KR102078744B1 - Network interface card having hybrid architecture with multi-core processor and general purpose network controller - Google Patents

Abstract

A network interface card of a multi-core processor and a universal network controller hybrid architecture is disclosed. The network interface card according to an embodiment provides a multi-core processor by providing a network interface for packet transmission and reception through a network, a multi-core processor for accelerating network security and information protection, and compatibility with a plurality of operating systems and systems. It includes a universal network controller that does not require a separate device driver.

Description

Network interface card having hybrid architecture with multi-core processor and general purpose network controller

The present invention relates to traffic processing and management technology.

Recently, with the expansion of ICBM (IoT, Cloud, Big Data, Mobile), all things are networked and the demand for broadband communication service is soaring. In particular, in the field of network security and information protection, in order to cope with advanced cyber threats, a performance that can accurately process a large amount of traffic in real time is required. In addition, encryption traffic has increased by more than 50% due to the expansion of Web 2.0 Internet services, making real-time packet processing performance more and more problematic. However, most companies are competing in terms of performance competitiveness by supplying security software by building appliances using server systems that rely on multi-CPU performance.

Network Interface Cards (NICs) are computer hardware components called network interface controllers, network adapters, network cards, LAN adapters, and LAN adapters. Provides a communication function for connecting to As the recent 10 Gigabit Ethernet technology has become commonplace, the networking protocols of network adapters are being integrated based on Ethernet. Network equipment for network security systems such as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP) systems. Packet processing performance has become an issue, and network interface cards dedicated to network security have been developed. The product has been released.

In the case of Internet services, data security protocols such as Secure Socket Layer (SSL) are used for data security. Many cyber attacks use encrypted network traffic as their primary attack route, and current security systems do not recognize or block threats within SSL traffic. SSL encryption / decryption technology is developed as a standalone appliance, mirroring decrypted traffic to prevent intrusion detection systems (IDS), intrusion prevention systems (IPS), and data loss prevention (DLP). The products are supplied by transmitting them to security equipment such as systems and forensic systems. The standalone appliance SSL encryption and decryption solution has high installation and configuration complexity and increased failure points. Therefore, although efforts have been made to develop a solution that integrates SSL encryption / decryption technology, a new solution is needed due to a performance issue caused by SSL encryption / decryption technology that uses high CPU and memory.

According to an embodiment, to solve the performance degradation problem of a network security solution, a network interface card of a multi-core processor and a general-purpose network controller hybrid structure is proposed.

The network interface card according to an embodiment provides a multi-core processor by providing a network interface for packet transmission and reception through a network, a multi-core processor for accelerating network security and information protection, and compatibility with a plurality of operating systems and systems. It includes a universal network controller that does not require a separate device driver.

The network interface can support 10 Gbps Ethernet 4 ports.

The multi-core processor may include an encryption and decryption accelerator for accelerating the decryption function of the traffic, a pattern matching accelerator for accelerating the pattern matching function, and a security filter accelerator for accelerating the security filter function.

General-purpose network controllers can provide network virtualization to reduce the load on multi-core processors. In this case, the general-purpose network controller may provide a network virtualization acceleration function based on Single Root I / O Virtualization (SR-IOV).

The general purpose network controller may provide a high speed parallel packet processing acceleration function based on a Data Plane Development Kit (DPDK). General-purpose network controllers, via DPDK open software, can allow server-based network security and information security applications to access network interface cards directly through the kernel. The general purpose network controller may support a virtual Open vSwitch (OvS) acceleration function of a network interface of a cloud virtual server.

The network interface card offloads the security acceleration function to the multi-core processor to perform preprocessing including traffic decryption and pattern matching on the traffic transmitted and received through the network, and after preprocessing through the multi-core processor, Traffic post-processing, including DPDK optimization, can be used to offload high-speed packet processing via DPDK open software to send and receive traffic to and from network security and security applications.

According to another embodiment of the present invention, a network security and information protection appliance system provides a compatibility with a plurality of operating systems and systems with a multi-core processor that accelerates network security and information protection so that a separate device driver is not required for the multi-core processor. A hybrid network interface card including a general purpose network controller and a network security and information security application server equipped with the network interface card are included.

The network security and security appliance server removes the load by parallelizing the packets coming from the network interface using DPDK open software, and uses the non-uniform memory access (NUMA) to process the packets by core. Can be distributed processing.

By providing a network interface card with a hybrid architecture of multi-core processors and general-purpose network controllers, it offloads network security acceleration features such as traffic decryption and pattern matching that require high performance, and offloads high-speed packet parallelism. As a result, the network packet processing performance load can be reduced.

The field to which the present invention is applied is as follows. For network security product providers, network intrusion detection / blocking (IDS / IPS) systems, distributed denial of service attack defense (Anti-DDoS) systems, unified threat management (UTM) systems, and next generation firewalls It can provide PCRE pattern matching acceleration NIC function. Provide network information security product providers with SSL encryption and decryption acceleration NIC features such as internal data loss prevention (DLP) systems, web firewall systems, email filter systems, and database security systems. For telecommunication operators and service providers, URLs such as traffic collection, measurement, control, and management systems for large-capacity ISP networks, QoS control and management systems for flow or application services, Internet application identification systems, and precision billing information collection and measurement systems, It can provide ACL acceleration NIC function. Furthermore, the network virtualization-based cloud data center may provide a network security acceleration NIC function of a cloud server system.

