Cybercrime cost the American public more than $4 billion in reported losses over the course of 2020, according to the FBI. To stay ahead of emerging threats, Palo Alto Networks, a global cybersecurity leader, has developed the first virtual next-generation firewall (NGFW) designed to be accelerated by NVIDIA’s BlueField data processing unit (DPU).
The DPU accelerates packet filtering and forwarding by offloading traffic from the host processor to dedicated hardware that is separate from the server CPU. The solution delivers the intrusion prevention and advanced security capabilities of Palo Alto Networks’ virtual NGFWs to every server without sacrificing network performance. It also makes it possible to handle network flows that were previously impossible or impractical to inspect, by intelligently screening the relevant parts of each flow and offloading the rest to the DPU.
This hardware-accelerated software NGFW, the first to market to be accelerated by a DPU, is a milestone in boosting software firewall performance and maximizing data center security coverage and efficiency.
The recently announced DPU-enabled Palo Alto Networks VM-Series NGFW uses zero trust network security principles. The DPU operates as an intelligent network filter to parse, classify and steer traffic flows with zero CPU overhead, which enables the NGFW to support close to 100 Gb/s throughput for typical use cases. This is a 5x performance boost versus running the VM-Series firewall on a CPU alone — and up to 150 percent capex savings compared to legacy hardware.

“As enterprises and telcos build cloud-like data centers, they need the agility and automation of the cloud without compromising performance. Together with NVIDIA, we are turbocharging our VM-Series virtual ML-powered NGFWs,” said Mr Muninder Singh Sambi, Sr VP of Products at Palo Alto Networks. “The industry-leading NVIDIA BlueField DPU is ideal for cybersecurity solutions operating in cloud-like environments.”
The first BlueField-enabled NGFW to market, the VM-Series enables application-aware segmentation, prevents malware, detects new threats and stops data exfiltration, with the BlueField DPU offloading packet filtering and forwarding from the host processor.
In certain customer environments, the majority of traffic either does not need inspection (for example, streaming traffic such as video, gaming and video conferencing) or can’t be inspected, such as encrypted traffic for which the customer is unable to assign a corresponding decryption policy on the firewall. In such environments, Intelligent Traffic Offload ensures that firewall resources are used to inspect only those flows that benefit from continuous security inspection.
Up to 80 percent of network traffic, including media and encrypted data in a data center, doesn’t need to be — or can’t be — inspected by a firewall. To address this, the NVIDIA and Palo Alto Networks joint solution includes the Intelligent Traffic Offload (ITO) service, which examines network traffic to determine whether or not each session will benefit from security inspection.
The ITO service examines every session of the traffic to determine whether or not that session will benefit from security inspection. If the firewall determines that the session will not benefit from security inspection, ITO instructs the BlueField-2 DPU to forward all subsequent packets in that session directly to their destination without sending them to the firewall.
By only examining flows that can benefit from security inspection and offloading the rest to the DPU, the overall load on the firewall and the host CPU is reduced and performance increases without sacrificing security.
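The per-session decision described above, as an added simulation that is not code from NVIDIA or Palo Alto Networks: the firewall inspects the first few packets of each session, and once the session is classified as one that does not benefit from inspection (an offloadable application, or encrypted traffic with no decryption policy), its key is installed in a constructed DPU fast-path table so later packets bypass the firewall. The flow keys, application labels and `MIN_INSPECTED` threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Applications the firewall treats as not benefiting from continuous inspection
# (constructed set, mirroring the streaming examples in the article).
OFFLOAD_APPS = {"video-streaming", "gaming", "video-conferencing"}
MIN_INSPECTED = 3  # assumed: packets the firewall must see before it will offload

@dataclass(frozen=True)
class Packet:
    key: tuple                 # constructed 5-tuple (src, dst, sport, dport, proto)
    app: Optional[str]         # app-id once the firewall has classified the session
    encrypted: bool
    decryptable: bool          # True if a decryption policy covers this session

class IntelligentTrafficOffload:
    """Firewall-side decision plus the DPU fast-path table it programs."""
    def __init__(self):
        self.inspected_count = {}   # flow key -> packets seen by the firewall
        self.dpu_fast_path = set()  # flow keys the DPU forwards without the firewall
        self.stats = {"inspected": 0, "bypassed": 0}

    def benefits_from_inspection(self, pkt: Packet) -> bool:
        if pkt.app is None:               # not yet classified: keep inspecting
            return True
        if pkt.encrypted and not pkt.decryptable:
            return False                  # firewall could not see inside anyway
        return pkt.app not in OFFLOAD_APPS

    def handle(self, pkt: Packet) -> str:
        """Return 'dpu' if the packet took the fast path, else 'firewall'."""
        if pkt.key in self.dpu_fast_path:
            self.stats["bypassed"] += 1
            return "dpu"
        self.stats["inspected"] += 1
        n = self.inspected_count.get(pkt.key, 0) + 1
        self.inspected_count[pkt.key] = n
        # Offload only after enough packets to classify; this packet is still inspected.
        if n >= MIN_INSPECTED and not self.benefits_from_inspection(pkt):
            self.dpu_fast_path.add(pkt.key)
        return "firewall"

def run_demo() -> dict:
    """Feed three constructed sessions through ITO and return the counters."""
    ito = IntelligentTrafficOffload()
    video = [Packet(("10.0.0.1", "10.0.0.2", 40000, 443, "tcp"), "video-streaming", True, True)] * 10
    opaque_tls = [Packet(("10.0.0.3", "10.0.0.4", 40001, 443, "tcp"), "ssl", True, False)] * 5
    web = [Packet(("10.0.0.5", "10.0.0.6", 40002, 80, "tcp"), "web-browsing", False, False)] * 4
    for pkt in video + opaque_tls + web:
        ito.handle(pkt)
    return ito.stats
```

The web session is never offloaded, so every one of its packets reaches the firewall; the two offloaded sessions each cost the firewall only their first three packets.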
The ITO empowers enterprise, telco and cloud operators to protect end-users with an NGFW that can run on every host in a zero trust environment, helping expedite their digital transformation while keeping them safe from a myriad of cyberthreats. Palo Alto Networks’ integration with the NVIDIA BlueField DPU allows the ITO service to intelligently offload traffic that does not benefit from further security inspection.