SolarSecure Provides Network Protection and Application Segmentation with a Hardware Firewall on Every Server
By providing the first and last line of defense at the threshold to the server, SolarSecure stops threats from penetrating the data center and moving laterally within it, avoiding the shortcomings of software-only solutions, which can be compromised through code vulnerabilities.
Built on Solarflare Network Interface Cards (NICs)
SolarSecure is delivered as a turn-key solution comprising two tightly integrated parts: the ServerLock NIC, which provides a hardware firewall in every server, and Domain Fortress, the centralized command-and-control software and user interface.
Hardware application segmentation has unique advantages
Every packet, every server
Validates every packet in the data center – SolarSecure’s distributed hardware architecture is inherently high-capacity and scalable, giving dedicated protection to every server
Ultra low latency firewall
No compromise on latency – firewalling adds less than 250 ns to NIC latency, which is 10x faster than any firewall appliance
Secure by design
Hardware-based solution with no software on the host server – it cannot be attacked or disabled, even with root permission
Packets filtered in hardware
The hardware filter inspects millions of headers every second, deciding whether to allow or drop each packet. Filtering is offloaded to the NIC and has no software component on the host server that could add a security risk or compromise latency.
Software configurable filtering tables
Filter Tx and Rx packets based on layer 2, layer 3 and layer 4 header fields
Filter on IP address, port number, IP protocol and Ethernet protocol
Filter on IP address subnets
ServerLock delivers a dedicated firewall in every server. Thousands of firewall rules can be configured to enforce whitelist or blacklist policies at ultra-low latency.
Implement whitelist and/or blacklist filters
Configurable to enforce firewalling (drop packets) and/or monitor traffic
Supports 5,000 filters and 1,000 counters
Low-latency data path – filtering adds less than 250 ns
Allows separate filtering for TCP client and TCP server applications (to support “established” firewall-rule semantics)
New network flows are discovered and reported
Isolate a server by switching quickly to an alternative rule set
ServerLock works with a range of configurations, as do all Solarflare products.
Supports VLANs, bonded ports and multiple adapters per server
Supported configurations include bare-metal, containers and virtualization
Driver support for Linux, Windows, VMware, KVM and Hyper-V
Compatible with other Solarflare products, including Onload, TCP Direct and Precision Time Protocol (PTP) software
Runs on SFN8000 series NICs, and beyond
Domain Fortress is the user interface and controller for ServerLock. It identifies and eliminates threats that hide in the mass of data center traffic.
Learning and Setup
Traffic flows within the data center can be so numerous that threats hide in plain sight. Domain Fortress learns the valid application flows and guides you in matching them to security policies. Clear visualization lets you manage hundreds of server firewalls in minutes. Unmanaged flows are highlighted as exceptions to the established setup.
Protect and Monitor
When traffic does not match the security policy, it is listed in the security event log and displayed visually. For example, a financial trading server attempts to open an SSH connection into another network segment, trying unsuccessfully to connect to a number of machines. This is immediately highlighted to the security team for review – it may be a legitimate system administrator action, or it may well be the start of an attack.
A graphical user interface guides you through a standard workflow
Organize servers into groups of similar functions
Out-of-policy traffic flows highlighted as risks for review by security team
Build and test security policies based on the least permissions that applications require
Configurable security stance to monitor traffic, enforce firewalling or isolate a compromised server
Command-line interface to enable integration with your automated workflows
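The filter-table features listed under ServerLock (layer 3/4 field matching, subnets, whitelist or blacklist mode, monitor versus enforce, per-rule counters, “established” semantics, isolation) and the Domain Fortress behaviour described above (unmanaged flows surfaced as events for review) can be modelled in a few dozen lines. The Go program below is an added example, not Solarflare’s code and not the real ServerLock rule or packet format: the trading-server policy, the 10.x addresses, the port numbers and the sample packets are all constructed, and the Established flag (a TCP rule that refuses new SYNs) is one plausible way to express the “established” rule semantics the page mentions.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Direction string // packet direction relative to the server's NIC
type Action string    // filter verdict
const Rx, Tx Direction = "rx", "tx" // Rx: inbound to the server, Tx: outbound
const Allow, Drop Action = "allow", "drop"

// Packet is a constructed model of the header fields the filter sees, not the NIC's real
// format. SYNOnly marks a TCP SYN without ACK, i.e. an attempt to open a new connection.
type Packet struct {
	Dir              Direction
	Proto            string // "tcp", "udp", "icmp"
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
	SYNOnly          bool
}

// Rule is one filter-table entry; an invalid Prefix, empty Proto or port 0 is a wildcard.
// Established limits a TCP rule to traffic of connections opened from the other side.
type Rule struct {
	Name             string
	Dir              Direction
	Proto            string
	Src, Dst         netip.Prefix
	SrcPort, DstPort uint16
	Established      bool
	Action           Action
}

// Event records a packet the policy would drop; Rule "default" marks an unmanaged flow.
type Event struct{ Rule string; Pkt Packet }

// Filter is one server's rule set: first match wins, else Default applies (Drop =
// whitelist, Allow = blacklist). Enforce false is monitor mode: log but never drop.
type Filter struct {
	Rules    []Rule
	Default  Action
	Enforce  bool
	Counters map[string]int
	Events   []Event
}

func (r Rule) matches(p Packet) bool {
	return r.Dir == p.Dir && (r.Proto == "" || r.Proto == p.Proto) &&
		(!r.Src.IsValid() || r.Src.Contains(p.SrcIP)) && (!r.Dst.IsValid() || r.Dst.Contains(p.DstIP)) &&
		(r.SrcPort == 0 || r.SrcPort == p.SrcPort) && (r.DstPort == 0 || r.DstPort == p.DstPort) &&
		!(r.Established && p.Proto == "tcp" && p.SYNOnly) // an established rule never admits a new SYN
}

// Process returns the verdict for p and updates the counters and the event log.
func (f *Filter) Process(p Packet) Action {
	act, name := f.Default, "default"
	for _, r := range f.Rules {
		if r.matches(p) {
			act, name = r.Action, r.Name
			break
		}
	}
	f.Counters[name]++
	if act == Drop {
		f.Events = append(f.Events, Event{Rule: name, Pkt: p})
		if !f.Enforce {
			return Allow // monitor mode: report, do not block
		}
	}
	return act
}

// Isolate swaps in an empty whitelist so a compromised server can talk to nobody.
func (f *Filter) Isolate() { f.Rules, f.Default, f.Enforce = nil, Drop, true }

// NewTradingServerPolicy is a constructed whitelist for a hypothetical trading server
// 10.1.9.1 that serves TCP 9000 to 10.1.0.0/16 and is a client of a DB at 10.2.0.5:5432.
func NewTradingServerPolicy(enforce bool) *Filter {
	return &Filter{Default: Drop, Enforce: enforce, Counters: map[string]int{}, Rules: []Rule{
		{Name: "mdata-in", Dir: Rx, Proto: "tcp", Src: netip.MustParsePrefix("10.1.0.0/16"), DstPort: 9000, Action: Allow},
		{Name: "db-out", Dir: Tx, Proto: "tcp", Dst: netip.MustParsePrefix("10.2.0.5/32"), DstPort: 5432, Action: Allow},
		{Name: "db-reply", Dir: Rx, Proto: "tcp", Src: netip.MustParsePrefix("10.2.0.5/32"), SrcPort: 5432, Established: true, Action: Allow},
	}}
}

// SamplePackets is constructed traffic: a client SYN to port 9000, the outbound DB connect, a DB
// reply, a SYN from the DB host's port 5432 (only Established tells it from a reply), and the SSH attempt.
func SamplePackets() []Packet {
	srv, db := netip.MustParseAddr("10.1.9.1"), netip.MustParseAddr("10.2.0.5")
	return []Packet{
		{Dir: Rx, Proto: "tcp", SrcIP: netip.MustParseAddr("10.1.5.7"), DstIP: srv, SrcPort: 51000, DstPort: 9000, SYNOnly: true},
		{Dir: Tx, Proto: "tcp", SrcIP: srv, DstIP: db, SrcPort: 40001, DstPort: 5432, SYNOnly: true},
		{Dir: Rx, Proto: "tcp", SrcIP: db, DstIP: srv, SrcPort: 5432, DstPort: 40001},
		{Dir: Rx, Proto: "tcp", SrcIP: db, DstIP: srv, SrcPort: 5432, DstPort: 40002, SYNOnly: true},
		{Dir: Tx, Proto: "tcp", SrcIP: srv, DstIP: netip.MustParseAddr("10.3.0.20"), SrcPort: 40003, DstPort: 22, SYNOnly: true},
	}
}

func main() {
	f := NewTradingServerPolicy(true)
	for _, p := range SamplePackets() {
		fmt.Printf("%s %s %s:%d -> %s:%d => %s\n", p.Dir, p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, f.Process(p))
	}
	fmt.Printf("%d security events, counters: %v\n", len(f.Events), f.Counters)
}
```

Run as written, the first three packets are allowed, the SYN from the database host is dropped because only replies are whitelisted, and the SSH attempt matches no rule and lands in the event log under "default", which is the unmanaged-flow exception a reviewer would see. Constructing the same policy with `enforce` false reproduces monitor mode: every packet passes, but the two violations are still counted and logged; `Isolate` switches the server to an empty whitelist in one step.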
Command and Control Functions
Discover application traffic flows
Identify servers on the network
Bind ServerLock NICs to Domain Fortress – establishing a domain of trust that extends to every server in your network
Scales to protect thousands of servers
Auditable activity logs
Version control for security policies
NIST-approved cryptographic algorithms – architecture validated by third-party security researchers
Secure by Design
ServerLock is designed to be the most secure NIC available for commercial deployments.
ServerLock has no software running on the local server – there is zero attack surface on the host
An attacker with root permission cannot modify or disable ServerLock
Regular in-field updates to fix issues and upgrade features
Firmware updates are signed by Solarflare – malicious code cannot be executed by the NIC
Secure command-and-control framework using TLS 1.2
Authentication of both sides using digital certificates, with ECDSA signatures on the ECC secp384r1 curve
Communications encrypted using AES
Binding ServerLock to Solarflare’s secure control software enforces remote control only and disables local control over the PCIe interface
NIC private key generated during manufacture and never revealed
Tamper-resistant fuse technology stores secrets on the communications ASIC
Integrity check for information stored in flash, including executable code and configuration data
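The signed-firmware and flash-integrity points above rest on one mechanism: the device holds an immutable vendor public key, and it executes only code whose signature verifies under that key, both when an update arrives and again at boot. The Go program below models that with the standard library’s ECDSA on P-384 (secp384r1) and SHA-384. It is an added example, not Solarflare’s update format, key material or verification code; the image layout, the NIC struct, the choice of SHA-384 as the digest and the in-memory “flash” are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a signed update: the code blob and the
// vendor's ECDSA P-384 signature (ASN.1 DER) over its SHA-384 digest.
type FirmwareImage struct {
	Code []byte
	Sig  []byte
}

var ErrBadSignature = errors.New("firmware rejected: signature does not verify under the vendor key")

// GenerateVendorKey creates a P-384 (secp384r1) signing key. In practice this key lives
// only with the vendor; the device is provisioned with the public half at manufacture.
func GenerateVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

// VendorSign models the vendor's release step: hash the image and sign the digest.
func VendorSign(priv *ecdsa.PrivateKey, code []byte) (FirmwareImage, error) {
	digest := sha512.Sum384(code)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return FirmwareImage{}, err
	}
	return FirmwareImage{Code: append([]byte(nil), code...), Sig: sig}, nil
}

// NIC models the device side: an immutable vendor public key (the fuse-stored root of
// trust) and the flash contents, which keep the signature alongside the code so the
// integrity of what is stored can be re-checked at every boot.
type NIC struct {
	VendorPub *ecdsa.PublicKey
	Flash     FirmwareImage
	Booted    bool
}

func verify(pub *ecdsa.PublicKey, img FirmwareImage) bool {
	digest := sha512.Sum384(img.Code)
	return ecdsa.VerifyASN1(pub, digest[:], img.Sig)
}

// Install accepts an update only if its signature verifies; anything else never reaches flash.
func (n *NIC) Install(img FirmwareImage) error {
	if !verify(n.VendorPub, img) {
		return ErrBadSignature
	}
	n.Flash = FirmwareImage{Code: append([]byte(nil), img.Code...), Sig: append([]byte(nil), img.Sig...)}
	return nil
}

// Boot re-verifies what is in flash before executing it, so code altered after
// installation (a flipped bit, a patched byte) is refused just like an unsigned update.
func (n *NIC) Boot() error {
	n.Booted = false
	if !verify(n.VendorPub, n.Flash) {
		return ErrBadSignature
	}
	n.Booted = true
	return nil
}

func main() {
	vendor, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	img, _ := VendorSign(vendor, []byte("constructed firmware image v1"))
	nic := &NIC{VendorPub: &vendor.PublicKey}
	fmt.Println("install genuine image:", nic.Install(img))
	fmt.Println("boot:", nic.Boot())

	nic.Flash.Code[0] ^= 0xff // simulate corruption or tampering of the flash contents
	fmt.Println("boot after flash change:", nic.Boot())

	other, _ := GenerateVendorKey() // a key that is not the vendor's
	forged, _ := VendorSign(other, []byte("image signed with the wrong key"))
	fmt.Println("install image signed by another key:", nic.Install(forged))
}
```

The two checks share one verify routine on purpose: an image that is accepted at install time is exactly the image that must still verify at boot, so a single trusted public key and a digest comparison cover both the update path and the integrity check on stored code. Anything signed by a different key, left unsigned, or modified after installation fails the same way.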