-
Over the last decade, network applications have grown exponentially, demanding high-speed interconnects. Unfortunately, chip manufacturers are approaching the upper limits of silicon-based computing, with slow improvements in computational performance and energy efficiency. This trend has forced the industry to shift paradigms, moving from monolithic architectures to heterogeneous, domain-specific designs. Moreover, ever-evolving threats compromise digital services and demand more scalable and flexible solutions to ensure service continuity in production networks. Smart Network Interface Cards (SmartNICs) are a product of this new paradigm, integrating domain-specific engines and general-purpose cores to offload various network infrastructure tasks, including those related to security. This paper provides a comprehensive overview of SmartNICs, with a particular focus on their role in strengthening network defenses. It introduces SmartNIC technology and presents a taxonomy of security applications offloaded to SmartNICs, categorized into Intrusion Detection and Prevention Systems (IDS/IPS), defenses against volumetric attacks, and data confidentiality mechanisms. Additionally, the paper explores vulnerabilities associated with adopting SmartNICs in the cloud, examining the threat model and reviewing proposed remediations in the literature. Finally, it discusses challenges and future trends in SmartNIC security applications, highlighting current initiatives and open research areas.
Free, publicly-accessible full text available October 1, 2026
-
One of the main roles of the Domain Name System (DNS) is to map domain names to IP addresses. Despite the importance of this function, DNS traffic often passes without being analyzed, making the DNS a focal point for attacks that keep evolving and growing. Software-based mitigation approaches and dedicated state-of-the-art firewalls can become a bottleneck and are subject to saturation attacks, especially in high-speed networks. The emerging P4-programmable data plane can implement a variety of network security mitigation approaches at high speed without disrupting legitimate traffic. This paper describes a system that relies on programmable switches and their stateful processing capabilities to parse and analyze DNS traffic solely in the data plane, and subsequently apply security policies on domains as specified by the network administrator. In particular, Deep Packet Inspection (DPI) is leveraged to extract the domain name, consisting of any number of labels, and hence apply filtering rules (e.g., blocking malicious domains). Evaluation results show that the proposed approach can parse more domain labels than any state-of-the-art P4-based approach. Additionally, a significant performance gain is attained when comparing it to a traditional software firewall (pfSense) in terms of throughput, delay, and packet loss. The resources occupied by the implemented P4 program are minimal, which allows more security functionalities to be added.
-
Ever since the inception of the networking industry, routing and switching devices have been limited to tightly-coupled hardware and software components. Vendors provide closed-source proprietary stacks, restraining network operators from utilizing customized features and hence hindering innovation. This aggregated model is costly, time consuming, and unscalable, as changes in the devices require the vendor's intervention. As a result, the industry started manufacturing white-box switches and developing Network Operating Systems (NOSs) that support multiple vendors and Application Specific Integrated Circuits (ASICs). This model is referred to as "disaggregated" because the software and hardware are decoupled; essentially, vendors' switching silicon (e.g., Broadcom) is compatible with different NOSs (e.g., SONiC). In this paper, we discuss the lessons learned while designing and implementing a testbed that consists of disaggregated network devices. We iterate over several open source Internet Protocol (IP) routing suites and NOSs that are vendor-agnostic. Additionally, we highlight a novel type of forwarding data plane that is programmable and explore its features. The testbed consists of two white-box switches provided by Edgecore that use programmable switching silicon (Tofino) manufactured by Barefoot Networks, an Intel Company. We installed the SONiC NOS on the switches and tested static and BGP routing. We report the configuration process and the prerequisites needed to deploy a working disaggregated environment. Finally, we discuss how open source NOSs and programmable switches can be extended to support campus networks, rather than being data center-oriented only.