SolarSecure Provides Network Protection and Application Segmentation with a Hardware Firewall on Every Server

By providing the first and last line of defense at the threshold of the server, SolarSecure stops threats from penetrating the data center and moving around inside it, while avoiding the shortcomings of software-only solutions, which can be compromised through code vulnerabilities.

Built on Solarflare Network Interface Cards (NICs)


SolarSecure is delivered as a turn-key solution comprising two tightly integrated parts: the ServerLock NIC, which provides a hardware firewall in every server, and Domain Fortress, the centralized command and control software and user interface.

Hardware application segmentation has unique advantages

Every packet, every server

Validates every packet in the data center – SolarSecure’s distributed hardware architecture is inherently high-capacity and scalable, giving every server its own protection

Ultra low latency firewall

No compromise on latency – firewalling adds less than 250ns to NIC latency, which is 10x faster than any firewall appliance

Secure by design

Hardware-based solution with no software on the host server – it cannot be attacked or disabled, even with root permission

ServerLock

ServerLock is the hardware firewall on Solarflare’s NICs. It protects the network by checking every packet before it enters or leaves the server.


Packets filtered in hardware

The hardware filter looks at millions of headers every second, deciding whether to allow or drop each packet. Filtering is offloaded onto the NIC and does not have a software component on the host server that might add a security risk or might compromise latency performance.

  • Software configurable filtering tables

  • Filter Tx and Rx packets, based on layer 2, layer 3 and layer 4 header fields

  • Filter for IP address, port number, IP protocol and Ethernet protocol

  • Filter on IP address subnets

Firewall capability

ServerLock delivers a dedicated firewall in every server. Thousands of firewall rules can be configured to enforce whitelist or blacklist rules, at ultra-low latency.

  • Implement whitelist and/or blacklist filters

  • Configurable to enforce firewalling (drop packets) and/or monitor traffic

  • Supports 5,000 filters and 1,000 counters

  • Low-latency data path – filtering adds less than 250ns

  • Allows separate filtering for TCP client and TCP server applications (to support “Established” firewall rule semantics)

  • New network flows are discovered and reported

  • Isolate a server by switching quickly to an alternative rule set

Configurations supported

ServerLock works with a range of configurations, as do all Solarflare products.

  • Supports VLANs, bonded ports and multiple adapters per server

  • Supported configurations include bare-metal, containers and virtualization

  • Driver support for Linux, Windows, VMware, KVM and Hyper-V

  • Compatible with other Solarflare products, including Onload, TCP Direct, and Precision Timing Protocol software

  • Runs on SFN8000 series NICs and later

Domain Fortress

Domain Fortress is the user interface and controller for ServerLock. It identifies and eliminates threats that hide in the mass of data center traffic.

Learning and Setup

Traffic flows within the data center can be so numerous that threats can hide in plain sight. Domain Fortress learns the valid application flows and guides you to match them to security policies. Easy visualization helps you manage hundreds of server firewalls in minutes. Unmanaged flows are highlighted as exceptions to the established setup.

Protect and Monitor

When traffic does not match the security policy, it is listed in the security event log and displayed visually. For example, a financial trading server attempts to establish an SSH connection into another network tier, trying unsuccessfully to connect to a number of machines. This is immediately highlighted to the security team for review – it may be a legitimate system administrator action, or it may well be the start of an attack.
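The following is an added example, not Solarflare code: a small Python model of the per-server policy decisions described under Firewall capability and in the two sections above (Tx/Rx filters on subnet, port and IP protocol; ordered whitelist and blacklist rules; per-rule counters; monitor versus enforce mode; "established" semantics via separate TCP client and TCP server rules; and unmanaged flows reported as exceptions). The sample policy and all addresses are constructed for the example; the class and rule names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Packet:                 # what the NIC-side filter sees for one packet
    direction: str            # "rx" = into the server, "tx" = out of the server
    remote: str               # the other host's IP address
    proto: str                # "tcp", "udp", "icmp"
    local_port: int = 0
    remote_port: int = 0
    syn: bool = False         # True for a bare TCP SYN (a new connection attempt)
@dataclass
class Rule:
    name: str
    direction: str                 # "rx" or "tx"
    proto: str
    remote_net: str = "0.0.0.0/0"  # subnet filter on the remote address
    local_port: int = 0            # 0 = any port
    remote_port: int = 0
    role: str = "any"              # "server": peer connects to us; "client": we connect out
    action: str = "allow"          # whitelist ("allow") or blacklist ("drop") entry
class ServerLockModel:
    def __init__(self, rules, mode="enforce"):     # "enforce" drops, "monitor" only reports
        self.rules, self.mode, self.events = rules, mode, []   # events: unmanaged flows
        self.counters = {r.name: 0 for r in rules}             # per-rule hit counters

    def _matches(self, r, p):
        if (r.direction != p.direction or r.proto != p.proto or ip_address(p.remote) not in ip_network(r.remote_net)
                or r.local_port not in (0, p.local_port) or r.remote_port not in (0, p.remote_port)):
            return False
        # Established semantics: a "server" rule never lets this host open a TCP connection, and a "client" rule never accepts one from the network
        if p.proto == "tcp" and p.syn and r.role == ("client" if p.direction == "rx" else "server"):
            return False
        return True

    def decide(self, p):
        for r in self.rules:          # first matching rule wins
            if self._matches(r, p):
                self.counters[r.name] += 1
                return r.action
        self.events.append(p)         # out-of-policy flow: reported as an exception for review
        return "drop" if self.mode == "enforce" else "allow"

# Constructed sample policy for a trading server (hypothetical addresses): UDP market data in, SSH in only from an admin subnet, outbound HTTPS to an exchange gateway subnet
TRADING_RULES = [
    Rule("feed-in", "rx", "udp", "10.1.0.0/16", local_port=9000),
    Rule("ssh-in", "rx", "tcp", "10.9.9.0/24", local_port=22, role="server"),
    Rule("ssh-reply", "tx", "tcp", "10.9.9.0/24", local_port=22, role="server"),
    Rule("exchange-out", "tx", "tcp", "10.2.0.0/16", remote_port=443, role="client"),
    Rule("exchange-reply", "rx", "tcp", "10.2.0.0/16", remote_port=443, role="client"),
]
```

In enforce mode an unmatched flow (such as the trading server trying SSH into another tier) is dropped and recorded; in monitor mode it passes but is still recorded for review.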

User Interface

  • A graphical user interface guides you through a standard work-flow

  • Organize servers into groups of similar function

  • Out-of-policy traffic flows are highlighted as risks for review by the security team

  • Build and test security policies based on the least permission required by applications

  • Configurable security stance: monitor traffic, enforce firewalling or isolate a compromised server

  • A command line interface enables integration with your automated work-flows

Command and Control Functions

  • Discover application traffic flows

  • Identify servers on the network

  • Bind ServerLock NICs to Domain Fortress – establishing a domain of trust that is extended to every server in your network

  • Scales to protect thousands of servers

  • Auditable activity logs

  • Version control for security policies

  • NIST-approved cryptographic algorithms – architecture validated by third-party security researchers

  • Penetration tested

Secure by Design

ServerLock is designed to be the most secure NIC available for commercial deployments.

Host Secured

  • ServerLock has no software running on the local server – there is zero attack surface on the host

  • An attacker with root permission cannot modify or disable ServerLock

Firmware Secured

  • Regular in-field updates to fix issues and upgrade features

  • Firmware updates are signed by Solarflare, so malicious code cannot be executed by the NIC

Command/Control Secured

  • Secure command and control framework using TLS 1.2

  • Authentication of both sides using digital certificates, with ECDSA signatures on the ECC secp384r1 curve

  • Communications encrypted using AES

  • Binding ServerLock to Solarflare’s secure control software enforces remote control only and disables local control over the PCIe interface

NIC Secured

  • NIC private key generated during manufacture and never revealed

  • Tamper-resistant fuse technology stores secrets on our communications ASIC

  • Integrity check for information stored in flash, including executable code and configuration data