1 is a conceptual diagram of a NIC for network security and information security acceleration according to an embodiment of the present invention;
2 is a hardware structural diagram of a NIC according to an embodiment of the present invention;
3 is a hardware appearance diagram of a NIC according to an embodiment of the present invention;
4 is a structural diagram of a multi-core processor according to an embodiment of the present invention;
5 is an internal structure diagram of a general purpose network controller according to an embodiment of the present invention;
6 is a reference diagram illustrating a fast packet transmission and reception process between a NIC and a security application using a DPDK and NUMA according to an embodiment of the present invention;
7 is a reference diagram for explaining a packet load balancing technique for supporting high speed parallel packet processing performance according to an embodiment of the present invention;
8 is a structural diagram of a network security and information protection appliance system equipped with a NIC with a multi-core processor for network security acceleration according to an embodiment of the present invention;
9 is a structural diagram of an HTTPS proxy acceleration protocol stack for SSL encryption and decryption according to an embodiment of the present invention;
10 is a structure diagram of a PCRE / YARA Construct for explaining PCRE / YARA pattern matching acceleration according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a virtual open switch (OvS) acceleration offload structure for a virtual machine according to one embodiment of the present invention; FIG.
12 is a reference diagram illustrating an application structure and a function using DPDK open software according to an embodiment of the present invention;
13 is a reference diagram comparing an SSL encryption / decryption function embedded NIC according to an embodiment of the present invention with a conventional SSL encryption / decryption function independent device.

Advantages and features of the present invention, and methods for achieving them will be apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be embodied in various different forms, and the present embodiments are only provided to complete the disclosure of the present invention and to provide general knowledge in the art to which the present invention pertains. It is provided to fully convey the scope of the invention to those skilled in the art, and the present invention is defined only by the scope of the claims. Like reference numerals refer to like elements throughout.

In describing the embodiments of the present disclosure, when it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present disclosure, the detailed description thereof will be omitted, and the following terms are used in the embodiments of the present disclosure. Terms are defined in consideration of the function of the may vary depending on the user or operator's intention or custom. Therefore, the definition should be made based on the contents throughout the specification.

Combinations of each block of the block diagrams and respective steps of the flowcharts may be performed by computer program instructions (execution engine), which may be executed on a processor of a general purpose computer, special purpose computer or other programmable data processing equipment. As such, instructions executed through a processor of a computer or other programmable data processing equipment create means for performing the functions described in each block of the block diagram or in each step of the flowchart.

These computer program instructions may be stored in a computer usable or computer readable memory that can be directed to a computer or other programmable data processing equipment to implement functionality in a particular manner, and thus the computer usable or computer readable memory. It is also possible for the instructions stored therein to produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or in each step of the flowchart.

And computer program instructions can also be mounted on a computer or other programmable data processing equipment, such that a series of operating steps can be performed on the computer or other programmable data processing equipment to create a computer-implemented process that can be executed by the computer or other programmable data. Instructions for performing data processing equipment may also provide steps for performing the functions described in each block of the block diagram and in each step of the flowchart.

In addition, each block or step may represent a portion of a module, segment or code that includes one or more executable instructions for executing specific logical functions, and in some alternative embodiments referred to in blocks or steps It should be noted that the functions may occur out of order. For example, two blocks or steps shown in succession may in fact be executed substantially concurrently, and the blocks or steps may also be performed in the reverse order of the corresponding function as required.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, embodiments of the present invention illustrated in the following may be modified in many different forms, the scope of the present invention is not limited to the embodiments described in the following. Embodiments of the present invention are provided to more fully explain the present invention to those skilled in the art.

1 is a conceptual diagram of a network interface card (Network Interface Card: NIC, hereinafter referred to as NIC) for network security and information security acceleration according to an embodiment of the present invention.

The NIC 1 according to an embodiment includes a network interface 10, a multi-core processor 12, and a general-purpose network controller 14, and includes a hybrid structure including a multi-core processor 12 and a general-purpose network controller 14. Has

The network interface 10 is connected inline with a network to receive traffic from the network, and accommodates a multi 10 Gigabit (Gbps) network inline circuit. For example, the network interface 10 has a network redundancy and a 10 Gbps Ethernet 2 line (4 ports) applicable to a large capacity asymmetric line.

The multi-core processor 12 is a processor for security acceleration and is embedded in the NIC 1 to accelerate network security and information protection functions. Examples of high performance network security and information protection acceleration include traffic encryption and decryption acceleration, pattern matching acceleration, and security filter acceleration. For network security and information acceleration, the NIC 1 embeds a network security acceleration engine in the multi-core processor 12 with traffic decryption, pattern matching, and security acceleration.

