From a networking ыусгкшен perspective, there are various methods implemented today on the various OSI model layers. All methods require intensive computing resources, and the need for those resources will only grow, as 5G networks come with new high-speed, low-latency challenges; even more so in a distributed approach. This means more elements are communicating within the software environment, and all these new connections all must be protected.
Ethernity Networks offers its patented ENET Flow Processor, armed with high-speed IPSec tunnel support, multiple-tuple firewall with one million entries, and can provide packet capturing capability as part of a DDoS mechanism that enables better assistance with attack detection and prevention.
The Ethernity security solution includes a portfolio of ACE-NIC SmartNICs and ENET SoC co-processors that offload security functions to Ethernity’s programmable FPGA firmware, achieving high throughput while relieving the CPU of overhead from especially compute-intensive operations. Ethernity’s IPSec suite works smoothly with other overlay and tunneling technologies commonly used by telecom and enterprise customers both in the cloud and at the network edge, including VxLAN and NVGRE. It provides encryption/decryption and user isolation that fulfill the AES 128/256-bit requirements for mobile networks.
Ethernity’s virtual firewall implementation comes with external DDR support based on our patented technology, which can serve millions of entries with 11-tuple fields, including fields covered by Open Flow 1.3.
The DDoS attack mechanism is based on high-speed per-flow packet capturing capability for traffic to a specific PoP. Any new session is fetched and added to the table for measurement, and already-existing flows are counted. Various polices can be applied to flows, using either metering or flags. Rate limit, send controller (sFlow), lock port, and suspend flow can all be applied. The rate limiting mechanism can also be applied to CPU control and path reservation to prevent CPU denial of service. Packet capturing also allows observation of IP, UDP, ICMP, and TCP to protect against different types of attacks.
|IPSec Tunneling with/without overlay
|AES CBC 128/192/256||SHA1 / SHA256 / SHA384 / SHA512|
|AES CTR 128/192/256||AES XCBC|
|AES CCM 128||AES CMAC|
|AES GCM 128/192/256||AES GMAC 128/192/256|
|GCM up to 10/20/40Gbps|
|Firewall||1M entries with 11-tuple|
|CPU Traffic Guard||Supports preemption of CPU denial of service|