Network security requires a tremendous degree of flexibility. The nature of the threats, the diversity and volume of traffic, and even the underlying network architectures are all changing rapidly. Here’s how the latest network appliances can help you keep pace by providing a wide choice of processor, accelerator, and I/O configurations – all using Intel’s latest Haswell microarchitecture.
Performance from 2 to 24 cores
If maximum performance is your goal, the Nexcom NSA 7130 (Figure 1) is a good choice. This 2U appliance uses the just-announced Intel® Xeon® processor E5-2600 v3 family, which offers up to 24 cores in a dual-socket configuration. To put that number in context, that’s 20% more cores than the previous-generation processor at a similar thermal design power (TDP).
Figure 1. The Nexcom NSA 7130 offers dual-socket performance in a 2U chassis.
The Intel Xeon processor E5-2600 v3 family also benefits from various upgrades in the Haswell microarchitecture. One particularly noteworthy new feature is Intel® Advanced Vector Extensions (Intel® AVX) 2.0. This upgrade expands most integer operations from 128 bits to 256 bits, and it doubles multiply-add throughput with the fused multiply-add (FMA) operation. Suffice it to say this major update can significantly boost performance on data workloads.
Using this new processor, developers can expect up to a 3X boost in performance, giving you a powerful platform for compute-intensive network security functions like deep packet inspection. In addition, the platform achieves up to 24% better energy efficiency, helping lower operational costs. (A full list of benchmarks is available here.)
The Nexcom NSA 7130 takes full advantage of these upgrades, with dual-socket configurations scaling from 12 to 24 cores. Other notable features include up to 512GB of DDR4 memory, four 10GbE ports, eight 1GbE copper ports, and eight 1GbE fiber ports. The appliance can be configured through hot-pluggable PCI Express* (PCIe) modules – which we’ll look at more closely in a moment.
CASwell has taken a similar approach with its CAR-5040 2U rackmount system (Figure 2). With up to 24 cores, sixteen DDR4 DIMMs @ 2133MHz, and 54 network ports, the CAR-5040 is a powerful platform for network security in either conventional or software defined networking (SDN) and network function virtualization (NFV) settings. Customers can select various combinations of 3.5”/2.5” HDD/SSD, copper/fiber media, GbE/10GbE/40GbE, and third-party hardware acceleration smart modules. Notably, the smart N+1 hot-swappable fan modules support operation for 72 hours should one CPU fan shut down.
Figure 2. The CASwell CAR-5040 is a powerful security platform.
If you want a balance of performance and low power, CASwell’s recently refreshed CAR-4020 (Figure 3) is worth a look. This 1U appliance is available with a variety of single-socket configurations ranging from 2 to 4 cores through a choice of Intel® Xeon® processor E3-1200 v3 family, Intel® Core™ and Intel® Pentium® processors. All of these chips use the same Haswell microarchitecture as the Intel Xeon processor E5-2600 v3 family, making it easy to scale software across these platforms.
Figure 3. The CASwell CAR-4020 refresh is a 1U appliance notable for its configurability.
Notable features of the CAR-4020 include up to 32GB of dual-channel DDR3 1600 memory, modularized IPMI, and integrated LCM controls. Like the NSA 7130, the CAR-4020 is configurable through PCIe modules.
Strong virtualization support
The challenge for developers is crafting software that can take full advantage of this flexible performance. Creating software that excels in virtualized environments – such as the increasingly common SDN/NFV architectures – is particularly important. Fortunately, the hardware is up to the task – according to one benchmark, the new Intel® Xeon® processors can handle up to 79% more virtual machines. And there is plenty of software support available as well, starting with the Data Plane Development Kit (DPDK). This packet-processing library is optimized to provide bare-metal performance in a virtualized environment, ensuring maximum throughput.
Figure 4. The Data Plane Development Kit (DPDK) provides a foundation for virtualized security functions. (Figure courtesy Brocade.)
Building on top of this foundation, Intel provides a variety of resources like the DPDK Accelerated Open vSwitch. This virtual switch takes full advantage of DPDK’s high-throughput packet switching, as well as its zero-copy packet switching between switch and guest application. It also moves the switch from the Linux* kernel to user space to allow further enhancements.
Many software providers, including 6WIND and Wind River, are creating additional security functionality on top of DPDK. These offerings can significantly reduce development costs – and therefore, capex costs for the end customer.
DPDK can be used with Intel® QuickAssist Technology to further accelerate cryptography, data compression, and pattern matching – all critical tasks for network security. For example, Intel QuickAssist technology hardware accelerators can achieve up to 47Gbps IPsec throughput.
All of the CASwell and Nexcom appliances support Intel QuickAssist Technology through plug-in PCIe modules. These modules provide another degree of flexibility, as they allow you to choose the level of acceleration appropriate to your application. For example, the Nexcom appliance can be configured with:
- NSK-CTCK, which achieves 47Gbps bulk cryptography with the Intel® Communications Chipset 8925 (Intel® DH8925 PCH).
- NSK-CVCK, which offers 20Gbps bulk cryptography through the Intel® Communications Chipset 8920 (Intel® DH8920 PCH) along with 4 copper ports.
- A variety of other modules that offer I/O but no accelerators
In addition to offering flexible processor and accelerator configurations, the CASwell and Nexcom appliances support a high degree of configurability through plug-in PCIe modules. In the case of CAR-5040, for example, you get 6 slots that support a mix of 3.5”/2.5” HDD/SSD, copper/fiber media, GbE/10GbE/40GbE, and hardware acceleration modules. The modular design supports diverse network adapters from copper to fiber, dual ports to 8 ports, non-Bypass or Bypass, and 1GbE to 40GbE options. Similarly, Nexcom offers two PCIe* Gen 3 x8 slots for a mix of interface and HDD modules to facilitate scaling in, scaling up, and scaling out of applications.
All of this flexibility can give you a big advantage in dealing with the rapidly changing needs of network security. And the best news is that the solutions I’ve highlighted here are only a small sample of what’s available. You can find more security appliances based on Intel’s Haswell microarchitecture in our Solutions Directory. Check it out to see which solution is right for you!
Roving Reporter (Intel Contractor), Intel® IoT Solutions Alliance
Editor-In-Chief, Embedded Innovator magazine
Follow me on Twitter: @kentonwilliston