Imagine: Massively scalable multi-core security

Desktops and servers are being transformed by virtualization and multi-core CPUs, but that effect is a bit harder to see in security. Multi-core CPUs especially hold the possibility of completely transforming how and where we do security. One of the effects is to shift more of the security functions into the network. Another may be to radically change the software architecture within and across security appliances.

MORE ON SECURITY: US military learning cybersecurity lessons from businesses

To really grasp the implications we have to think a few generations of hardware ahead: not about a security appliance with four cores, but about one with 256, 1,024 or even 32,768 cores. It's a whole different ballgame.

A common feature promoted by vendors of certain security appliances is about "cracking the packet only once," then applying lots of security functions in parallel. The idea is that you can reduce latency by reducing the number of times the packet has to be copied and decoded by a protocol analyzer. This type of thinking reflects the training developers receive to operate in a CPU-constrained world. But multi-core changes all that, as eloquently described by Intel's James Reinders in a recent interview.

Programming in a multi-core environment forces developers to rethink traditional programming practices and optimize for data location rather than CPU cycles. In a multi-core world, "cracking the packet" and redoing all the protocol analysis, on each core in parallel, is more efficient than doing it once and then sharing the results among cores. That's because CPU cycles become abundant and the bottleneck shifts from computation to data replication between cores. In other words, if you need the results of a calculation, it is "cheaper" to recalculate it in every core than to shuttle a variable around.

Now, imagine a security appliance with thousands of cores and how it could be used to do computationally intensive security such as protocol analysis, pattern matching, heuristics, modeling, sandboxing (emulation), etc. Many of these functions have relied on ASICs or FPGAs and enormous R&D cost to customize hardware to the needs of specific security functions. But multi-core systems offer a different approach: simple commodity hardware with sophisticated parallel-processing software instead of simple software on custom hardware.

As in many other areas of security, the bad guys figured this out first. Using graphics chips (GPUs) instead of CPUs, hackers are able to crunch thousands of passwords, for example, by taking advantage of the GPUs' ability to do matrix and vector manipulation at extreme speeds. Turns out that the mathematics of ray-tracing or perspective-shifting that are used in games are remarkably similar to the math used in cryptography and hash functions like AES and SHA. So the bad guys use graphics chips to make password-cracking supercomputers.

A network of multi-core security appliances would not only have abundant processing capability to do computationally expensive tasks, but it would also leave a lot of spare capacity "out of hours" that will go to waste. That is, unless we take a page from cloud computing, virtualization and spare-cycle scavenging projects like SETI@Home. The security appliance of the future could be switching workloads (security VMotion, anyone?), acting as a pool of resources for security. Pattern matching IDS sigs in the daytime, then crunching logs and doing correlation perhaps during the night.

A massively scalable multi-core future is coming and it will transform security just like it has data centers, desktops and business intelligence/analytics. What would you do with a 32k-core security device?

Read more about wide area network in Network World's Wide Area Network section.

Tags intelmulti-core

Show Comments