by Austin Hipes, Director of Field Engineering for NEI.
As the data plane load from mobile devices, cloud storage, and cloud computing increases on network servers, the need for deep packet inspection also increases as a means of providing encrypted data security for all information passing across a network. Data encryption is now an important part of people’s everyday lives at home and at work, whether it’s a family member backing up information from a personal laptop to a cloud storage system or an IT administrator remotely accessing a corporate server from a tablet. With the enormous growth in encryption-driven network services like these, deep packet inspection and data encryption are typically linked together. DPI is used to encrypt and decrypt data in real time on the network to analyze packet contents and determine the appropriate routing based on intelligent traffic and security rules.
In the past, the only way to do high-performance deep packet inspection and encryption was to use Network Processing Units (NPUs) that were designed specifically for this purpose. NPUs are commonly found in network devices ranging from network monitoring systems and session border controllers to intrusion detection and prevention systems (IDPS). On top of one or more NPUs, many platforms also provide complete system-level functionality for the control plane by incorporating CPU-based server hardware.
NPUs have certain advantages when performing deep packet inspection and encryption, but they also have several important disadvantages. Primarily, NPUs incorporate proprietary architecture that makes programming the devices difficult, requiring specialized skills. In addition, the code required for NPU programming is not typically compatible with networking hardware code, which dramatically decreases system flexibility and means that two separate programming teams are required any time these systems must be commissioned or modified – one for the NPU software and another for the CPU software. Coordinating these two unique teams can pose a real challenge to system owners and operators.
Beyond the software disparities, the hardware itself can also be a disadvantage. NPUs complicate the design of hardware systems and significantly increase the cost. Plus, NPU hardware goes longer between silicon refreshes than other processors and peripherals, meaning that OEMs often find themselves stuck with comparatively antiquated technology. Because of the recent innovations in server hardware design, however, OEMs can now perform deep packet inspection at multi-gigabit speeds without the need for costly, specialized NPUs.
[Excerpted from the whitepaper entitled Accelerating Deep Packet Inspection with Latest Intel® Server Technologies. Download the full white paper.]