Got a Byte?

Reeling in system-on-a-chip processing helps solve VPN performance problems

Unauthorized access to networks has increased over the past few years, replacing denial of service (DoS) as the second most significant contributor to computer crime losses, according to the Computer Security Institute and FBI. Theft of proprietary information also showed a significant increase in average loss per respondent. Both threats can be addressed with virtual private network (VPN) technology, which protects data in transit and controls access to proprietary data assets. As a result, the market for remote access and site-to-site VPN technologies that secure data transmissions over potentially unsafe networks has grown significantly over the past 10 years.

There are three fundamental requirements for data protection on the network: confidentiality, integrity, and authentication and authorization. Identities need to be protected to ensure that information is exchanged only between the intended parties, and that information or a service is available to a user only if that person has the appropriate rights to access the information or use the service.

To meet requirements for secure data communication, organizations deploy a wide range of security measures within networks. Typical network appliances that require strong security include enterprise switch and router products, networked office automation solutions and printers and storage area networking devices (iSCSI, FC-SP).

With the rise of real-time, data-intensive applications, such as VoIP and streaming video, VPN security technologies, such as IPsec and SSL, have become bottlenecks to the overall performance of business applications.

Security in Silicon
VPN security systems rely on cryptography to ensure confidentiality, authentication and data integrity of communications over potentially unsafe networks. Encryption is the foundation of security protocols such as Internet protocol security (IPsec), secure sockets layer (SSL) and secure multi-protocol label switching (MPLS).

Various cryptographic algorithms have been developed to address the increasing demand for security. Hashing algorithms, such as SHA-256, help preserve data integrity and are used for digital signatures. Public-key cryptography is mainly used for key generation, exchange, key confidentiality, signing and signature verification. Symmetric crypto algorithms are mainly used for data confidentiality.

Because of their complexity, cryptographic algorithms are generally computation-intensive. Symmetric encryption and decryption algorithms like DES and Triple-DES require many bit-manipulating operations. Traditional security system designs that run cryptographic software on a general-purpose processor are often inefficient at performing these operations. The many instructions needed to carry out cryptographic operations simply overwhelm today's CPUs, adversely affecting overall system performance and scalability, and making software-based cryptography an unsuitable option for high-performance security processing.

The more effective alternative to software is dedicated cryptographic hardware acceleration in silicon. Dedicated hardware allows for efficient, high-performance implementations of cryptographic operations because the hardware logic is designed specifically to execute cryptographic algorithms, greatly outperforming software. While a general-purpose CPU requires many instructions to execute a software-based crypto operation, dedicated hardware crypto implementations offload the processing to silicon cells designed to perform only cryptographic operations, greatly improving performance. The efficiency of dedicated hardware also brings the advantage of reduced power consumption compared to software-based crypto.

Another benefit of hardware implementations is reduced vulnerability to security threats. While it may not be very difficult to alter security software running on a general-purpose CPU processor, it is far more complex and expensive to tamper with a cryptographic security engine embedded in a chip.

Small-Packet Challenge
While IPsec security processing of large IP packets (1,500 bytes) has been accelerated to multi-Gigabit performance in many VPN systems, achieving the same performance levels for small packets (64 bytes) has proven to be a challenge. Because the percentage of overhead data and associated per-packet processing is much higher for a given data stream of small packets than it is for large packets, the performance of small-packet security processing has been a problem for security system designers. And throwing massive computing power at the problem is often not a cost-effective solution.

The architectural bottleneck to higher performance comes from the fact that each packet needs to be processed by a general-purpose CPU before and after it gets offloaded for security processing to the embedded security accelerator. For small packets, this CPU processing burden is higher compared to larger packets. The situation is becoming increasingly critical with the rise of small packets in data traffic, mostly driven by real-time applications such as VoIP.
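As an added illustration of the overhead argument above (this script is not part of the original article), the following Python computes, for a 64-byte and a 1,500-byte inner packet, the ESP tunnel-mode packet size, the share of it that is payload, the packet rate that fills a 1 Gbit/s Ethernet link, and the cycle budget a 1 GHz host CPU gets per packet. It assumes the common AES-128-CBC with HMAC-SHA1-96 transform over IPv4 and standard Ethernet framing; those choices, the constants and the function names are mine, not the article's.

```python
"""IPsec ESP tunnel-mode overhead and per-packet CPU budget (added example).

Constructed illustration of the small-packet problem. Assumes AES-128-CBC
with HMAC-SHA1-96 over IPv4 and a 1 Gbit/s Ethernet link; nothing here is
taken from the original article.
"""

OUTER_IPV4_HDR = 20     # new IP header added in tunnel mode
ESP_HDR = 8             # SPI (4 bytes) + sequence number (4 bytes)
AES_BLOCK = 16          # AES-CBC block size; the IV is one block
ESP_TRAILER = 2         # pad length (1 byte) + next header (1 byte)
ICV = 12                # HMAC-SHA1-96 truncated authenticator
ETH_WIRE_OVERHEAD = 38  # 14 Ethernet header + 4 FCS + 8 preamble + 12 IFG


def esp_padding(inner_len: int) -> int:
    """Padding that makes payload + trailer a whole number of AES blocks."""
    return (AES_BLOCK - (inner_len + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK


def esp_tunnel_length(inner_len: int) -> int:
    """Size of the IPv4 packet after ESP tunnel-mode encapsulation."""
    return (OUTER_IPV4_HDR + ESP_HDR + AES_BLOCK + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + ICV)


def goodput_fraction(inner_len: int) -> float:
    """Share of the encapsulated packet that is the original inner packet."""
    return inner_len / esp_tunnel_length(inner_len)


def packets_per_second(inner_len: int, line_rate_bps: float = 1e9) -> float:
    """Packet rate that saturates the link with packets of this inner size."""
    wire_bits = 8 * (esp_tunnel_length(inner_len) + ETH_WIRE_OVERHEAD)
    return line_rate_bps / wire_bits


def cpu_cycles_per_packet(inner_len: int, clock_hz: float = 1e9,
                          line_rate_bps: float = 1e9) -> float:
    """Clock cycles a look-aside host CPU can spend on each packet at line rate."""
    return clock_hz / packets_per_second(inner_len, line_rate_bps)


if __name__ == "__main__":
    for size in (64, 1500):
        print(f"inner {size:5d} B -> wire {esp_tunnel_length(size):5d} B, "
              f"goodput {goodput_fraction(size):5.1%}, "
              f"{packets_per_second(size):10.0f} pps, "
              f"{cpu_cycles_per_packet(size):6.0f} cycles/packet")
```

With these assumptions a 64-byte packet grows to 136 bytes (more than half overhead) and the link carries over 700,000 packets per second, leaving a look-aside host about 1,400 cycles for everything it does to each packet; at 1,500 bytes the budget is roughly nine times larger. That is why per-packet host work, not raw cipher throughput, sets the small-packet ceiling.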

In traditional VPN security architectures, hardware acceleration is usually limited to dedicated modules/security processors that perform cryptographic security processing under full control of an embedded, general-purpose CPU. In these architectures, the general-purpose processor still needs to process each IP packet.

Especially at high data rates and for small packet sizes, the approach creates a significant burden on the processor, resulting in an overall throughput bottleneck.

Inline Security Processing
The latest development in security processing, and an excellent solution for the small-packet performance challenge, is a security architecture that completely and autonomously processes packets inline, offloading security processing from the CPU. In contrast to previous "look-aside" security architectures, inline security processing eliminates any data plane interaction with the general-purpose CPU core (e.g. packet classification, filtering and flow processing) and moves all of the security functions to the dedicated, inline security system. Unlike traditional security-enabled communications processors and dual-chip solutions (dedicated CPU and security coprocessor), in the inline security architecture the CPU is not involved in processing packets that belong to an existing data flow (a connection using the same protocol, addressing and source). This allows the embedded CPU to dedicate its cycles to control plane VPN functions such as flow setup and flow destruction, and to any higher-level data plane processing tasks.

The result is superior data rates across packet sizes and a significant reduction of general-purpose processor utilization for security functions.

Data Plane Offloading
To overcome the bottleneck, inline security systems implement the complete data plane functionality in a dedicated, efficient system-on-a-chip hardware system, the Inline Security Engine. The Inline Security Engine's value lies in its capability to maximize data plane offloading from a host processor to dedicated inline security hardware.

As a key element of the Inline Security Engine, packet classification and flow processor modules ensure time-consuming packet-by-packet security processing is fully offloaded from the host processor along with any cryptographic processing implemented by the Inline Packet Engine module.

The microengines operate in parallel configurations, allowing complex security operations to be performed on the packet and administration data at the highest speeds, making the inline security system more efficient than any general-purpose processor-based, look-aside system. With the engine, the general-purpose processor is not involved in processing packets that belong to an existing data flow. This allows the processor to dedicate its cycles to data flow setups and other processing tasks. The result is a high-performance security solution that delivers Gigabit-rate processing.

For every packet, classifiers and flow processors perform a sanity check, deciding how the packet needs to be processed (either by the host processor or by the packet engine) or whether it needs to be discarded (filtering). Then the engines take care of the associated administration tasks, such as transforms and flow information updates. In the system, the packet classifiers and flow processors autonomously instruct the engine as to which operation needs to be performed on the packet.

The Inline Security Engine implements various data manipulation functions on incoming data as instructed by the packet classifier and flow processor, including data insertion, data removal, data replacement, data retrieval, and crypto, hash and checksum operations. In order to achieve Gigabit-rate throughputs, the engine uses a three-stage processing pipeline.
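To make the classification and flow-processing split described above concrete, here is an added model in Python (my code, not the article's and not any vendor's design). The policy actions follow the IPsec security policy database of RFC 4301 (DISCARD, BYPASS, PROTECT); the flow table, the packet trace and the ESP-style transform are constructed stand-ins, and every name in it is an assumption for the example. Only a flow-table miss involves the host processor; every later packet of that flow is handled inline.

```python
"""Flow-based inline processing model (added example, not the article's code).

A toy classifier / flow processor: each packet is matched against a security
policy (the IPsec SPD actions DISCARD, BYPASS, PROTECT from RFC 4301), and
protected packets are looked up in a flow table. Only a flow-table miss
involves the host processor (flow setup); later packets of that flow are
handled inline. Trace and policy are constructed for the example; the
transform only prepends an ESP-style SPI/sequence header.
"""
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    DISCARD = "discard"   # filtering: packet is dropped
    BYPASS = "bypass"     # forwarded without protection
    PROTECT = "protect"   # must belong to an IPsec flow


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class FlowEntry:
    spi: int
    seq: int = 0          # ESP sequence number, updated inline per packet


@dataclass
class InlineSecurityEngine:
    # policy rules are (selector, action); first match wins, default deny
    policy: List[Tuple[Callable[[FlowKey], bool], Action]]
    flows: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    stats: Dict[str, int] = field(default_factory=lambda: {
        "host": 0, "inline": 0, "dropped": 0, "bypassed": 0})
    next_spi: int = 0x1000

    def classify(self, key: FlowKey) -> Action:
        """Packet classifier: sanity check against the policy."""
        for selector, action in self.policy:
            if selector(key):
                return action
        return Action.DISCARD

    def host_flow_setup(self, key: FlowKey) -> FlowEntry:
        """Control plane: the host CPU installs the flow (SA) once."""
        self.stats["host"] += 1
        entry = FlowEntry(spi=self.next_spi)
        self.next_spi += 1
        self.flows[key] = entry
        return entry

    def process(self, key: FlowKey, payload: bytes) -> Optional[bytes]:
        """Data plane: classify, look up the flow, apply the transform."""
        action = self.classify(key)
        if action is Action.DISCARD:
            self.stats["dropped"] += 1
            return None
        if action is Action.BYPASS:
            self.stats["bypassed"] += 1
            return payload
        entry = self.flows.get(key)
        if entry is None:
            entry = self.host_flow_setup(key)   # only the flow's first packet
        else:
            self.stats["inline"] += 1           # no host involvement at all
        entry.seq += 1
        # stand-in transform: real hardware would encrypt and authenticate here
        return struct.pack("!II", entry.spi, entry.seq) + payload


def demo_policy():
    """Constructed policy: drop telnet, pass ICMP in the clear, protect 10.0.1.x."""
    return [
        (lambda k: k.dport == 23, Action.DISCARD),
        (lambda k: k.proto == 1, Action.BYPASS),
        (lambda k: k.dst.startswith("10.0.1."), Action.PROTECT),
    ]


def demo_trace() -> List[Tuple[FlowKey, bytes]]:
    """Constructed trace: two VoIP-style UDP flows, one filtered TCP packet, one ICMP."""
    voip_sig = FlowKey("10.0.0.1", "10.0.1.1", 17, 5060, 5060)
    voip_rtp = FlowKey("10.0.0.2", "10.0.1.1", 17, 20000, 20000)
    telnet = FlowKey("10.0.0.3", "10.0.1.1", 6, 40000, 23)
    ping = FlowKey("10.0.0.1", "10.0.1.1", 1, 0, 0)
    trace = [(voip_sig, b"INVITE")] + [(voip_rtp, b"rtp")] * 4
    trace += [(voip_sig, b"ACK")] * 3 + [(telnet, b"login")] + [(ping, b"echo")]
    return trace


def run_trace(engine: InlineSecurityEngine, trace) -> Dict[str, int]:
    """Push every packet through the engine and return the counters."""
    for key, payload in trace:
        engine.process(key, payload)
    return dict(engine.stats)


if __name__ == "__main__":
    eng = InlineSecurityEngine(policy=demo_policy())
    print(run_trace(eng, demo_trace()))
```

Of the ten packets in the constructed trace, the host is touched twice (once per new flow); the remaining six protected packets, the filtered packet and the bypassed packet never reach it, which is the division of labour the article attributes to the packet classifier and flow processor.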

Inline security processing takes a step beyond traditional security architectures by deploying dedicated security hardware for full data plane packet classification, filtering and flow processing for every packet. The result is superior data rates across all packet sizes and a reduction of general-purpose processor use for VPN security functions. Its performance for small packets makes the engine an ideal solution for securing real-time, high data rate Internet applications over IPsec VPNs.

This article originally appeared in the December 2006 issue of Security Products, pgs. 44-46.
