Editor’s Note: This content is contributed by Awanish Verma, Principal Architect and Director in Technical Marketing at Xilinx.
Next-generation network security implementation is under constant evolution and is going through an architectural shift from lookaside implementation to inline implementation. With the beginning of 5G deployments and a multifold increase in the number of connected devices, the architecture for security implementation needs to be revisited and modified. 5G throughput and latency requirements are changing the access networks while also demanding extra security. This evolution is driving the following changes for network security:
Higher throughput for Layer-2 (MACsec) and Layer-3 security
Requirement for policy-based analysis at the edge/access
More throughput and connection requirements for application-based security
Predictive analytics and malware identification using AI and ML
Implementation of new cipher algorithms for post-quantum cryptography
Along with the above requirements, network technologies like SD-WAN and 5G-UPF are being adopted more and more widely, which requires implementation of network slicing, more VPN tunnels, and deeper packet classification. In current-generation network security implementations, most application security is processed by software running on the CPU. While CPU capability has increased in terms of the number of cores and processing power, the rising throughput requirements cannot be handled by a software-only implementation.
Policy-based application security has changing requirements, while most of the available off-the-shelf solutions can only handle a fixed set of traffic headers and crypto protocols. Given these limitations in software and fixed ASIC-based implementations, programmable and adaptable hardware provides the perfect solution for implementing policy-based application security and solves the latency challenges imposed by other programmable NPU-based architectures. Adaptable system-on-chip devices combine well-established hardened network interface and cipher IPs with programmable logic and memory to implement millions of policy rules with stateful application processing such as transport layer security (TLS) and regular expression search engines.
Adaptable Inline Security
This white paper describes the implementation of L2-L7 security using the programmable architecture, which can be deployed for security acceleration at edge/access networks and in next-generation firewalls (NGFW) in enterprise networks.