Hyperscale data centers have particular needs when it comes to storage, networking and security. Cloud-scale enterprises and telcos have found that a key strategy for allowing clouds and 5G to scale has been taking advantage of smart network interface (SmartNIC) and data processing units (DPUs) to offload networking functions. With the recently announced Intelligent Traffic Offload (ITO) service from Palo Alto Networks, enterprises and telcos can now utilize the same SmartNIC or DPU investments used for storage and networking to scale security capabilities. This is a fundamental shift in how security is done, moving from traditional firewalling at the perimeter, closer to distributed apps that live at the edge.
To enable customers to standardize SmartNICs and DPUs across their entire environment, which includes storage, networking and security, Palo Alto Networks has built an open, API-driven, extensible technology with leading SmartNIC and DPU vendors such as NVIDIA. This technology dramatically improves virtual firewall performance by up to 5x by offloading traffic that does not benefit from firewall inspection to SmartNICs and DPUs. The goal of this approach is to enable security functions on any Smart NIC or DPU; our APIs are publicly available on GitHub.
Ideally, organizations would virtualize firewalls at the same time that they virtualize the rest of their infrastructure. Unfortunately, virtual firewalls haven’t been able to handle the scale that service provider and hyperscale environments require. Service providers and cloud-scale enterprises have instead been forced into making an expensive choice between deploying massive hardware firewalls or massive numbers of virtual firewalls to ensure performance at scale – until now.
In certain service provider and hyperscale data center environments, up to 80% of traffic – including media and encrypted traffic – does not benefit from security inspection. For example, imagine streaming media traffic from a trusted source, such as an online class. This traffic consumes a tremendous amount of bandwidth, but it has very little security value. Thus, there is no security benefit for passing that traffic through a firewall.
When the ITO service is enabled on a VM-Series virtual NGFW, it can intelligently identify flows that will benefit from security inspection – and those that will not, such as our streaming media example. When a flow that won’t benefit from inspection is identified, ITO offloads the traffic to the SmartNIC or DPU, allowing it to bypass inspection. This ensures the 20% of traffic that will benefit from inspection is protected, without wasting resources on inspecting traffic that cannot benefit from inspection. The result? Capital expenditure savings of up to 150%.
Don’t just hear it from Palo Alto Networks. Hear it from Nvidia, who helped us build Intelligent Traffic Offload:
"Growing trends such as 5G, cloud native and hybrid cloud architectures demand that enterprise data centers assume a zero trust security posture to navigate emerging cyberthreats," said Ash Bhalgat, Senior Director, Cloud, Telco and Cybersecurity Market Development at NVIDIA. "NVIDIA BlueField DPUs drastically improve performance for security and other software-defined functions by offloading, accelerating and isolating them from the host CPU. Through our collaboration with Palo Alto Networks on the first BlueField2-enabled virtual NGFW available on the market, NVIDIA is enabling enterprise customers to supercharge their digital transformation with extreme efficiency while staying ahead of cyberthreats."
Read more details about ITO.