Cisco Systems Inc. today announced a family of data center switches that enable services to be embedded directly into the switching layer, beginning with security services.
Cisco’s Nexus 9300 Series Smart Switches (pictured) combine the company’s Silicon One E100 network processors and programmable data processing units from Advanced Micro Devices Inc. Each switch functions as a high-capacity, multifunctional service-hosting device. Cisco said the switches are an attempt to simplify data center infrastructure design as organizations increasingly adopt artificial intelligence applications, which may run at the center or edge of the network.
Traditional data center architectures require a specific device for each new service, creating complexity. In addition, security policies must be configured for each new service or workload.
In contrast, the Nexus Smart Switches embed services directly into the data center fabric. They include two processing engines: a Cisco Silicon One network processor for data transfer and a network services sidecar for security processing. Traffic is intelligently steered between the two engines for optimal performance.
“The security services run on top of the DPU, and Silicon One provides smart routing,” said Murali Gandluru, vice president of product management and data center networking at Cisco. “This value proposition is unique because it can intelligently forward traffic that needs to be forwarded and traffic that doesn’t need forwarding goes to DPU.”
Security first
The first embedded service to be offered is Cisco Hypershield, an artificial intelligence-based native security system that embeds protection across applications and servers in both public and private cloud environments. It employs extended Berkeley Packet Filter, a Linux kernel feature that makes it possible to run sandboxed programs within the kernel. DPUs provide distributed security, enabling features such as autonomous segmentation, real-time exploit protection and continuous updates.
Hypershield embedded in the switching layer reduces the number of appliances and allows data center operators to create a “micro perimeter” around each service that makes up a workload, Cisco said. Updates can be applied automatically to the right enforcement points and organizations can apply self-qualifying policy updates before deployment. Policies are managed by a Cisco Hybrid Mesh Firewall.
Gandluru described Smart Switch as a “top of rack solution,” with a 1U form factor that sits at the top of the server rack and aggregates all communication traffic going in and out of servers. “You have the ability to enable security services seamlessly across that whole data center fabric,” he said. “We announced last year the ability for Hypershield to provide policy in the virtual machine, container and bare metal use cases. Now we’re bringing it into the network to drive simplicity from an architecture perspective, efficiency from power and cooling, total cost of ownership and point-to-point visibility.”
Gandluru said Cisco was careful to respect the operations that are typical of an enterprise data center. “The sec ops team gets access to the data processing unit and the ability to turn on security services while the network team manages the lifecycle of the switches, so we are fitting into the existing paradigm that operators have,” he said.
Cisco didn’t say what other services it plans to provide on the switches in the future, but Gandluru said network address translation is a natural next step. “These will be network-focused use cases,” he said. “We’re not going to turn them into [graphics processing unit] processors.”
A 24-port, 100-gigabit-per-second model will be available in the spring, with 48-port 25G, six-port 400G and two-port 100G models coming in the summer. Pricing wasn’t disclosed.
Photo: Cisco