s latest SmartNIC comes at a time when the market for Ethernet adapters with speeds of 25 gigabits (25GE) and faster, deployed by enterprises, cloud service providers and telecommunication network providers at data centers, was $1.7 billion in 2019, according to research firm Omdia. It was the first time the market broke the billion-dollar mark, driven by growth in data sets and the adoption of new software technologies that must examine large data sets, including artificial intelligence and machine learning.

More than a quarter of the market last year was due to 25GE Ethernet adapters. A small portion of the market is represented by 100GE Ethernet adapters, according to Omdia. Cloud service providers are leading the transition to faster networks, and Omdia expects telcos to invest more in higher speeds, including 100GE, to handle increased demands from network function virtualization (NFV) and increased bandwidth requirements from HD video, social media, AR/VR and expanded IoT use cases.

Despite the economic impact of the COVID-19 pandemic, the research firm expects the current growth curve for Ethernet adapter revenue to continue through 2020, at 21 percent on average each year through 2024.
