NPC: Network chip makers focus on security

With the market for network processors stalled in the doldrums of slow investment by enterprises and carriers, some vendors of the chips for handling network tasks have turned to one of the few topics that is getting potential customers’ attention these days: security.

While one established maker of chips for network security unveiled six products this week at Network Processor Conference West (NPC West), in San Jose, California, other vendors were highlighting security capabilities of other chip offerings.

As consumers and enterprises gradually rely more on the Internet for doing business and the groundwork is laid for Web services, which will let applications talk to each other over the Internet, security increasingly will require deep inspection of data packets, analysts said. Among other things, the senders of data will have to be authenticated, and Web services data that crosses the network as HTTP (Hypertext Transfer Protocol) traffic will have to be verified as safe. As packets flow across networks faster, that kind of advanced work will have to be done at higher speed.

“General-purpose CPUs aren’t really going to keep up with this type of processing,” said Linley Gwennap, principal analyst at The Linley Group, in Mountain View, Calif.

“Security is a hot application right now and people are designing hardware to meet those various types of security,” he said.

Hifn Inc. this week introduced six new security processors, designed for products ranging from home Internet access devices to large enterprise and service-provider devices, that offer faster processing and support for a variety of encryption algorithms.

For high-speed enterprise and service-provider equipment, including server NICs (network interface cards), Hifn on Tuesday introduced two “bump on a line” encryption processors. These chips can be installed at the edge of a device, such as between a physical port and an Ethernet MAC (media access control) component, allowing system makers to add encryption and authentication functions to a system without modifying any other part of the hardware. Based on policies that can be set by a network administrator, the “FlowThrough” chips can perform these functions both inbound and outbound, said Russell Dietz, CTO of Hifn. The 8300 performs IPSec (Internet Protocol Security) encryption at 600Mbps and the 8350 takes that speed up to 4Gbps. Early samples should be available in the second quarter of 2003, Hifn said.

Hifn’s 7955 and 7956 processors can offload encryption algorithms from the central processors of network devices for remote offices, branch offices, small businesses and medium-sized enterprises. The 7955 can perform 3DES (triple Data Encryption Standard) and other encryption algorithms at speeds as high as 307Mbps and the 7956 can do the same at up to 632Mbps. They are designed for devices such as VPN (virtual private network) broadband routers, wireless access points, and other network and customer premises equipment with typical speeds of up to T-3 (45Mbps). Aimed at relatively low-cost devices, these chips leave packet processing to a central processor. Sample chips should ship in the first quarter of 2003.

The Hifn 7815 and 7855 processors, designed for higher-speed enterprise routers and VPN gateways, can handle both encryption algorithms and packet processing. They are designed to be 30 per cent less expensive than their predecessors, according to Hifn. Samples will be available to system makers next quarter.

Also at the conference, Seaway Networks Inc. unveiled some details of its Streamwise architecture, intended to make network devices including firewalls and IDSes (intrusion detection systems) work faster and more efficiently.

The architecture uses a chip called a network content processor, which can break up a packet and distribute portions of it to co-processors or a CPU for processing. Seaway’s method is designed to conserve both CPU cycles and the connections between hardware components, said David Lapp, CTO of Seaway, in Ottawa.

Seaway set out to solve the problem of more devices on the network having to perform high-level functions while networks simultaneously get faster. In the past, most devices on a network performed nothing more complex than routing traffic, but that is changing with the advent of appliances that perform application-level tasks on packets passing through. Key among those are security functions such as content encryption, sender authentication, virus detection, and inspection of packets to prevent denial of service attacks, Lapp said.

“The things that are being asked of these boxes…are getting more complex,” Lapp said during a session Wednesday at the conference. As network speeds also increase, processors and data buses within devices won’t be able to keep up with the demands, he said. NPUs (network processing units) are not optimized for these higher-level functions, according to Lapp.

Seaway’s network content processor will have 5Gbps full-duplex throughput, Lapp said. He would not comment on when it will be available.

A new chip architecture detailed this week by iReady Corp. offloads TCP/IP (Transmission Control Protocol/Internet Protocol) processing from a CPU onto a network interface card and also builds high-speed IPSec encryption and decryption into the interface card. In addition, just last week Intel Corp. announced it has integrated encryption capability into its IXP2850 programmable NPU.

Vendors’ moves toward handling security come as the network chip business labours through a slump that may get worse before it gets better.

“2003 could actually be a worse time for this particular market space than 2002 was,” said Doug Spreng, a board member and former president and chief executive officer of Applied Micro Circuits Corp., in San Diego, in a keynote address at the conference Wednesday.