Product Attributes

　Security appliances continue to evolve

The next generation of network security implementations is continuing to evolve and undergo an architectural shift from backup to inline implementations. With the start of 5G deployments and the exponential increase in the number of connected devices, there is an urgent need for organizations to revisit and modify the architecture used for security implementations. 5G throughput and latency requirements are transforming access networks, while at the same time requiring additional security. This evolution is driving the following changes in network security.

1. higher L2 (MACSec) and L3 security throughputs.

2. the need for policy-based analysis at the edge/access side

3. application-based security requiring higher throughput and connectivity.

4. the use of AI and machine learning for predictive analytics and malware identification

5. the implementation of new cryptographic algorithms driving the development of post-quantum cryptography (QPC).

Along with the above requirements, network technologies such as SD-WAN and 5G-UPF are increasingly being adopted, which requires the implementation of network slicing, more VPN channels, and deeper packet classification. In the current generation of network security implementations, most application security is handled using software running on the CPU. While CPU performance has increased in terms of the number of cores and processing power, the increasing throughput requirements still cannot be solved by a pure software implementation.

Policy-based application security requirements are constantly changing, so most available off-the-shelf solutions can only handle a fixed set of traffic headers and encryption protocols. Due to these limitations of software and fixed ASIC-based implementations, programmable and flexible hardware provides the perfect solution for implementing policy-based application security and solves the latency challenges of other programmable NPU-based architectures.

The flexible SoC has a fully hardened network interface, cryptographic IP, and programmable logic and memory to implement millions of policy rules through stateful application processing such as TLS and regular expression search engines.

Adaptive devices are the ideal choice

Using Xilinx devices in next-generation security devices not only addresses throughput and latency issues, but other benefits include enabling new technologies such as machine learning models, Secure Access Service Edge (SASE), and post-quantum encryption.

Xilinx devices provide the ideal platform for hardware acceleration for these technologies, as performance requirements cannot be met with software-only implementations. Xilinx is continuously developing and upgrading IP, tools, software, and reference designs for existing and next-generation network security solutions.

In addition, Xilinx devices offer industry-leading memory architectures with flow classification soft search IP, making them the best choice for network security and firewall applications.

Using FPGAs as traffic processors for network security

Traffic to and from security devices (firewalls) is encrypted at multiple levels, and L2 encryption/decryption (MACSec) is processed at the link layer (L2) network nodes (switches and routers). Processing beyond the L2 (MAC layer) typically includes deeper parsing, L3 tunnel decryption (IPSec), and encrypted SSL traffic with TCP/UDP traffic. Packet processing involves the parsing and classification of incoming packets and the processing of large traffic volumes (1-20M) with high throughput (25-400Gb/s).

Due to the large number of computing resources (cores) required, NPUs can be used for relatively higher speed packet processing, but low latency, high-performance scalable traffic processing is not possible because traffic is processed using MIPS/RISC cores and scheduling such cores based on their availability is difficult. The use of FPGA-based security appliances can effectively eliminate these limitations of CPU and NPU-based architectures.