White Paper: Importance of Programmability in Next-Generation Security Appliances

April 26, 2021

Next-generation network security implementation is under constant evolution and is going through an architectural shift from lookaside implementation to inline implementation. With the beginning of 5G deployments and a multifold increase in the number of connected devices, the architecture for security implementation needs to be revisited and modified. 5G throughput and latency requirements are changing the access networks while also demanding extra security. This evolution is driving the following changes for network security:

  • Higher throughput for Layer-2 (MACsec) and Layer-3 security
  • Requirement for policy-based analysis at the edge/access network
  • Higher throughput and connection-count requirements for application-based security
  • Predictive analytics and malware identification using AI and ML
  • Implementation of new cipher algorithms for post-quantum cryptography

Along with the above requirements, network technologies like SD-WAN and 5G-UPF are being adopted more and more widely, which requires the implementation of network slicing, more VPN tunnels, and deeper packet classification. In the current generation of network security implementations, most application security is processed by software running on the CPU. While CPU capability has increased in terms of the number of cores and processing power, the rising throughput requirements cannot be handled by a software-only implementation.

Policy-based application security has changing requirements, but most of the available off-the-shelf solutions can only handle a fixed set of traffic headers and crypto protocols. Given these limitations of software and fixed ASIC-based implementations, programmable and adaptable hardware provides the ideal solution for implementing policy-based application security, and it also solves the latency challenges imposed by other programmable NPU-based architectures. Adaptable system-on-chip devices combine well-established hardened network interface and cipher IP with programmable logic and memory, making it possible to implement millions of policy rules with stateful application processing such as transport layer security (TLS) and regular expression search engines.

This white paper describes the implementation of L2-L7 security using the programmable architecture, which can be deployed for security acceleration at edge/access networks and in next-generation firewalls (NGFW) in enterprise networks.
