A ransomware attack on Colonial Pipeline, a major US gasoline corporation whose pipeline spans more than 5,500 miles, forced the company to shut down all of its fuel distribution networks. It was considered one of the largest attacks of the year, and it ultimately forced Colonial Pipeline to cough up $5 million in ransom to the hackers.
Experts believe that cybercrime is only going to get more sinister with every passing year. According to a Cybersecurity Ventures estimate, cybercrime may cost the world $10.5 trillion annually by 2025.
Palo Alto Networks has developed the first virtual next-generation firewall (NGFW) that leverages NVIDIA’s BlueField data processing unit (DPU) to stay ahead of emerging threats.
Learn how NVIDIA BlueField #DPUs enabled @PaloAltoNtwks to be the first to market with intelligent Next-Generation Firewall. https://t.co/FTmaIG5xYu #NGFW #NetworkSecurity pic.twitter.com/VdvjKrBdve
— NVIDIA Networking (@NVIDIANetworkng) July 12, 2021
NVIDIA’s NGFW
The first-of-its-kind DPU-accelerated NGFW is a milestone in boosting software firewall performance and maximising data centre security and efficiency.
The DPU offloads traffic from the host processor onto specialised hardware that is separate from the server CPU. Without sacrificing network performance, the solution brings the intrusion prevention and sophisticated protection capabilities of Palo Alto Networks’ virtual NGFWs to every server.
The recently announced Palo Alto Networks VM-Series NGFW implements zero-trust network security concepts. Using the data processing unit (DPU) as an intelligent network filter, it parses, classifies and steers traffic flows while incurring negligible CPU overhead, which lets the NGFW handle up to 100Gb/s of throughput in most typical use cases. This results in a five-times performance improvement, along with a 150 per cent CAPEX reduction compared to legacy hardware.
The VM-Series, the first BlueField-enabled NGFW to market, can perform application-aware segmentation, prevent malware and block data exfiltration with the BlueField DPU. In addition, the VM-Series is automated and can be deployed in any virtual or cloud environment without interruption.
In some client situations, most traffic either does not need inspection (e.g. video, gaming and video-conferencing streams) or cannot be examined, such as encrypted traffic for which the customer cannot assign a suitable decryption policy on the firewall. In such circumstances, Smart Traffic Offload ensures optimal use of firewall resources by checking only those flows that benefit from ongoing security inspection.
Intelligent traffic offload service
Intelligent Traffic Offload (ITO) is a VM-Series firewall security subscription that lets users pair the firewall with the NVIDIA BlueField-2 DPU, which offers greater throughput for the VM-Series firewall.
Rather than inspecting every packet of a flow, ITO has the firewall inspect only the first couple of packets of each flow to determine whether the rest of the packets in that flow should be inspected or offloaded. This decision is driven by the policy behind it. As a result, VM-Series firewall performance rises without sacrificing security, while the overall burden on the firewall is reduced.
Up to 80 per cent of the network traffic in a data centre, including media and encrypted content, does not need to be inspected by a firewall. To this end, NVIDIA and Palo Alto Networks have developed a combined solution that comprises the Intelligent Traffic Offload (ITO) service, which analyses network traffic to see whether each connection can benefit from security inspection.
If the firewall determines that security inspection is unnecessary for a session, ITO instructs the BlueField-2 DPU to route all subsequent packets in that session directly to their destination, bypassing the firewall.
Security inspection is focused only on the flows that benefit from it, which reduces the total strain on the firewall and the host CPU. In turn, performance improves without a significant effect on security. As a result, ITO empowers enterprises, telcos and cloud providers to keep end users secure while speeding up their digital transformation with an NGFW running on every host, regardless of the security perimeter.
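As an added illustration (not code from NVIDIA or Palo Alto Networks), here is a small Python model of the per-flow decision described above: the first few packets of each session are inspected, the policy then decides once per flow, and every later packet of an offloaded flow bypasses the firewall. The packet threshold, the policy rules and the sample traffic are assumptions made for the model.

```python
from dataclasses import dataclass

# Assumed threshold: the article only says "the first couple of packets", so 3 is illustrative.
PACKETS_BEFORE_DECISION = 3
# Application types the article lists as not benefiting from inspection.
OFFLOADABLE_APPS = {"video", "gaming", "conferencing"}

@dataclass
class FlowState:
    packets_seen: int = 0
    decision: str = "undecided"   # becomes "inspect" or "offload"
    inspected: int = 0            # packets that traversed the firewall
    offloaded: int = 0            # packets the DPU forwarded directly

def offload_policy(pkt):
    """Toy stand-in for the firewall policy: offload media flows and encrypted
    flows that no decryption policy covers; everything else stays inspected."""
    if pkt["app"] in OFFLOADABLE_APPS:
        return "offload"
    if pkt["encrypted"] and not pkt["decrypt_policy"]:
        return "offload"
    return "inspect"

def process(packets):
    """Run packets through the ITO-style split path; returns state per 5-tuple."""
    flows = {}
    for pkt in packets:
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        st = flows.setdefault(key, FlowState())
        if st.decision == "offload":
            st.offloaded += 1           # fast path: the firewall never sees it
            continue
        st.inspected += 1               # slow path: the firewall inspects it
        st.packets_seen += 1
        if st.decision == "undecided" and st.packets_seen >= PACKETS_BEFORE_DECISION:
            st.decision = offload_policy(pkt)   # DPU is programmed once per flow
    return flows

def flow(n, sport, dport, app, encrypted, decrypt_policy):
    """Constructed sample traffic: n packets of one TCP flow to the same server."""
    return [dict(src="10.0.0.5", dst="10.0.1.9", sport=sport, dport=dport, proto="tcp",
                 app=app, encrypted=encrypted, decrypt_policy=decrypt_policy)
            for _ in range(n)]

# Constructed sample: video stream, plain web, TLS without and TLS with a decryption policy.
SAMPLE = (flow(10, 40001, 443, "video", True, False) + flow(6, 40002, 80, "web", False, False)
          + flow(5, 40003, 443, "web", True, False) + flow(4, 40004, 443, "web", True, True))
```

Once a flow is offloaded, nothing later in that session reaches the firewall, which is why the policy should offload only flows that genuinely gain nothing from inspection.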
Palo Alto Networks built the NGFW on the BlueField DPU with the help of the gRPC open-source remote procedure call framework and NVIDIA ASAP2, a hardware acceleration framework. The NVIDIA DOCA SDK, which includes a gRPC interface to BlueField and ASAP2, provided a unified platform for constructing software-defined networking, storage, security and management applications that run on BlueField DPUs, thereby meeting the increasing performance and security demands of modern data centres.