Nvidia and Palo Alto Promise Huge Virtual Firewall Performance Bump with BlueField DPU
The cybersecurity company says offloading to the accelerator means switching to virtual firewalls no longer comes with a performance tax.
Palo Alto Networks, a heavyweight in the enterprise cybersecurity space, is jumping on the accelerator train. The company will make its next-generation virtual firewalls run on Nvidia’s BlueField-2 DPU, promising a five-fold performance increase to enterprises and service providers.
That would be a huge leap in performance for enterprises with hundreds to thousands of virtual software firewalls in their private cloud environments and for service providers that rely on firewalls to secure their large networks, Muninder Singh Sambi, Palo Alto’s senior VP of products, told DCK. Switching from a dedicated hardware firewall to a virtual one would no longer mean having to accept slower network speed.
“It’s better security without compromising performance,” Sambi said.
Nvidia’s recently introduced BlueField-2 family of DPUs are dedicated infrastructure processors designed to offload processing tasks like security and network and storage management to lighten the load on CPUs, leaving more resources for main application processing.
With BlueField DPU, Nvidia Is Ahead of Rivals in a New Market
Chipmakers have been racing to develop their entries for the emerging DPU accelerator market. These processors improve data center performance, efficiency, and cost effectiveness, Jim McGregor, a principal analyst at TIRIAS Research, told DCK.
Palo Alto Networks and Nvidia have collaborated on the DPU-enabled VM-Series next-generation firewall for about a year, said Sambi, adding that the product is meant for service providers and enterprises with hyperscale security needs.
Palo Alto turned to DPUs because its customers were asking for the technology, and it partnered with Nvidia because the chipmaker developed a DPU that fit its needs, according to him.
“The timing was right,” he said. “We see a growing need for this.”
Nvidia began shipping the BlueField-2 DPU in April; Intel unveiled its own DPU, called the Infrastructure Processing Unit, in June; Marvell (also in June) announced ts OCTEON 10 DPU; and Xilinx, which has made a deal to be acquired by AMD, announced its Versal HBM accelerator last week.
“All these guys are coming at it from different angles and slightly different ways,” McGregor said, but Nvidia is a pioneer in the space and has an early market lead. “The one out front is Nvidia, but it’s still a nascent market.”
Nvidia also has an advantage in its software tools that enable developers to optimize their applications to run on its DPUs, he said. They can use Nvidia’s DOCA software development kit to write applications that take advantage of the processor’s capabilities.
Its partnership with Palo Alto Networks is the latest sign that Nvidia DPUs are gaining traction. Server manufacturers such as Dell Technologies, Fujitsu, Inspur, Lenovo, and Supermicro integrating Nvidia DPUs into their servers.
Enterprise data center software companies including VMware, Red Hat, Canonical, and Check Point Software Technologies all support Nvidia DPUs as well. As part of its Project Monterey initiative, VMware is working with Nvidia to offload not just networking, security, and storage management tasks to the DPU, but also the hypervisor itself.
Nvidia DPUs are based on SmartNIC cards by Mellanox, which Nvidia acquired for $7 billion in 2019; silicon by Arm, the British processor giant that agreed to be acquired by Nvidia for $40 billion in 2020; and Nvidia’s own GPU accelerators.
“The combination of the (Mellanox) ConnectX adapter, Arm cores, and accelerators is super powerful,” Kevin Deierling, Nvidia’s senior VP of networking, told DCK.
How Nvidia BlueField DPU Speeds Up Palo Alto’s Virtual Firewall
Nvidia and Palo Alto Networks together build the Intelligent Traffic Offload (ITO) service, which identifies network traffic that needs security inspection, according to a blog post by Nvidia.
About 80 percent of network traffic either doesn’t have to or cannot be inspected by a firewall. That includes streaming traffic, such as video, games, and video conferencing, and encrypted traffic, the blog post said.
If the firewall decides a session doesn’t benefit from inspection, the ITO tells the BlueField-2 DPU to forward all the subsequent packets in that session directly to their destination, without sending them to the firewall.
For example, if an enterprise user is on a video conference and the x86 CPU determines that the traffic isn’t malicious, it offloads the rest of the video conference to DPU, Nvidia’s Deierling explained. With 80 percent of the network traffic offloaded to the DPU, the remaining 20 percent goes to the x86 CPU for deeper packet inspection.
“By only examining flows that can benefit from security inspection and offloading the rest to the DPU, the overall load on the firewall and the host CPU is reduced and performance increases without sacrificing security,” the blog post said.
Faster speed also means enterprises and service providers can meet their firewall needs with fewer servers, resulting in up to 150 percent capex savings, the two companies estimated.
Palo Alto Networks’ partnership with Nvidia is not exclusive. The cybersecurity company is also prototyping DPUs from other vendors. “We think this is just the start of the journey. More things are coming our way,” Palo Alto’s Sambi said.
About the Author
You May Also Like