A Hyperscale Architecture

With millions of servers inside their data centers, hyperscale cloud service providers need a security solution they can trust, that is affordable, and which can scale. The answer for Google is to instrument thousands of servers with their own security chips delivering line-speed packet inspection, that cannot be hacked even with root access to the server OS, and which allow network engineers to define application-specific firewall policies down to a single server.

Now Available for the Enterprise

Solarflare is bringing hyperscale security to the enterprise. Server security that today depends on appliances and FPGA cards costing thousands of dollars each becomes a capability that is "just there" on every standard NIC, addressable across a market of roughly 10 million servers shipped per year. SolarSecure can be enabled alongside standard Ethernet NIC operation, application acceleration, monitoring and packet capture on the same Solarflare XtremeScale Smart NIC.

Firewall appliances are great for “outside” the data center

Typically, the primary focus of data center security is managing north-south traffic in and out of the environment. Traffic running east-west between servers is often protected by hair-pinning it back through the perimeter firewalls. This backhauling is inefficient: it adds congestion, hops, and latency to the network, and any east-west flow that does not traverse the firewall goes uninspected.

NIC-based security is great for “inside” the data center

The singular focus of NIC-based security is protection inside the data center. The result is application-level micro-segmentation of the network down to a specific VM or container workload. Because the filtering hardware sits on the NIC in every server, enforcement is fully distributed and runs at line rate, while policy remains centrally managed.

If the bad guys get in...

...SolarSecure hardware firewalls act like electronic door locks on every office (server).

“Our business is modernizing data security for scale-out environments,” said Mark Schreiber, General Manager at CDL. “With software defined network processing on every server, SolarSecure provides both the granularity and scalability we need in a security platform to cloak data lakes from prying eyes.”

“The whole challenge in providing a low-latency trading platform is to make the infrastructure as thin as possible,” said Dan Feldman, vice president of systems and network engineering at Trading Technologies. “Adding firewall appliances adds hops and latency. By placing a Smart NIC with SolarSecure in line with the transactions, we eliminate hops and deliver a similar security narrative.”

SolarSecure Product Overview

SolarSecure is a portfolio of security services shipped with every XtremeScale™ 8000 Series Solarflare NIC. Using the SolarSecure Manager, security policies can be micro-segmented, packet surveillance can be initiated, and a firewall can be configured for each local TCP/IP address, including learn and enforce modes, whitelisting or blacklisting, alerts, and cloaking a server by silently dropping packets that no rule permits.

Summary of Features & Benefits

An Important New Best Practice—Driven by hyperscale CSPs, the deployment of server firewalls is a new best practice for securing traffic inside the data center.

Secure Every Server—Because SolarSecure resides on a NIC that’s in every server, it’s time to think in terms of firewalling every server in the data center with its own monitoring, alerting and locking policy.

Tamper-Resistant—The hardware-based solution requires no agent software on the application servers: rules are held and enforced on the NIC and are pushed to it over the encrypted control channel between the NIC and the manager, not through the host OS. This makes SolarSecure highly tamper resistant, even against an attacker holding root on the server or switch OS; the management plane and that control channel become the trust boundary to protect.

Packet-Level Security Analytics—The XtremePacket Engine inside Solarflare NIC ASICs inspects every packet in real-time, and the network flow data is used by SolarSecure and third party software for packet-level security analytics.

Ultra Low Latency—Inspecting every packet adds less than 250ns of latency, 10x faster than firewall appliances. SolarSecure is also interoperable with Solarflare Onload™ kernel bypass software for application acceleration.

Highly Scalable—Scales to thousands of servers by simply enabling the firewall on your Solarflare NICs.

Open Architecture—Use SolarSecure management and analytics, or integrate with your framework of choice.

XtremePacket Engine Makes Machine Learning Possible

With the traffic-flow information provided by the XtremePacket Engine inside every XtremeScale Ethernet controller chip, Solarflare exposes flow data through software so that third-party security analytics and machine learning applications can consume it. SolarSecure can feed a security data lake with data about 100% of the packet traffic in a data center using a low-power, low-cost, standard form-factor NIC. Security data scientists have access to the data and to traffic engineering tools through open APIs.

SolarSecure Specifications

Firewall Capability

  • Implement unique whitelist or blacklist filters per local IP address.
  • Filter millions of headers every second, deciding whether to allow or drop each packet.
  • Filter on IP address, port number, IP protocol and Ethernet protocol.
  • Filter on IP address subnets.
  • Supports 5,000 filters and 1,000 counters.
  • Low latency data path – filtering adds less than 250ns.
  • Allows separate filtering for TCP client and TCP server applications (to support “Established” firewall rule semantics).
  • Isolate a server by switching quickly to an alternative rule set.
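The firewall semantics listed above (one rule set per local IP, learn then enforce, whitelist or blacklist, subnet/port/protocol matching, separate client and server rules so that an "Established" rule never admits a fresh inbound SYN, and a quick switch to an alternate rule set for isolation) can be modelled in a few dozen lines. The following is an added example written for this page, not Solarflare's code or the SolarSecure API: the `Packet`, `Rule` and `HostPolicy` names, the 5-tuple fields and all addresses are constructed for illustration.

```python
"""Model of a per-local-IP NIC firewall: learn/enforce modes, whitelist or
blacklist rule sets, subnet+port+protocol matching, client/server
("Established") semantics and an alternate isolation rule set.
Added example; not Solarflare's code. All names and addresses are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet; the NIC filters on headers only."""
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_syn_only: bool = False   # SYN without ACK = new inbound connection attempt


@dataclass
class Rule:
    remote: str                   # remote host or subnet, e.g. "10.0.9.0/24"
    proto: Optional[str] = None   # None matches any IP protocol
    port: Optional[int] = None    # local port for server rules, remote port for client rules
    role: str = "server"          # "server": we accept connections; "client": we opened them

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.remote, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.role == "server":
            return self.port is None or pkt.dst_port == self.port
        # "Established" semantics: a client rule admits replies on connections the
        # local host initiated, never a fresh SYN arriving from that remote.
        if pkt.proto == "tcp" and pkt.tcp_syn_only:
            return False
        return self.port is None or pkt.src_port == self.port


@dataclass
class HostPolicy:
    """Firewall state bound to one local IP address."""
    local_ip: str
    mode: str = "learn"            # "learn" records flows and allows; "enforce" applies rules
    kind: str = "whitelist"        # whitelist: match => allow; blacklist: match => drop
    rule_sets: Dict[str, List[Rule]] = field(
        default_factory=lambda: {"normal": [], "isolated": []})
    active: str = "normal"
    counters: Dict[str, int] = field(default_factory=dict)
    discovered: Set[Tuple[str, str, int]] = field(default_factory=set)

    def _count(self, key: str) -> None:
        self.counters[key] = self.counters.get(key, 0) + 1

    def filter(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for an inbound packet addressed to this host."""
        assert pkt.dst_ip == self.local_ip, "filters are bound per local IP"
        if self.mode == "learn":
            flow = (pkt.src_ip, pkt.proto, pkt.dst_port)
            if flow not in self.discovered:      # report new application flows
                self.discovered.add(flow)
                self._count("new_flows")
            return "allow"
        hit = next((r for r in self.rule_sets[self.active] if r.matches(pkt)), None)
        if hit is not None:
            self._count(f"{self.active}:{hit.remote}:{hit.role}:{hit.port}")
        verdict = ("allow" if hit else "drop") if self.kind == "whitelist" \
            else ("drop" if hit else "allow")
        if verdict == "drop":
            self._count("dropped")               # silent drop = cloaking
        return verdict

    def isolate(self) -> None:
        """Cut a suspect server off by switching to the (empty) alternate rule set."""
        self.active = "isolated"


def promote_learned_flows(host: HostPolicy) -> int:
    """Learn-then-enforce: turn each discovered inbound flow into a /32 server rule."""
    for src_ip, proto, dst_port in sorted(host.discovered):
        host.rule_sets["normal"].append(Rule(f"{src_ip}/32", proto, dst_port, "server"))
    return len(host.discovered)


def demo() -> Dict[str, str]:
    host = HostPolicy("10.0.0.5")
    # Learn phase on constructed normal traffic: two clients reaching our HTTPS service.
    host.filter(Packet("10.0.1.20", "10.0.0.5", "tcp", 51000, 443, tcp_syn_only=True))
    host.filter(Packet("10.0.2.9", "10.0.0.5", "tcp", 51001, 443, tcp_syn_only=True))
    promote_learned_flows(host)
    # This host also opens connections to a database subnet; allow only the replies.
    host.rule_sets["normal"].append(Rule("10.0.9.0/24", "tcp", port=5432, role="client"))
    host.mode = "enforce"
    out = {
        "learned_client": host.filter(Packet("10.0.1.20", "10.0.0.5", "tcp", 52000, 443, tcp_syn_only=True)),
        "unknown_client": host.filter(Packet("192.168.1.7", "10.0.0.5", "tcp", 40000, 443, tcp_syn_only=True)),
        "db_reply": host.filter(Packet("10.0.9.3", "10.0.0.5", "tcp", 5432, 44000)),
        # A compromised DB host sending SYN from source port 5432 is still refused.
        "db_host_syn": host.filter(Packet("10.0.9.3", "10.0.0.5", "tcp", 5432, 22, tcp_syn_only=True)),
    }
    host.isolate()
    out["after_isolate"] = host.filter(Packet("10.0.1.20", "10.0.0.5", "tcp", 52001, 443, tcp_syn_only=True))
    return out
```

The important design point is the `role` field: a stateless header filter cannot track connections, so "Established" is approximated by the SYN flag, as classic router ACLs did. Counters are keyed per rule so that the per-rule hit counts the specification lists can be read back for alerting, and isolation is a pointer swap to a prebuilt rule set rather than a rule-by-rule edit, which is what makes it fast.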

Management Capabilities

  • Manage security policies for the network, breaking down policies into individual firewall rules.
  • New application flows are discovered and reported.
  • Secure binding of NICs to ServerLock Manager establishes an encrypted control channel for policy distribution.
  • User alerts.
  • Security event management.

Configurations Supported

  • Bare-metal, containers and virtualization configurations supported.
  • Driver support for Linux, Windows, VMware, KVM and Hyper-V.
  • Compatible with other Solarflare products, including Onload, TCP Direct and Precision Timing Protocol software.
  • Runs on SFN8000 series NICs, and beyond.