Design Article

Net edge security adaptable server gateways

Glen Young, Director, Product Development, Syed Hussain, Vice President, Marketing, PaxcelNet, Inc., Fremont, Calif.

3/10/2003 9:01 AM EST

A server is at center stage for the enterprise's data management and distribution, particularly for data and voice, file, and information storage management. It is the link from the network core to the edge. It is also the gatekeeper for inter-networking access to public domains. Consequently, top security is essential for servers, regardless of function and location of various applications.

Network system designers find that software is the most expedient approach for deploying server security. The downside: it lacks efficient security packet data processing, thus creating a performance bottleneck while the security process is being executed.

That bottleneck occurs as a result of the intensive processing required by symmetric key hashing, authentication, security packet header transforming and packet payload encryption/decryption algorithm processing.

Granted, software is most often quite efficient at handling the complicated handshake process and protocol management. However, the system designer must keep in mind that during the security tunnel setup process, procedures such as symmetric key hashing, security header transform, and payload decryption in fact consume most of the processor bandwidth as a dedicated resource. This implies that overall server performance drops significantly because of the security service. More performance issues arise if the server is used for data center file transfer, high-volume data access, or real-time voice over Internet protocol (VoIP) control.

While servers and network edge equipment have some similarities, there are more differences in functions such as the data flow mechanism, the central control scheme, and security packet processing over the security landscape. In these instances, hardware acceleration can provide the extra processing muscle these security functions demand.

Software effectively handles the complicated handshake process and protocol management. However, these functions are only a part of the entire security session process. In an IPSec-based VPN (virtual private network), the real overhead is the security packet processing: key hashing, IP header transform, and encryption/decryption algorithm processing. These functions involve intensive mathematical iterations, and here a hardware implementation far outperforms its software equivalent. Moreover, in software these functions consume a major portion of a server's processing bandwidth.

Control processes in both network edge equipment and servers include a policy handshake, Internet key exchange (IKE), and security tunnel setup. These are performed on the host processor of network edge equipment or in a server's main CPU. The security protocol stack or software that runs on the control processor is the only solution to perform this task. A hardware-based solution cannot cost effectively replace a software-based security protocol stack.

Other processes like security header transforming, from IPSec to IP or from IP to IPSec, and secure socket layer (SSL) record parsing on data path processing are usually performed by software. But it's done differently in network edge equipment and servers. In network edge equipment, a network processor on the interface line card handles header transform and record parsing, but in a server, the main CPU processes those functions.

Handling the data path for security packets is straightforward in network edge equipment, since most of it has high-speed switching capability and capacity. One scheme is to switch the IP packets that need encryption/decryption to the security subsystem through the high-speed data path interface or switching backplane. This kind of architecture, based on a hardware acceleration subsystem, saves development resources on architecture re-designs for existing systems.

Unlike network edge equipment, most servers don't have high-speed switching, so the same data path scheme cannot be applied in the same way. The design question is therefore: how do you deploy security functionality on a server and still keep up with line-speed throughput? This is an important issue for today's designers.

Hardware acceleration

A hardware-based security subsystem can go into the following types of servers: Web application, storage network application, mail, file transfer protocol (FTP), and voice mail. However, each must be able to support one to two Gbits/second of security data processing throughput to meet the interface throughput requirement.

Hardware acceleration is the only way to fully resolve this special throughput demand. The major performance bottleneck is created by IP packet header transforming and payload algorithm processing.

Consider that each enterprise server generally needs to handle 1,000 to 1,500 sessions per second to keep up with internal e-mail, voice mail, and file transfer protocol (FTP) for document downloading and uploading. This traffic load usually requires about 9,500 MIPS, which equals 100 percent of the bandwidth of a 6.5 GHz two-way super-scalar RISC processor.

This is why VPN or SSL security performance is unacceptable when it is performed in software or even with partial hardware acceleration. The symmetric key hashing process requires about eight to 10 MIPS per session with Secure Hash Algorithm-1 (SHA-1). At 2.5 Gbit/sec data throughput, authentication and header transform plus encryption/decryption algorithm processing take about 500 to 700 MIPS.

Therefore, 1,000 session setups/tear-downs per second, with 2.5 Gbit/sec data throughput, demand about 9,000 MIPS of CPU horsepower. But when the network system designer deploys an efficient hardware accelerator, the server's CPU is promptly freed up to process its normal tasks.
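The budget above can be turned into a small sizing model. This is an added example built from the article's figures, not code from the article or from PaxcelNet; it assumes the per-session hashing cost and the data-path cost scale linearly with load, and the control-plane cost left on the host after offload is a constructed placeholder, since the article does not quantify it.

```python
"""CPU-budget model for server security processing (added illustration).
Figures come from the article; linear scaling and the post-offload control
cost are labelled assumptions."""
from dataclasses import dataclass

# Article figures
HASH_MIPS_PER_SESSION = (8.0, 10.0)    # SHA-1 symmetric key hashing, per session
DATAPATH_MIPS_AT_REF = (500.0, 700.0)  # auth + header transform + cipher at 2.5 Gbit/s
REF_GBPS = 2.5
HOST_CPU_MIPS = 9500.0                 # 100% of the 6.5 GHz two-way super-scalar RISC CPU


@dataclass(frozen=True)
class SecurityLoad:
    sessions_per_sec: int     # IKE/SSL session setups and tear-downs per second
    throughput_gbps: float    # encrypted payload rate through the server


def session_mips(load):
    """Per-second cost of symmetric key hashing for session setup: (low, high)."""
    return tuple(m * load.sessions_per_sec for m in HASH_MIPS_PER_SESSION)


def datapath_mips(load):
    """Header transform + cipher cost, scaled linearly from the 2.5 Gbit/s figure (assumption)."""
    scale = load.throughput_gbps / REF_GBPS
    return tuple(m * scale for m in DATAPATH_MIPS_AT_REF)


def software_only_mips(load):
    """Total host cost when every security function runs in software: (low, high)."""
    lo_s, hi_s = session_mips(load)
    lo_d, hi_d = datapath_mips(load)
    return (lo_s + lo_d, hi_s + hi_d)


def host_utilization(mips, cpu_mips=HOST_CPU_MIPS):
    """Fraction of the host CPU consumed; above 1.0 the load cannot be met in software."""
    return mips / cpu_mips


def with_accelerator(load, control_mips_per_session=0.5):
    """Host cost once hashing, header transform and cipher are offloaded.
    Only the control stack (policy handshake, IKE, tunnel setup) stays on the host;
    its per-session cost is a constructed placeholder, not an article figure."""
    return control_mips_per_session * load.sessions_per_sec


if __name__ == "__main__":
    load = SecurityLoad(sessions_per_sec=1000, throughput_gbps=2.5)
    lo, hi = software_only_mips(load)
    print(f"software only: {lo:.0f}-{hi:.0f} MIPS, "
          f"{host_utilization(lo):.0%}-{host_utilization(hi):.0%} of host CPU")
    print(f"with accelerator: {with_accelerator(load):.0f} MIPS left on host")
```

At the article's 1,000 sessions/sec and 2.5 Gbit/sec the software-only range is 8,500 to 10,700 MIPS, bracketing the 9,000 to 9,500 MIPS the text quotes and saturating the 9,500 MIPS host.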

It is important to note that the server implementation is different from network edge equipment. In network edge equipment, the network processor on a line card handles security packet classification, while the switch fabric takes care of routing security packets to and from the security processor.

In a server application, security packet classification and packet arbitration must be performed on the line card, which has multiple serial gigabit interfaces. The data path therefore needs to be more integrated. The designer must first consider that PCI is a standard bus for handling data and control through a direct memory access (DMA) mechanism, and it definitely cannot satisfy gigabit throughput rates. With a 64-bit, 66 MHz PCI interface, normal throughput performance is about 1 to 1.5 Gbit/sec.

One has to keep in mind that data has to share the bus with control protocol transfers, so achieving gigabit data throughput rates over it is virtually impossible. Consequently, an internal high-speed interface is required to keep up with gigabit data throughput rates.

Today's industry standard interfaces, such as Packet Over Sonet Physical Layer (POS-PHY), SPI, Rapid IO, PCI-X, and HT (Hyper Transport), are widely deployed in network edge equipment but not in servers, although they could be. It is therefore important for the network system designer to select and architect a high-speed interface for the internal data path, which paves the way for a server to perform 2.5 Gbit/second security data throughput.

A comprehensive hardware security accelerator supports such a high-speed interface and compensates for software-based security shortcomings in a server. In this case, the accelerator performs high-speed symmetric key hashing, authentication, security packet header transforming, and algorithm processing. The accelerator also features data compression processing when required. It can also integrate easily with a high-speed interface and has an efficient data flow controller, powerful local processors for classification and security session management, and a substantial security processor for authentication, header transforming, and algorithm processing.

With a full-fledged hardware accelerator deployed, the server CPU is not only relieved of the security functions, but considerably more security sessions can be set up and torn down simultaneously, giving server security a major boost in performance.
