Zero-Trust Security for Cloud Data Centers – How Much Does it Cost?

By Netronome | Aug 09, 2016

The Need for Zero-Trust Security

The rapid evolution of cloud-based data centers to support virtualized services and applications has created significant challenges for data center security architectures. Traditional data center security strategies have typically relied on perimeter-based security appliances, while assuming that the interior of the data center could be trusted. But in today’s multi-tenant environments, tenants and applications cannot be trusted, and the potential for threat injection inside the data center is significant. Add to that the dramatic increase in intra-data center connectivity in the form of east-west traffic, and you have a recipe for disaster. To properly protect tenants and application workloads in this “zero-trust” environment, security functions must be distributed and associated with the tenants and workloads directly with fine-grained control. This improved model, sometimes referred to as security micro-segmentation, is shown in the figure below:

Zero-trust illustration

How Can We Implement Zero-Trust Security with OpenStack

With OpenStack a feature known as Security Groups is used to support stateful security in the form of connection tracking on a per VM basis. The connection tracking (Conntrack) function itself is implemented in the Linux iptables module, which is called from a Linux bridge. But since most cloud data center deployments use Open vSwitch (OVS) for network overlay processing and other tasks, this has resulted in a very cumbersome implementation, because a separate Linux bridge needed to be instantiated and connected to the OVS bridge, in order to get the stateful Conntrack function. These extra hops and processing steps increase the CPU load, resulting in poor performance. More recently, the connection tracking functionality has been integrated into OVS 2.5, eliminating the need for the extra Linux bridge and resulting in some improvement.

Connection tracking

But How Much Will it Cost Me?

It turns out that, even with the improvement in OVS 2.5, the Conntrack function itself is still quite CPU intensive, because every packet must be checked against security rules and a stateful connection table. This adds to the workload already needed for basic packet parsing, tunnel processing, QoS, statistics and forwarding operations. We recently did some testing in our lab using a dual-socket Dell R730 Server containing 24 total CPU cores. What we found was that we had to dedicate half of the 24 CPU cores to vSwitch and stateful security processing just to get 10Gb/s of throughput for 512 byte average packet sizes. This means that 50% of the server resources are stranded, and cannot be used to run application workloads or generate revenue. Would you agree to fork over half the value of your house to install a home security system? I did not think so.

Bringing Down the Cost with Intelligent Offload

It can be shown that it is possible and practical to accelerate server-based networking in environments requiring stateful security. For example, Netronome’s Agilio SmartNICs already offload OVS processing, and have demonstrated significantly higher throughput and CPU savings. Now, Netronome is introducing a new software offering called Agilio OVS Firewall that adds stateful security processing to the offloaded datapath. There is a two-fold benefit when offloading the security workload to Agilio adapters: First, the networking I/O bottleneck is eliminated, allowing VMs or containers to receive as much data as they can process. Second, there is significant CPU savings realized by taking the OVS and security workload and executing it on the Agilio adapter instead of the server CPUs.


As we have noted, native OVS and Conntrack running on servers with traditional NICs struggle with packet processing operations that tie-up valuable server CPU resources and create a bottleneck that starves applications. Our benchmarks have shown that Agilio SmartNICs can reclaim up to 50% of the server CPU resources previously dedicated to OVS and security, while at the same time delivering up to 4X or more of the packet data throughput to application workloads. The server hardware was comprised of a Dell R730 dual-socket Xeon totaling 24 physical CPU cores. The results of the benchmark testing are shown in the graphs below:

Graph of Agilio OVS Firewall Performance


Just as you can protect your home by adding a security system for a fraction of its value, Agilio SmartNICs can protect your server workloads for a small incremental cost over traditional server adapters (and nowhere near half the cost of your server). By offloading overlay tunneling, access control, and stateful firewalling, the Agilio SmartNICs are an optimal solution for zero-trust stateful security with OpenStack. The resulting ability to run more VMs and containers, while delivering more data to the application workloads at the same time, is critically important to realizing the vision and economic benefits of cloud-scale networking.