Securing the Edge Cloud with FPGAs

By Barak Perlman

As observed by Gorkem Yigit, Senior Analyst at Analysys Mason, today’s network operators, cloud providers, and enterprises are embracing software-defined, automated, and cloud-native networks to enable quick, cost-effective responses to constantly evolving customer demands. “To build differentiated and future-proof WAN, cloud, and IoT connectivity, they need high-performance, programmable, secure, and open-source enabled solutions,” Yigit explains.

The key word in there is “secure.” As we all attempt to stay ahead of increasingly sophisticated hackers, the challenge is to maintain high performance while keeping valuable, often mission-critical, data out of their reach.

One way to achieve that is to move security functions off server CPUs and onto FPGAs. By isolating the traffic, packet editing, and encryption on the FPGA, the CPU – itself a potential point of vulnerability to breaches – is taken out of the data path. In this “host bypass” approach, the FPGA handles all networking, flow monitoring, and security functions. This is the rationale behind Ethernity’s new ENET VPN Gateway, which integrates Libreswan security management software to implement the control plane with an FPGA SmartNIC data plane solution that can operate on lower-cost COTS servers.

One advantage of our approach to traffic handling is that the combination of open source security management software with the programmability of our FPGA SmartNIC provides superior performance via the hardware encryption engine while simultaneously ensuring future readiness. Whether there is a need to adopt new security algorithms (which change frequently) or to completely replace the open source control plane, the programmability of the FPGA SmartNIC ensures that security updates are handled rapidly and efficiently.

The FPGA crypto engine within the ENET VPN Gateway is implemented inline (between the network interfaces and the host CPU). This means there is no CPU intervention when encrypting/decrypting the data, which provides both greater efficiency and additional support for advanced features such as packet classification and flow aggregation with encapsulation.

Inline processing is much more efficient and secure than a “look-aside” approach that is common in other solutions. The “look-aside” processing method has the host handling packet editing and dispatching, while using dedicated, adjacent security hardware for packet encryption and decryption. This consumes significant CPU resources, whereas inline processing preserves those resources for other applications.

The ENET VPN Gateway also features the option of offloading overlay networks, extended switching and routing functionality, support for slicing and VNO modeling, quality of service features, a broad range of supported algorithms, and easy customization.

And as cities, utilities, and other organizations increasingly embrace the Internet of Things (IoT) and deploy IoT devices, the ENET VPN Gateway can be extended to aggregate many low-throughput VPN tunnels and can be easily incorporated as a subset of a high-speed SD-WAN infrastructure, providing significant acceleration of the appliance’s IPSec security.

It ties back to the four key aspects of a solution that analyst Gorkem Yigit pointed out: high performance, programmability, security, and open source enablement. These are the elements that make it possible for network operators, cloud providers, and enterprises to meet ever-changing customer needs most effectively.