Embedded Cybersecurity Mitigation
Embedded Cybersecurity in NoviFlow Switches
Separation of Mitigation from Analysis
The old paradigm for Cybersecurity is a dedicated system, or a cluster of security systems, placed at key points in the network. These systems provide both the analytic functionality to detect threats and the mitigation actions to address them. All traffic that needs to be secured must flow through these security points. This solution is expensive and is difficult to scale for today’s throughput requirements.
A better solution is to move the security mitigation action into the network fabric. NoviFlow switches, with programmable capabilities, enable mitigation actions to be implemented in one or more tables in the packet processing pipeline.
In this new paradigm of SDN-based Cybersecurity, the analytics engines find threats and the programmable network fabric implements the mitigation actions.
The NoviSwitch: Off-loading x86-based Mitigation to NPU Silicon
Most Cybersecurity products are based on Intel x86 processors running software-based packet processing. This is an excellent environment for the security analytics engines, but a very poor environment for handling mitigation actions. Software-based mitigation filtering provides limited throughput and is an expensive solution.
Moving the mitigation action to the programmable pipeline in NoviFlow switches moves the execution of the mitigation rules to a Network Processor (NPU). This is a silicon-based solution that is 2 to 3 orders of magnitude faster than x86 software processing.
- Programmable pipeline enables security mitigation, ACLs, and Blacklists actions to be executed in the NoviFlow SDN switches
- Supports millions of security action rules at the detailed flow level
- Supports up to 50,000 mitigation action updates per second
- Packet processing done on NPU silicon not x86 software
- Cybersecurity API to inject, manage and monitor security actions
- Security filtering runs at line-rate as part of network fabric
- Cybersecurity becomes an integral part of the network fabric
- Mitigation actions can be injected at any, or every, point in the network enabling the securing of East-West traffic
- Multi-layer security filtering and mitigation execute at line-rate as part of the network fabric
- Detailed responses – security actions on millions of individual flows – can be taken to address large-scale cyber attacks
Security Gateway Example
This example shows a Security Cluster generating detailed mitigation events that are implemented in the top Gateway switch. The match+action multi-table programmable pipeline in the NoviSwitch enables the security analytics engine to generate millions of detailed (specific-flow-level) mitigation “block” rules in the case of a large-scale attack. Even with the largest mitigation rule sets, the NoviSwitch will process packets at line-rate.
The example also shows a NoviSwitch providing services to the Security Cluster. This switch enforces “Shunt” events, which block elephant flows after the first few packets, and provides load balancing of the traffic coming into the Security Cluster servers.
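As an added illustration of the paradigm described above (the analytics cluster injecting flow-level block rules, the shunt of elephant flows after the first few packets, and load balancing of traffic into the cluster), here is a small Python model of a three-table match+action pipeline. This is example code written for this page, not NoviFlow's product code or its Cybersecurity API; the class and method names, the counters and the traffic are constructed assumptions, and a real NPU pipeline performs these exact-match lookups in silicon rather than in Python sets.

```python
import zlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Flow key: (src_ip, dst_ip, proto, src_port, dst_port)
FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


class MitigationPipeline:
    """Hypothetical three-table match+action pipeline (not NoviFlow's API).

    Table 0: flow-level block rules injected by the analytics cluster.
    Table 1: shunt state; once `shunt_after` packets of a flow have gone to
             analytics, later packets of that flow bypass the cluster.
    Table 2: deterministic hash-based load balancing of analytics-bound packets.
    """

    def __init__(self, analytics_ports: List[str], shunt_after: int = 3) -> None:
        self.block_table: Set[FlowKey] = set()
        self.shunt_after = shunt_after
        self.flow_counts: Dict[FlowKey, int] = defaultdict(int)
        self.analytics_ports = analytics_ports
        self.stats: Dict[str, int] = defaultdict(int)

    # Rule-injection surface used by the analytics engine (assumed names).
    def inject_block(self, key: FlowKey) -> None:
        self.block_table.add(key)

    def withdraw_block(self, key: FlowKey) -> None:
        self.block_table.discard(key)

    def process(self, pkt: Packet) -> str:
        key = pkt.key()
        if key in self.block_table:              # Table 0: exact-match block
            self.stats["dropped"] += 1
            return "drop"
        self.flow_counts[key] += 1               # Table 1: per-flow shunt counter
        if self.flow_counts[key] > self.shunt_after:
            self.stats["shunted"] += 1
            return "forward"                     # elephant flow bypasses analytics
        # Table 2: crc32 (not Python's randomized hash) keeps a flow on one server.
        idx = zlib.crc32(repr(key).encode()) % len(self.analytics_ports)
        port = self.analytics_ports[idx]
        self.stats[port] += 1
        return f"to_analytics:{port}"


def demo() -> Dict[str, int]:
    """Run constructed traffic through the pipeline and return the counters."""
    pipe = MitigationPipeline(analytics_ports=["srv-a", "srv-b"], shunt_after=3)
    # Constructed sample flows using documentation (RFC 5737) address ranges.
    suspect = Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80)
    client = Packet("192.0.2.5", "203.0.113.10", "tcp", 51000, 443)
    # The first packet of the suspect flow reaches analytics before any rule exists.
    pipe.process(suspect)
    # Analytics classifies the flow as hostile and injects a flow-level block rule;
    # every later packet of that flow is dropped in the pipeline.
    pipe.inject_block(suspect.key())
    for _ in range(4):
        pipe.process(suspect)
    # A legitimate long-lived flow: 3 packets inspected, the remaining 7 shunted.
    for _ in range(10):
        pipe.process(client)
    return dict(pipe.stats)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the division of labour: the analytics side only ever calls `inject_block` and `withdraw_block`, while the per-packet decision is three table lookups with no analysis in the data path, which is what lets the real pipeline keep line-rate regardless of how many block rules are installed.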