NVIDIA BlueField-2 helps Palo Alto Networks' next-generation virtual firewall achieve 5x acceleration.
According to data from the Federal Bureau of Investigation (FBI), losses from cybercrime reported by the American public in 2020 exceeded $4 billion.
To get ahead of this wave of new threats, Palo Alto Networks, the global network security leader, has developed the first virtual NGFW (next-generation firewall) accelerated by the NVIDIA BlueField DPU (data processing unit).
A DPU speeds up packet filtering and forwarding by offloading traffic from the host processor to dedicated hardware that operates independently of the server CPU. The solution gives every server the intrusion prevention and advanced security functions of the Palo Alto Networks virtual NGFW without sacrificing network performance. It also inspects only the relevant portion of the traffic and offloads the remaining flows to the DPU, which makes it feasible to inspect traffic volumes that were previously impractical or impossible to inspect.
As the first DPU-accelerated product of its kind on the market, this hardware-accelerated software NGFW is a milestone in Palo Alto Networks' effort to raise software firewall performance and maximize security coverage and efficiency in the data center.
The recently released DPU-based Palo Alto Networks VM-Series NGFW follows Zero Trust network security principles. Acting as an intelligent network filter, the DPU parses, classifies and steers network flows without consuming host CPU cycles, allowing the NGFW to reach nearly 100 Gb/s throughput across a range of typical use cases. That is a 5x performance improvement over the VM-Series firewall running on the CPU alone, and, compared with a traditional hardware appliance, the vendors cite capital expenditure savings of up to 150%.
"Enterprises and telecom companies are building cloud-like data centers, so they need cloud agility and automation without affecting performance," said Muninder Singh Sambi, senior vice president of products at Palo Alto Networks. "Our cooperation with NVIDIA has greatly improved the performance of our machine learning-based VM-Series virtual NGFW. For network security solutions running in cloud-like environments, the industry-leading NVIDIA BlueField DPU is your ideal choice."
As the first NGFW on the market to support the BlueField DPU, the VM-Series achieves hardware acceleration by offloading packet filtering and forwarding from the host processor to the BlueField DPU, which supports tasks such as application-aware segmentation, malware prevention, detection of new threats and prevention of data leakage.
Intelligent traffic offload service
In some customer environments, most traffic either does not need inspection (streaming media such as video, gaming and video conferencing) or cannot be inspected (for example, encrypted traffic for which the customer cannot configure a matching decryption policy on the firewall). Intelligent traffic offload inspects only those flows that benefit from continued security inspection, so that firewall resources are spent where they matter.
Up to 80% of data center traffic, including multimedia and encrypted data, does not need to be or cannot be inspected by the firewall. How is that traffic told apart? The joint NVIDIA and Palo Alto Networks solution includes the ITO (Intelligent Traffic Offload) service, which examines the traffic to determine, session by session, whether security inspection adds value.
The ITO service examines each session to determine whether it benefits from security inspection. If the firewall decides that a session does not, ITO instructs the BlueField-2 DPU to forward all subsequent packets of that session directly to their destination instead of to the firewall (see the figure below).
Inspecting only the flows that benefit from inspection, and offloading the rest to the DPU, reduces the total load on the firewall and the host CPU while improving both performance and security.
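The decision loop described above, as an added simulation that is not code from Palo Alto Networks or NVIDIA: the firewall inspects the first few packets of every session, classifies the application, and if continued inspection adds no value it installs a 5-tuple rule in a stand-in for the DPU flow table, after which later packets of that session bypass the firewall. The application heuristics, the decryption-policy port set, the three-packet decision window and the traffic mix are all constructed assumptions for the demo; the real product uses App-ID and the DPU's hardware flow table.

```python
"""ITO decision loop, simulated. Added example with assumed heuristics and
policy values; not the vendors' implementation."""
from collections import Counter
from dataclasses import dataclass

# Assumed policy inputs: ports with a decryption policy, app classes treated
# as streaming media, and how many packets the firewall examines per session.
DECRYPT_PORTS = {443}
STREAMING_APPS = {"rtp-video", "quic-video"}
INSPECT_PACKETS = 3


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass
class Packet:
    key: FlowKey
    payload: bytes
    size: int


def classify_app(pkt: Packet) -> str:
    """Toy application identification from a session's first packet."""
    p = pkt.payload
    if p.startswith(b"\x16\x03"):                        # TLS record header
        return "tls"
    if pkt.key.proto == "udp" and pkt.key.dport == 443:  # QUIC, assumed video
        return "quic-video"
    if pkt.key.proto == "udp" and len(p) >= 2 and (p[0] & 0xC0) == 0x80:
        return "rtp-video"                                # RTP version 2
    if p[:4] in (b"GET ", b"POST"):
        return "http"
    return "unknown"


def benefits_from_inspection(app: str, key: FlowKey) -> bool:
    """False for streaming media and for TLS the firewall cannot decrypt."""
    if app in STREAMING_APPS:
        return False
    if app == "tls" and key.dport not in DECRYPT_PORTS:
        return False
    return True


class DpuFlowTable:
    """Stand-in for the DPU flow table: offloaded 5-tuples are forwarded by
    the DPU and never reach the firewall again."""

    def __init__(self):
        self.offloaded = set()

    def forwards_directly(self, key: FlowKey) -> bool:
        return key in self.offloaded

    def install(self, key: FlowKey) -> None:
        self.offloaded.add(key)


class Firewall:
    def __init__(self, dpu: DpuFlowTable):
        self.dpu = dpu
        self.seen = Counter()   # packets inspected per session
        self.app = {}           # classification per session
        self.inspected_bytes = 0
        self.offloaded_bytes = 0

    def process(self, pkt: Packet) -> str:
        key = pkt.key
        if self.dpu.forwards_directly(key):
            self.offloaded_bytes += pkt.size
            return "dpu-forward"
        self.seen[key] += 1
        self.inspected_bytes += pkt.size
        # Full threat inspection of the packet would run here.
        if self.seen[key] == 1:
            self.app[key] = classify_app(pkt)
        if self.seen[key] >= INSPECT_PACKETS and not benefits_from_inspection(self.app[key], key):
            self.dpu.install(key)   # ITO: hand the rest of the session to the DPU
            return "inspected+offloaded"
        return "inspected"


def make_session(key, first_payload, count, size):
    """Constructed traffic: first packet carries the identifying bytes."""
    return [Packet(key, first_payload, size)] + [Packet(key, b"\x00" * 16, size) for _ in range(count - 1)]


def simulate() -> dict:
    dpu = DpuFlowTable()
    fw = Firewall(dpu)
    sessions = [  # constructed mix: RTP video, undecryptable TLS, decryptable TLS, cleartext HTTP
        make_session(FlowKey("10.0.0.5", "203.0.113.7", 40000, 5004, "udp"), b"\x80\x60\x00\x01", 10, 1200),
        make_session(FlowKey("10.0.0.6", "198.51.100.2", 51000, 8443, "tcp"), b"\x16\x03\x01\x02\x00", 10, 1000),
        make_session(FlowKey("10.0.0.7", "198.51.100.3", 51001, 443, "tcp"), b"\x16\x03\x01\x02\x00", 10, 1000),
        make_session(FlowKey("10.0.0.8", "192.0.2.9", 52000, 80, "tcp"), b"GET / HTTP/1.1\r\n", 5, 500),
    ]
    for pkts in sessions:
        for pkt in pkts:
            fw.process(pkt)
    total = fw.inspected_bytes + fw.offloaded_bytes
    return {
        "inspected_bytes": fw.inspected_bytes,
        "offloaded_bytes": fw.offloaded_bytes,
        "offload_ratio": fw.offloaded_bytes / total,
        "offloaded_dports": sorted(k.dport for k in dpu.offloaded),
    }


if __name__ == "__main__":
    print(simulate())
```

In this constructed mix the RTP stream and the TLS session on port 8443 are offloaded after three packets, so the firewall inspects 19,100 of 34,500 bytes; the decryptable TLS session and the HTTP session stay under inspection for their whole lifetime. A production design also needs session teardown and idle timeouts for installed rules and a path to pull a session back for inspection, which the simulation omits.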
ITO lets enterprises, telecommunications operators and cloud operators protect end users by running an NGFW on every host in a Zero Trust environment, helping them accelerate digital transformation while defending against network threats.
The Palo Alto Networks ITO service uses the NVIDIA BlueField DPU to intelligently offload traffic that needs no further security inspection.
Extending the NVIDIA DOCA SDK developer ecosystem
Early in the development of the NGFW for the BlueField DPU, Palo Alto Networks used gRPC, the open source remote procedure call framework (a Cloud Native Computing Foundation project), together with NVIDIA ASAP2 (Accelerated Switching and Packet Processing), an open source hardware acceleration framework.
The BlueField gRPC interface and ASAP2 have since been incorporated into the NVIDIA DOCA SDK. DOCA (Data Center Infrastructure-on-a-Chip Architecture) gives developers an open platform for building software-defined, hardware-accelerated networking, storage, security and management applications that run on the BlueField DPU.
NVIDIA is committed to building a large developer community to drive a fundamental change in data center infrastructure applications and services built on NVIDIA GPUs and BlueField DPUs, and DOCA is one part of that effort.