

Page 1: Next Generation Security for Modern Data Centers


Next Generation Security for Modern Data Centers

This white paper has three main goals: to make the case that perimeter security is inadequate in modern data centers; to discuss the requirements for end-to-end security in addressing today’s heightened threat environment; and to describe how Fungible's Data Processing Unit (DPU) is architected to support no-compromise, highly efficient centralized and distributed security models.


Whitepaper

Data centers are the true underpinning of organizations today. With the value of data becoming increasingly important, so too is the task of safeguarding them from cyberattacks. This is especially crucial in today's amplified threat environment where the frequency of attacks and the impact and costs suffered by organizations are only increasing.

To ensure zero trust security can be fully implemented, data centers need to be fortified against all manners of threats. Understanding the different types of threats, their modus operandi and entry/exit points is paramount.

Perimeter Security is an Outdated Paradigm

The traditional approach to data center security was rooted in the assumption that protection is only needed against traffic entering and exiting the data centers (commonly known as north-south traffic).

Today, this approach is no longer adequate. Traffic patterns are shifting with the continual rise in east-west traffic propelled by the following factors:

1. The broad adoption of tiered application services that federate together multiple microservices. This type of architecture requires a fast and nimble network to support the interconnectivity of these highly dynamic entities.

2. The shift from hyper-converged infrastructure (HCI) to composable disaggregated infrastructure (CDI), where compute and storage are disaggregated and connected via fast protocols such as NVMe over Fabrics.

3. The explosion of AI/ML applications, characterized by massive datasets and computation requirements which drive the need for aggregation of compute and storage resources.

By 2021, east-west traffic within the data center will account for more than 85% of all data center traffic. If protection is only applied to the boundaries of the network, a compromise to the perimeter could wipe out an entire organization's IT infrastructure.

About the Authors

Benny Siman-Tov, VP of Product & Business Development
Benny Siman-Tov is responsible for managing Fungible's product portfolio and developing strategic GTM partnerships at Fungible.

Satish Kikkeri, Senior Director of Compute Product Management
Satish Kikkeri is Senior Director of Compute Product Management at Fungible, responsible for managing and driving the success of Fungible’s data services product portfolio.

Satish was previously Director of Product Management and Marketing at Cavium (acquired by Marvell) for the LiquidIO SmartNIC line of business, where he successfully developed and productized compute, network, and security solutions for Hyperscalers, Tier 2 Cloud, Telco and Financial companies. Prior to that, he was Director of Huawei Cloud Strategy and Marketing.

Copyright © 2020. All Rights Reserved. | www.fungible.com

Page 2: Next Generation Security for Modern Data Centers


The Holistic End-to-End Security Blueprint

Defending a private, public or hybrid cloud from today’s threats requires a layered security strategy. Attackers should not have to surmount only a single security layer at the perimeter to achieve their malicious aims.

Perimeter solutions using discrete physical devices such as next-generation firewalls (NGFW), web application firewalls (WAF), intrusion detection and prevention systems (IDS/IPS), Distributed Denial of Service (DDoS) appliances and proxy servers will no doubt still be necessary to address volumetric, protocol and application-layer attacks at the perimeter.

But, besides perimeter security, modern data centers also require security solutions that are distributed in every server in the data center to address the increase in east-west traffic discussed above.

For a holistic end-to-end view of security in modern data centers, the following aspects must be considered:

Root of trust: Managing access is a key aspect of security in modern data centers. To prevent unauthorized access, any firmware or software code running on compute, networking or storage systems needs to be authenticated and authorized before it is allowed to run. This is achieved through a root of trust, which is the foundation on which all secure operations of the system depend. The root of trust contains the keys used for cryptographic functions and enables a secure boot process. It is inherently trusted, and therefore must be secure by design. While a root of trust can be implemented in software, such an implementation is highly vulnerable to attack. The most secure implementation is a hardware-based root of trust, which can be a stand-alone security module or a security module integrated within a processor.
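A worked illustration of the secure-boot check a hardware root of trust performs, added here as an example and not Fungible's or any DPU's actual firmware: the image format, the Ed25519 vendor key and the minimum-version counter are all constructed for the example, and the verifier refuses an image that is tampered with, downgraded, or signed by a key other than the anchored one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// FirmwareImage is a constructed format: a version counter (for anti-rollback), the code and a signature over both.
type FirmwareImage struct {
	Version   uint32
	Code      []byte
	Signature []byte
}

// RootOfTrust models what the hardware anchors immutably: the vendor's public key and the lowest version it will boot.
type RootOfTrust struct {
	VendorKey  ed25519.PublicKey
	MinVersion uint32
}

// digest binds version and code so neither can be swapped without invalidating the signature.
func digest(version uint32, code []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	sum := sha256.Sum256(append(v[:], code...))
	return sum[:]
}

// Sign is the vendor-side build step; the private key never reaches the device.
func Sign(priv ed25519.PrivateKey, version uint32, code []byte) FirmwareImage {
	return FirmwareImage{version, code, ed25519.Sign(priv, digest(version, code))}
}

// Verify is the boot-time check: valid signature under the anchored key, and no rollback below MinVersion.
func (r RootOfTrust) Verify(img FirmwareImage) error {
	if !ed25519.Verify(r.VendorKey, digest(img.Version, img.Code), img.Signature) {
		return fmt.Errorf("firmware signature invalid: refusing to boot")
	}
	if img.Version < r.MinVersion {
		return fmt.Errorf("firmware version %d below minimum %d: rollback refused", img.Version, r.MinVersion)
	}
	return nil
}

// Constructed keys from fixed seeds so the example is deterministic: the vendor
// key is anchored in the root of trust; otherPriv stands for any key that is not.
var vendorPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var otherPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
var rot = RootOfTrust{VendorKey: vendorPriv.Public().(ed25519.PublicKey), MinVersion: 2}

func main() {
	img := Sign(vendorPriv, 3, []byte("bootloader v3 (constructed)"))
	fmt.Println("genuine:", rot.Verify(img))
	img.Code[0] ^= 0xff // one byte flipped after signing
	fmt.Println("tampered:", rot.Verify(img))
}
```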

Secure services: Network segmentation has also been used to control access and isolate assets. Older approaches, such as fixed access control list (ACL)-based policies bound to hardware devices, have been replaced by newer, more fine-grained approaches like micro-segmentation. Application-level micro-segmentation enables policies to be applied to VMs, containers and individual microservice-based workloads, reducing the attack surface. If a device or workload moves, the security policies move with it. This approach complements perimeter-based security solutions by providing east-west protection between servers in the data center.

Application-level policy enforcement is typically managed by host-based firewalls. These host-based firewalls run alongside VMs, vNICs and application assets, i.e. the very resources they are designed to protect. Further, most host-based firewalls are software-based, carrying with them the risks associated with software solutions, e.g. missing security patches. If a host is penetrated, an attacker can then alter policy rules in order to gain admittance to the wider network. The Spectre and Meltdown vulnerabilities are a telling indication of why using host-based software firewalls to secure virtual machines, applications, data and network infrastructure is largely ineffective.

When malevolent sources and security policy platforms belong to the same server-based trust domain, there is a high risk of security breach. The guaranteed way to protect the infrastructure is to define a clear boundary between the server and the security policy platform. This will require hardware-based security processors that are seamlessly integrated with compute, storage and networking hardware functionality.
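An added example (not Fungible's code) of the difference described above between an address-bound ACL and a label-based micro-segmentation policy: the three-tier workloads, their labels and ports are constructed, and the example shows the ACL entry going stale when a workload migrates while the label policy follows it.

```go
package main

import "fmt"

// Workload is a VM, container or microservice; policy binds to its labels, not its address.
type Workload struct {
	Name, Addr string
	Labels     map[string]string
}

// Rule permits traffic from workloads matching From to those matching To on the listed ports.
type Rule struct {
	From, To map[string]string
	Ports    []int
}

func matches(w Workload, selector map[string]string) bool {
	for k, v := range selector {
		if w.Labels[k] != v {
			return false
		}
	}
	return true
}

// Allowed is default-deny: a flow passes only if some rule matches both endpoints' labels and the port.
func Allowed(rules []Rule, src, dst Workload, port int) bool {
	for _, r := range rules {
		if !matches(src, r.From) || !matches(dst, r.To) {
			continue
		}
		for _, p := range r.Ports {
			if p == port {
				return true
			}
		}
	}
	return false
}

type ACL map[string]bool // legacy alternative for contrast: entries keyed on fixed addresses

func (a ACL) Allowed(src, dst Workload, port int) bool {
	return a[fmt.Sprintf("%s->%s:%d", src.Addr, dst.Addr, port)]
}

// Constructed three-tier policy: web reaches api on 8443, api reaches db on 5432, nothing else.
var rules = []Rule{
	{From: map[string]string{"tier": "web"}, To: map[string]string{"tier": "api"}, Ports: []int{8443}},
	{From: map[string]string{"tier": "api"}, To: map[string]string{"tier": "db"}, Ports: []int{5432}},
}

func main() {
	api := Workload{"api-1", "10.0.2.20", map[string]string{"tier": "api"}}
	db := Workload{"db-1", "10.0.3.30", map[string]string{"tier": "db"}}
	acl := ACL{"10.0.2.20->10.0.3.30:5432": true}
	api.Addr = "10.0.9.99" // api-1 migrates; the address-keyed ACL entry goes stale
	fmt.Println("legacy ACL:", acl.Allowed(api, db, 5432), "label policy:", Allowed(rules, api, db, 5432))
}
```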

Secure data-in-motion: Attacks on data privacy have risen in complexity and frequency, resulting in the broad use of encryption to protect the confidentiality and integrity of data. Security protocols such as IPsec or TLS are used to secure data movement over an insecure underlay network by authenticating and encrypting the data. However, the public-key cryptography in IPsec and TLS is inherently compute-intensive and imposes a significant burden on general-purpose processors. Further, advancements in the protocols to improve robustness, for example larger key sizes, have resulted in even higher computation requirements. To improve performance-cost efficiency, hardware-accelerated solutions such as crypto processors are used. These processors can be used in a look-aside or in-line mode.

Page 3: Next Generation Security for Modern Data Centers


In the traditional look-aside mode, the encryption and decryption tasks are offloaded to the crypto processor, but the host processor continues to handle key negotiation. In contrast, in in-line mode, the crypto processor takes on a much more active role, subsuming front-line communications as well. In this mode, the crypto processor enables secure boot, and completely offloads encryption/decryption tasks including the Key Management System (KMS) from the host processor. The in-line mode requires the crypto processor to be able to process all these security functions at line rate.

Secure data-at-rest: Protecting data stored in persistent storage is viewed as table stakes today. The longer data is left unprotected in storage, the higher the likelihood of unsanctioned access. A secure data center must ensure data isolation and preservation of privacy not only against malicious attacks but also amongst various users. To achieve this, robust authentication and encryption services must be in place. Further, with data-in-motion coming into a storage server encrypted, the storage server needs to pull double duty: decrypting the data as it enters and re-encrypting it (typically using a stronger key) before it is stored, and vice versa. Running all these functions together presents significant compute requirements and a burden on general-purpose processor-based storage systems.
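The storage-side double duty described above, as an added example in Go rather than Fungible's or any product's code: AES-GCM is assumed for both the session and the storage layer, the two keys are constructed placeholders rather than KMS-issued keys, and the object id is bound as additional authenticated data so inbound data that fails its tag check is rejected before anything is written.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key gives AES-128, 32-byte key AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and prefixes a random nonce; the object id is bound as additional data.
func seal(key, objectID, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, objectID)...), nil
}

func open(key, objectID, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], objectID)
}

// Ingest is the storage server's double duty: open with the session key, re-seal under the stronger storage key; a failed tag check stores nothing.
func Ingest(transportKey, storageKey, objectID, wire []byte) ([]byte, error) {
	plain, err := open(transportKey, objectID, wire)
	if err != nil {
		return nil, fmt.Errorf("inbound data rejected: %w", err)
	}
	return seal(storageKey, objectID, plain)
}

var transportKey = bytes.Repeat([]byte{0x11}, 16) // constructed 128-bit session key (real keys come from a KMS)
var storageKey = bytes.Repeat([]byte{0x22}, 32)   // constructed 256-bit storage key

func main() {
	wire, _ := seal(transportKey, []byte("obj-42"), []byte("payroll (constructed)"))
	stored, err := Ingest(transportKey, storageKey, []byte("obj-42"), wire)
	fmt.Println("stored:", err == nil, len(stored), "bytes")
}
```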


Visibility: Security is unfortunately a double-edged sword. While the use of encryption is required to provide secure end-to-end communications, attackers are also riding on these techniques to evade detection. Thus, dynamic, granular visibility into network traffic is needed to thwart or nullify masked attacks.

A robust security solution must support instantaneous visibility into traffic and prompt execution of network policies. Customizable Test Access Points (TAPs) are examples of solutions that enable seamless monitoring and analytics of traffic streams.

Deep Packet Inspection (DPI) is another technology that enables the identification of the various types of traffic that flow in the network and the determination of the actual application type in each packet. This requires inspecting the packet payload as opposed to just the packet header information. It can also enable network traffic-based analytics using advanced filtering and analysis to quickly identify, segregate and address even the most complex security problems.
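An added example (not Fungible's DPI engine) of the payload-based classification described above: a small constructed regex signature set identifies the application from the first payload bytes rather than the port, and flags packets whose content contradicts what the port implies, such as cleartext HTTP on 443.

```go
package main

import (
	"fmt"
	"regexp"
)

// Packet holds the L4 destination port a header-only device keys on, and the payload DPI inspects.
type Packet struct {
	DstPort int
	Payload []byte
}

// Signature pairs an application label with a pattern applied to the payload, anchored at its start.
type Signature struct {
	App     string
	Pattern *regexp.Regexp
}

// Constructed signature set (a production engine carries thousands of such rules).
var signatures = []Signature{
	{"http", regexp.MustCompile(`^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n`)},
	{"tls", regexp.MustCompile(`^\x16\x03[\x00-\x03]..\x01`)}, // record type 22, handshake type 1 (ClientHello)
	{"ssh", regexp.MustCompile(`^SSH-2\.0-`)},
}

// expectedByPort is the assumption a header-only classifier would make.
var expectedByPort = map[int]string{80: "http", 443: "tls", 22: "ssh"}

// Classify identifies the application from payload content alone.
func Classify(payload []byte) string {
	for _, s := range signatures {
		if s.Pattern.Match(payload) {
			return s.App
		}
	}
	return "unknown"
}

// Inspect returns the detected application and whether it contradicts what the
// port implies (e.g. cleartext HTTP on 443), which is the case DPI exists to surface.
func Inspect(p Packet) (app string, mismatch bool) {
	app = Classify(p.Payload)
	want, known := expectedByPort[p.DstPort]
	return app, known && app != "unknown" && app != want
}

func main() {
	samples := []Packet{ // constructed packets
		{80, []byte("GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")},
		{443, []byte{0x16, 0x03, 0x01, 0x00, 0x7a, 0x01, 0x00, 0x00, 0x76, 0x03, 0x03}},
		{443, []byte("GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n")},
		{8022, []byte("SSH-2.0-OpenSSH_8.9\r\n")},
	}
	for _, p := range samples {
		app, mismatch := Inspect(p)
		fmt.Printf("port %-5d app=%-8s port/payload mismatch=%v\n", p.DstPort, app, mismatch)
	}
}
```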

Fungible's Data Processing Unit (DPU) Enables Next-Gen Security for Modern Data Centers

Fungible's foundational thesis for security is driven by two key propositions:

First, next generation security solutions must address the need for distributed security and be seamlessly integrated into compute, storage and networking entities within the data center. While security appliances will continue to play a role in protecting the perimeter of the data center, they are ill-suited for intra-data center protection. Backhauling traffic from each server to these appliances leads to cumbersome deployments and unnecessary performance, latency and cost penalties, resulting in overall inefficiencies. In many cases, this is a limiting factor for IT architects in fully embracing security needs, especially at larger scales.

Second, today's security solutions are mainly software-based (i.e. they run on general purpose processors). In a distributed security model, to fully implement all the necessary security functions, a high number of processor cores have to be used. IT architects often find themselves making painful trade-offs to implement security functions while maintaining desired performance and latencies for application processing. Further, software-based application segmentation presents a susceptible attack surface since techniques for disabling standard OS-based firewalls are already well understood.

IP Security (IPsec) is a suite of Internet Protocol (IP) standards for cryptographically securing communications at the IP Packet Layer, thereby ensuring confidentiality, integrity, and authenticity of data communications across Virtual Private Networks (VPNs). Virtual Private Network (VPN) Gateways enable secure communications among cloud data centers or remote users and cloud data centers using a public WAN.

Transport Layer Security (TLS) is an industry standard encryption protocol for securing HTTP traffic traveling across the Internet. An example of its application is to secure web-based transactions to enable e-commerce and online banking. Through the use of TLS, sensitive info, such as a user’s login ID for an online banking session or perhaps a credit card number is protected and kept out of the hands of hackers and criminal organizations.

Page 4: Next Generation Security for Modern Data Centers

To address the requirements of the modern security model, Fungible has developed a microprocessor known as the Fungible Data Processing Unit or Fungible DPU. The DPU is designed to offer uncompromising and comprehensive programmable hardware-based security processing, supporting complete offload and in-line acceleration of security services at line rate, thus freeing up server CPU resources for application processing.

Root of trust: The DPU supports a secure root of trust including secure private key storage and mechanisms for anti-cloning and signed binaries. This hardware root of trust provides the foundation to fully shield all aspects of the server platform including the hardware, operating system and/or hypervisor, applications, firmware, command-and-control framework etc.

Secure services: The DPU supports application-level policy management by offering policy-driven L4-L7 network and security services in in-line mode, intelligently offloading the general-purpose CPUs in the host servers. Dedicated high-performance accelerators are integrated to run specific security services, ensuring in-line, line-rate support without consequential impact on application performance.

The DPU also supports hardware-based application segmentation utilizing inherently scalable and flexible SDN-enabled distributed architectures. A DPU-based solution will not create traffic bottlenecks that will impact application performance.


Secure data-in-motion: The DPU supports pervasive, end-to-end hardware-based authentication and in-line encryption for network communications. Specifically, it includes cryptographic units for encrypting and decrypting packets using industry-standard schemes including processing of IPsec, TLS payloads and associated Key Management System (KMS) functionality.

Secure data-at-rest: The DPU supports authentication and full encryption/decryption of data at-rest in storage systems using industry standard encryption schemes.

Visibility: The DPU supports hardware-based DPI, facilitating dynamic monitoring and logging of multiple layers of packets in east-west and north-south packet streams without imposing any CPU processing requirements. This is made possible by dedicated Regular Expression (RegEx) processing engines, which enable highly efficient malware detection in high-throughput data center environments.

In a nutshell, Fungible’s Data Processing Unit excels in addressing security requirements at both the entry/exit points as well as within the data centers by providing pervasive, highly efficient, hardware-based security capabilities along a number of important aspects.

While security is never absolute, by understanding the exposure risks, security solutions can be intelligently tailored to deliver highly robust and efficient threat prevention, detection and remediation.

Fungible, Inc. | 3201 Scott Blvd. | Santa Clara, CA 95054 | 669-292-5522