Embedded Appliances for IPSec Offload: High-Performance Virtual Private Networking with Reduced Total Cost of Ownership (TCO)
SD-WAN at Scale

By Krut Patel – Hardware Design Engineer

18 October 2018

As cyber-attacks grow in sophistication and effectiveness, concern over traffic interception, and over the collection and use of unencrypted information, has kindled a global demand for privacy protection. The result has been a massive increase in the use of encryption at the server access layer (firewalls, load balancers, virtual switches and virtual routers) and exponential growth in the processing needed for network communication. Encryption is now the standard for cloud-based applications, where it protects the confidentiality and integrity of data passed between locations.

A Virtual Private Network (VPN) device provides a means by which remote computers communicate securely across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote user and a LAN (remote-access VPN). The traffic between these two points passes through shared resources, such as routers, switches and other network equipment, that make up the public WAN. To secure the VPN communication while it crosses the WAN, the two participants establish an IP Security (IPsec) tunnel. IPsec is a suite of related IETF protocol standards for cryptographically securing communications at the IP packet layer.


IPsec Overview

IPsec is a framework of open standards for cryptographically secure private communication over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec provides confidentiality, integrity and data-origin authentication for communication across a public network, and is therefore a necessary component of a standards-based, flexible solution for deploying a network-wide security policy. IPsec protects IP datagrams by defining how to specify what traffic to protect (the selectors in the Security Policy Database), how that traffic is to be protected (the Security Association, with its ESP or AH protocol, algorithms and keys, normally negotiated with IKE), and to whom to send the protected traffic (the peer gateway or host).

The benefits of IPsec are as follows:

  • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
  • IPsec sits below the transport layer (TCP, UDP), so it is transparent to applications.
  • IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
  • IPsec can provide security for individual users or clients if needed.


IPsec VPN Use Cases

IPsec VPNs encrypt data and secure traffic in the following scenarios:

Site-to-Site VPN: In site-to-site scenarios, IPsec VPN gateways encrypt traffic between two or more locations, protecting the confidentiality and integrity of the data passed between them. Each VPN gateway acts as an aggregator: it collects traffic from the many hosts at its site and encrypts it into one or more tunnels to the peer site, and the gateway at the other end of the connection decrypts the traffic and delivers it to the destination hosts. Multiple IPsec VPN gateways can be deployed to increase the aggregate IPsec bandwidth between the sites.

Client(s) to VPN Gateway: As mobile computing platforms mature and gain processing power, network bandwidth and usability features, they become viable platforms for the increasing demands of business applications. This is a welcome development for enterprises that seek to enhance productivity by taking advantage of a mobile workforce. In the client-to-gateway scenario, an IPsec VPN gateway is deployed as an aggregation point for incoming VPN connections from clients such as mobile devices, each of which negotiates its own tunnel with the gateway.

IPsec Offload Processing

The IPsec protocol suite authenticates and, with ESP, encrypts every IP packet of a communication session, so the cryptographic work scales with packet rate and throughput rather than with the number of sessions. Per-packet encryption and decryption is compute-intensive, and a VPN gateway that performs it on general-purpose CPUs can therefore carry an order of magnitude higher Total Cost of Ownership (TCO) than an IPsec gateway that offloads the encryption to hardware.
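The per-packet work described above, together with the three questions the IPsec overview raised (what traffic to protect, how, and to whom), is exactly what a software gateway spends CPU cycles on and what an offload engine takes over: a policy lookup in the SPD, ESP framing of the packet, an integrity check value, and the anti-replay window on receipt. The following is an added Python example, not code from this page or from Interface Masters. It uses NULL encryption (RFC 2410) so the ESP framing stays readable, HMAC-SHA256-128 from the standard library in place of a hardware engine, and a constructed key, inner packet and two-entry SPD; real deployments use an AEAD such as AES-GCM and negotiate keys with IKEv2.

```python
"""Software IPsec data path in miniature (RFC 4301/4303): SPD lookup, ESP framing, ICV, anti-replay."""
import hashlib, hmac, struct
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ICV_LEN = 16          # HMAC-SHA256-128 truncation (RFC 4868)
REPLAY_WINDOW = 64    # RFC 4303 requires support for a window of at least 32

@dataclass
class Policy:         # one SPD entry: "what traffic to protect" and which SA protects it
    src: IPv4Network
    dst: IPv4Network
    action: str       # "PROTECT", "BYPASS" or "DISCARD"
    spi: int = 0      # SA to use when action == "PROTECT"

def spd_lookup(spd, src, dst):
    """First match wins; traffic matching no entry is DISCARDed (RFC 4301 default)."""
    s, d = ip_address(src), ip_address(dst)
    for policy in spd:
        if s in policy.src and d in policy.dst:
            return policy
    return Policy(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "DISCARD")

@dataclass
class SA:             # one ESP Security Association: "how to protect it" plus per-SA state
    spi: int
    auth_key: bytes         # constructed test key in demo(), never a real one
    seq_out: int = 0        # last sequence number sent
    replay_top: int = 0     # highest sequence number accepted so far
    replay_bitmap: int = 0  # bit i set => seq (replay_top - i) already seen

def esp_encapsulate(sa, inner_packet, next_header=4):
    """SPI | Seq | payload | padding | pad len | next header | ICV. next_header 4 = IPv4
    inside (tunnel mode); the ICV covers everything from the SPI to the next-header byte."""
    if sa.seq_out == 0xFFFFFFFF:
        raise OverflowError("sequence number exhausted: rekey the SA")
    sa.seq_out += 1
    pad_len = (-(len(inner_packet) + 2)) % 4      # 4-byte alignment of the trailer
    padding = bytes(range(1, pad_len + 1))        # 1, 2, 3, ... as RFC 4303 specifies
    body = (struct.pack("!II", sa.spi, sa.seq_out) + inner_packet + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def replay_check(sa, seq):
    """RFC 4303 3.4.3 pre-check, run before the costly ICV verification; raises on rejection."""
    if seq == 0:
        raise ValueError("replay: sequence number 0 is never transmitted")
    if seq > sa.replay_top:
        return                                    # right of the window: a new packet
    if seq <= sa.replay_top - REPLAY_WINDOW:
        raise ValueError("replay: sequence number older than the window")
    if sa.replay_bitmap & (1 << (sa.replay_top - seq)):
        raise ValueError("replay: duplicate sequence number")

def replay_update(sa, seq):
    """Slide the window or set the bit; called only after the ICV has verified."""
    if seq > sa.replay_top:
        shift = seq - sa.replay_top
        sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.replay_top = seq
    else:
        sa.replay_bitmap |= 1 << (sa.replay_top - seq)

def esp_decapsulate(sa, esp_packet):
    """Inbound order per RFC 4303: SPI match, replay pre-check, ICV, window update, strip trailer."""
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", esp_packet[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    replay_check(sa, seq)
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        raise ValueError("ICV mismatch: packet forged or corrupted")
    replay_update(sa, seq)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("bad pad length")
    return next_header, body[8:len(body) - 2 - pad_len]

def demo():
    """Constructed SPD, key and inner packet; returns the outcome of each step."""
    spd = [Policy(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), "PROTECT", 0x1000),
           Policy(ip_network("10.1.0.0/16"), ip_network("10.1.0.0/16"), "BYPASS")]
    key = bytes(range(32))                        # constructed, not a secret
    tx, rx = SA(0x1000, key), SA(0x1000, key)     # sender and receiver state for one SA
    inner = b"\x45\x00\x00\x1c" + b"\x00" * 24    # constructed 28-byte IPv4 packet
    first, second = esp_encapsulate(tx, inner), esp_encapsulate(tx, inner)
    out = {"policy": spd_lookup(spd, "10.1.7.7", "10.2.3.3").action,
           "in_order": esp_decapsulate(rx, second)[1] == inner,
           "reordered": esp_decapsulate(rx, first)[1] == inner}
    try:
        esp_decapsulate(rx, first)                # the same packet replayed
        out["replay_dropped"] = False
    except ValueError:
        out["replay_dropped"] = True
    return out
```

Calling demo() reports the policy decision, in-order and reordered delivery inside the window, and the replayed packet being dropped. Two ordering details matter for any implementation, hardware or software: the replay pre-check runs before the ICV verification, so a flood of replayed packets is rejected before any cryptography is spent on it, and the window is advanced only after the ICV verifies, so an attacker cannot inject forged packets with high sequence numbers to slide the window and silence legitimate traffic.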

For site-to-site VPN scenarios, VPN gateways with IPsec hardware offload hand the encryption and decryption of network traffic to specialized adapters, leaving the system CPU free for the work that typically remains in software: policy lookup, IKE negotiation and rekeying, logging and other security and management tasks. Using one or more such adapters per VPN gateway increases the IPsec bandwidth each gateway can deliver and so reduces TCO, since fewer gateways are required than with software-only encryption.

Similarly, a hardware-offload IPsec VPN gateway serving as an aggregation point for incoming VPN connections moves encryption and decryption to specialized hardware and frees CPU cycles on the gateway. A typical software-based VPN tunnel aggregator may support a few thousand tunnels, each connected to a different client device, and typically requires a high-end server to do so. An IPsec VPN gateway with offload processing, on the other hand, may support an order of magnitude more connections while sustaining line-rate aggregate bandwidth.

Interface Masters Technologies' embedded network appliances with hardware-based IPsec offload enable high-performance site-to-site and client-to-site VPN at reduced TCO. Beyond industry-leading performance, the Interface Masters appliance-based IPsec VPN gateway both increases network security and minimizes deployment and operational costs by removing costly per-user and per-network configuration. The embedded appliance with IPsec acceleration was designed for security and network appliance manufacturers, enterprise IT organizations and system integrators, to provide industry-leading performance at a fraction of the cost of other solutions. Without compromising any enterprise security capability, the appliances allow network equipment with the highest levels of data privacy to be deployed while maintaining multi-gigabit, line-rate network performance.

Interface Masters Technologies' embedded network appliances are scalable network security platforms that provide the hardware and software foundation for IPsec offload processing. The appliances use off-the-shelf server hardware to enable fully integrated network security appliances that support high-performance threat protection, including real-time memory and deep packet inspection. The platform portfolio also includes foundational software and open interfaces for management and orchestration, which simplifies operation and eases integration. From a deployment perspective, the platforms can be equipped to support network security appliance deployments in enterprise, small-business or branch-office environments.

Interface Masters Technologies has for over 20 years provided off-the-shelf, innovative networking solutions with customization services to OEMs, Fortune 100 companies and startups. We are headquartered in San Jose, California, in the heart of Silicon Valley, where we proudly design and manufacture all of our products. Based on MIPS, ARM, PowerPC and x86 processors, Interface Masters appliance models enable OEMs to significantly reduce time-to-market with reliable, pre-tested and pre-integrated appliance solutions that meet the most challenging networking requirements.

Copyright © 2018 | Interface Masters Technologies