How will data center security change with the hot new processor "NVIDIA DPU"?

The limits of "perimeter security", which is deeply rooted in the world of IT/networks, are starting to show their limits, and "zero trust security" is emerging as a new concept to replace it.

The concept of zero trust, which assumes that it is impossible to prevent malware from entering the boundaries protected by firewalls, etc., and that all devices and communications are not trusted, is network security. fundamentally change the mechanism of This is because it will be necessary to equip each device and node connected to the network with a defense function.

Data centers (DCs) are no exception, of course. DC security is also facing major changes. Mr. Daito Sakuma, Manager of Section 2, Technology Section 3, Technology Management Department, Macnica Kravis Company, said as follows.

Mr. Daito Sakuma, Manager, Section 2, Technology Section 3, Technology Management Department, Macnica Kravis Company

The problem here is the processing power of the host CPU. "You can't do that with a CPU," he said. Now that the amount of communication-related processing is increasing, increasing the load on the host CPU will have a significant negative impact on application processing, which is the "original work."

Therefore, the existence of the "data processing unit (DPU)" that takes the place of the host CPU and performs network/security processing is highlighted. "A DPU placed at the entrance/exit of a server is a perfect device for performing security functions," said Mr. Sakuma. As shown in the chart below, if the next-generation firewall (NGFW) function can be offloaded, the CPU can concentrate on application processing.

Chart 1 Firewall function DPU offload image

Current status of the host CPU that "no longer has time to spare"
The host CPU is now in a very "busy" situation. One big factor is the increase in security-related processing.

The idea that we must defend against cyberattacks that use horizontal communication between servers is surprisingly old, and has gradually spread since the early 2010s. Encryption and communication monitoring have been performed not only for communication with the outside but also for communication between servers.

SmartNIC, an accelerator that accelerates processing such as encryption/decryption and packet transfer, has been adopted to take over the processing that CPUs are not good at. This method has spread to inter-DC communication among cloud providers that operate many distributed DCs.

DPU is a further evolution of SmartNIC. The biggest difference is that the DPU is "programmable". In addition, DPUs have excellent features in terms of capacity to handle rapidly increasing traffic.