The Need for on-demand Network Security
As a Gartner report pointed out in 2016, more than 30% of advanced cyber threats, such as DDoS, data breaches, and ransomware, will target the most vulnerable edge networks of SMEs or remote business branches, where IT management is more concerned with budget, service flexibility and manageability. To build sustainable measures against the latest emerging cyber threats, these organizations need flexible, on-demand, software-defined security to achieve total zone defense for their networks. With the trend toward NFV and vCPE network virtualization infrastructures, SMEs and branch offices should employ x86 open compute vCPE platforms and SD-Security to simplify their edge security operations and deliver service agility while maintaining OPEX efficiency and elasticity.
Deployment of vCPE devices at Edge Network
Given the budget concerns of SMEs and branch offices, adopting open-architecture vCPE appliances at the edge network is both an optimal and a flexible way to meet the requirements of on-demand network security against cyber attacks. The open compute nature allows SD-Security deployment, which offers higher service agility through software-based remote management. With security VNFs properly configured, IT personnel can remotely deploy security measures, such as URL filtering and IPS/IDS, to the vCPE devices at branch offices and mitigate newly emerging cyber threats.
Because small and medium corporate environments may have few or no on-site IT staff, SMEs and enterprises may also rely on MSPs (Managed Service Providers) to remotely manage and control their networks. Remote management, remote accessibility and software-based configuration are therefore essential requirements for MSPs and MSSPs.
An optimal virtual CPE hardware solution should have the following characteristics:
Multi-Core Processor with Virtualization Engine
The open vCPE platform must be powered by processors equipped with a virtualization engine to support virtualized network functions. A CPU with multiple processing cores is highly beneficial for virtualized network applications, as it assists with VNF load balancing and performance enhancement.
Hardware-Assisted Cryptographic Engine
Cryptographic technology is essential in cyber security applications, and built-in hardware cryptography accelerates cryptographic performance.
Advanced LAN Bypass
LAN bypass is a critical fault-tolerance design that allows uninterrupted network traffic even if a single in-line appliance is shut down or hangs. The bypass functionality has constantly been improved for greater reliability and control.
Multi-Gigabit Throughput and Bandwidth
The required system shall provide multiple GbE LAN outputs designed with efficient PHY control to run vCPE operations. Considering the possible growth of user counts in the branch office, scalable network I/O expansion capability is also a must for a future-proof design.
Fig. On-Demand SD-Security Architecture Diagram
Lanner Solutions for vCPE Network Appliances
FW-7573A + IXM204: 6x GbE RJ45 ports + 2x 10GbE SFP+ cages
Lanner’s FW-7573A is a cost-effective DDoS and data breach mitigation appliance primarily oriented to small and medium-sized enterprises, branch offices, remote sites, MSSPs (Managed Security Service Providers) and service-provider CPE (Customer Premise Equipment). FW-7573A is built as a 1U rackmount system powered by the Intel® Atom™ C2758 8-core CPU, with 6 x RJ-45 GbE LAN ports (plus an additional 2 x 10GbE SFP ports via the NCS-IXM204 module), a hardware crypto engine, LAN bypass and a NIC expansion module slot for bandwidth scalability options of 1G, 10G, or 40G over copper or fiber cabling.
FW-7573A utilizes the cutting-edge capabilities of the Intel® Atom™ C2758 8-core SoC (formerly Rangeley). The CPU offers up to 8 cores and virtualization technology that are beneficial for vCPE and software-defined firewalls. The Intel® Atom™ processor also comes with built-in Intel® QuickAssist Crypto acceleration, boosting various on-demand security applications for SMB to Enterprise environments.
Regarding bandwidth for vCPE in SME and branch environments, FW-7573A supports six RJ-45 GbE LAN ports by default and two additional 10GbE SFP ports via the NCS-IXM204 module. System deployment professionals may also choose a configuration of 14 RJ-45 GbE LAN ports (6 by default, and 8 from the PCIe x8 3rd-generation interface NIC module) for higher port density.
Other hardware features include two ECC/non-ECC DDR3 1333/1600MHz UDIMM sockets, one cooling fan, and an ATX power supply.