Cybercrime cost the American public more than $4 billion in reported losses over the course of 2020, according to the FBI.
To stay ahead of emerging threats, Palo Alto Networks, a global cybersecurity leader, has developed the first virtual next-generation firewall (NGFW) designed to be accelerated by NVIDIA’s BlueField data processing unit (DPU).
The DPU accelerates packet filtering and forwarding by offloading traffic from the host processor to dedicated hardware that is separate from the server CPU. The solution delivers the intrusion prevention and advanced security capabilities of Palo Alto Networks’ virtual NGFWs to every server without sacrificing network performance. It also allows network flows that were previously impossible or impractical to inspect by intelligently screening the relevant parts of the flow and offloading the rest to the DPU.
This hardware-accelerated software NGFW is a milestone in boosting software firewall performance and maximizing data center security coverage and efficiency by being first to market to be accelerated by a DPU.
The recently announced DPU-enabled Palo Alto Networks VM-Series NGFW uses zero trust network security principles. The DPU operates as an intelligent network filter to parse, classify and steer traffic flows with zero ReCPU overhead, which enables the NGFW to support close to 100Gb/s throughput for typical use cases. This is a 5x performance boost versus running the VM-Series firewall on a CPU alone — and up to 150 percent capex savings compared to legacy hardware.
“As enterprises and telcos build cloud-like data centers, they need the agility and automation of the cloud without compromising performance. Together with NVIDIA, we are turbocharging our VM-Series virtual ML-powered NGFWs,” said Muninder Singh Sambi, senior vice president of Products at Palo Alto Networks. “The industry-leading NVIDIA BlueField DPU is ideal for cybersecurity solutions operating in cloud-like environments.”
The first BlueField-enabled NGFW to market, the VM-Series enables application-aware segmentation, prevents malware, detects new threats and stops data exfiltration with the BlueField DPU offloading the host processor to accelerate packet filtering and forwarding functionality.
Intelligent Traffic Offload Service
In certain customer environments, the majority of traffic either does not need inspection (for example, streaming traffic such as video, gaming and video conferencing) or can’t be inspected, such as encrypted traffic for which the customer is unable to assign corresponding decryption policy on firewall. In such environments, Intelligent Traffic Offload will ensure that firewall resources are optimally utilized to inspect only those flows that benefit from continuous security inspection.
Up to 80 percent of network traffic, including media and encrypted data in a data center, doesn’t need to be — or can’t be — inspected by a firewall. To address this, the NVIDIA and Palo Alto Networks joint solution includes the Intelligent Traffic Offload (ITO) service, which examines network traffic to determine whether or not each session will benefit from security inspection.
The ITO service examines every session of the traffic to determine whether or not that session will benefit from security inspection. If the firewall determines that the session will not benefit from security inspection, ITO instructs the BlueField-2 DPU to forward all subsequent packets in that session directly to their destination without sending them to the firewall. (See the chart below.)
By only examining flows that can benefit from security inspection and offloading the rest to the DPU, the overall load on the firewall and the host CPU is reduced and performance increases without sacrificing security.
The ITO empowers enterprise, telco and cloud operators to protect end-users with an NGFW that can run on every host in a zero trust environment, helping expedite their digital transformation while keeping them safe from a myriad of cyberthreats.
Expanding Developer Ecosystem Around NVIDIA DOCA SDK
Palo Alto Networks began development of the NGFW on the BlueField DPU by using the gRPC open source remote procedure call framework (a project of the Cloud Native Computing Foundation) and NVIDIA ASAP2, an open-source driven hardware acceleration framework.
The gRPC interface to BlueField and ASAP2 are now merged into the NVIDIA DOCA SDK, the data center infrastructure-on-a-chip architecture that gives developers an open platform for building software-defined, hardware-accelerated networking, storage, security and management applications running on BlueField DPUs.
DOCA is part of NVIDIA’s commitment to building a broad developer community that revolutionizes data center infrastructure applications and services powered by NVIDIA GPUs and BlueField DPUs.