Safe At Any Speed?

Content-inspection accelerators rev up application-layer security.

Here's the dilemma: How do you handle staggering traffic loads and maintain the gigabit-plus speeds required to keep your business running, and still combat application-layer threats in real time?

The answer may be in the new content-inspection accelerator market, whose three early entrants--NetLogic, Sensory Networks and Tarari--offer chips and boards that offload signature- and pattern-matching processes from CPUs.

"Increasing network data rates hit certain bottlenecks; the first was encryption," says Bob Wheeler, analyst for The Linley Group and coauthor of the report, "A Guide to Security and Content Processors." "These companies focus on a different bottleneck in apps such as antivirus, content filtering and antispam that look into the payload of every packet--a very memory-intensive processing task."

The key is accuracy and low-latency, says Ratinder Paul Singh Ahuja, COO/ CTO of Reconnex, whose iGuard appliances, using Tarari acceleration boards, inspect traffic for evidence of user policy violations. "It's computer intensive, and we need gigabit speed," he says.

Unified threat management (UTM) and intrusion prevention (IPS) are also driving this market from the security side, along with high-volume, high-speed requirements for content-based switching and load balancing in data centers.

"You can get there in software, but to address the performance requirement, hardware flattens out the curve--you can do 50 things really fast," says Vik Phatak, CTO, Ambiron TrustWave, whose ipANGEL line of IPS appliances (acquired from Lucid Security in June) incorporate Sensory Networks cards.

UTM is an attractive market for this technology, offering multiple security applications in one pass on a single appliance. "You get three apps at a baseline cost of one appliance, with a 10-to-20 percent premium per app," says Sab Gosal, Sensory Networks' VP of marketing.

These accelerators make highly sophisticated use of regular expressions and sophisticated pattern-matching algorithms that, relatively quickly, can be adapted to new applications as the security market changes. Vendors, meanwhile, can upgrade existing appliances through standard boards or adapt accelerator chips to develop new products without designing custom ASICs.

"The biggest challenge is that most OEMs or software vendors have an existing code base and are trying to accelerate one portion of an app using this hardware," says Linley Group's Wheeler. "The challenge is making the software port easy."

The future? These accelerators, starting with NetLogic's NetL7 chips, which are being used in development by enterprises, will be capable of 10 Gbps--and more through use of multiple chips and cards. Applications will include CPU-intensive XML processing, and customer services from Internet providers, who will save money by realizing economies of scale in providing, for example, free antivirus for customers using fewer, higher-performance appliances.