The general purpose network controller 14 provides a Software Development Kit (SDK), which supports a Data Plane Development Kit (DPDK), hereinafter referred to as DPDK. The general purpose network controller 14 supports DPDK optimization for high speed parallel packet processing based on the industry standard DPDK.

Network security and information security applications (2) are used in a server processor environment based on parallel processing technology of multi-core processors such as Non-Uniform Memory Access (NUMA, hereinafter referred to as 'NUMA'). It provides a load balancing technology based on the DPDK open library 30, which is an open software that can distribute the packets from the core by core.

The present invention can ensure high performance network security through the above-described functions, and can provide the core functions of the information protection appliance. The NIC 1 can support high-performance network security acceleration by applying the concept of intelligence unlike the low-cost general NIC that performs only simple network access functions by integrating the security acceleration function. Furthermore, it can be applied as a core component of various network application appliance products based on the server system, thereby improving the packet processing performance and function of the system.

2 is a hardware structural diagram of a NIC according to an embodiment of the present invention, Figure 3 is a hardware appearance of the NIC.

2 and 3, the NIC 1 accommodates 1-10 multi-line network inline circuits. For example, the NIC 1 can accommodate 10 Gbps 2 lines (4 ports) applicable to network redundancy and large capacity asymmetric lines. The network interface 10 supports IEEE-802.3, 10 Gbps Ethernet 4 port, and the network interface type is SFP +. The host access method uses PCIe (PCI Express) Gen2 / 3 × 8 / × 4 / × 1 lanes.

② The NIC 1 according to an embodiment provides a network security and information protection acceleration function through the multi-core processor 12. Examples of network security and information security acceleration features include Secure Socket Layer (SSL) encryption acceleration based on L2 / 3/4 and L7 deep packet analysis of packets, Perl Compatible Regular Expressions (PCRE) / YARA pattern matching acceleration, and ACL ( Supports Access Control List (URL) / Uniform Resource Locator (URL) filter acceleration. As an example of the network virtualization acceleration function, the virtual open switch (OvS, hereinafter OvS) acceleration function of the network interface of the cloud virtual server is supported.

③ The NIC 1 according to an embodiment supports high-speed parallel packet processing based on an industry standard DPDK through a general-purpose network controller 14 for DPDK optimization. The general purpose network controller 14 is a commercial Ethernet chip (IEEE 802.3 Ethernet MAC), which provides a DPDK based virtual network and host interface. For example, the NIC 1 transmits and receives packets at high speed with the network security and information protection application 2 through the DPDK open library 30.

4 is a structural diagram of a multi-core processor according to an embodiment of the present invention.

Referring to FIG. 4, the multi-core processor 12 embedded in the NIC satisfies the high performance network security offload requirement of a flexible structure based on embedded software. The multi-core processor 12 accommodates 10 Gbps 4 ports and has processor performance capable of analyzing traffic of up to 40 Gbps in real time.

The multi-core processor 12 includes a network security acceleration engine 120. The network security accelerator engine 120 according to an embodiment includes an encryption / decryption accelerator 122, a pattern matching accelerator 124, and a security filter accelerator 126.

Decryption accelerator 122 accelerates Encrypt / Decrypt SSL traffic. For example, decryption accelerator 122 provides SSL decryption acceleration functionality. Pattern matching accelerator 124 accelerates PCRE / YARA pattern matching. The pattern matching accelerator 124 uses pattern matching acceleration technology that is compliant with the PCRE / YARA standard to retrieve user-defined signature patterns in real time. PCRE / YARA pattern matching acceleration of the pattern matching accelerator 124 will be described later with reference to FIG. 10.

The security filter accelerator 126 supports ACL / URL filter acceleration. The network security system should perform detailed packet analysis on the L2 / L3 / L4 / L7 layer on the incoming traffic to determine whether the packet is infected with malicious code or access to harmful sites. You need to implement a policy, such as a mirror. In the present invention, the security filter accelerator 126 of the multi-core processor 12 provides a large ACL and URL / IP filter acceleration function of more than 1 million entries. The multi-core processor 12 may ensure the stability and performance of network security acceleration.

5 is a diagram illustrating an internal structure of a general purpose network controller according to an exemplary embodiment.

Referring to FIG. 5, the general purpose network controller 14 employs a commercially available Ethernet chipset to provide PCIe input / output (I / O) acceleration. To maximize the network performance of high-performance multi-CPU servers, it supports physical function (PF) and virtual function (VF) for high speed parallel packet processing. The general purpose network controller 14 provides a PCIe interface that is compatible with the industry standard DPDK to provide a PCIe I / O high speed parallel packet processing host interface. As a result, security acceleration can be applied without the need for additional NIC-specific device drivers and SDKs required for network security applications using the DPDK. Recently, with the development of server system and multi-core CPU technology, the DPDK open library has become the industry standard as a parallel packet processing library utilizing the multi-core of the server system. The present invention enables high-speed parallel packet processing as the security application can directly access the NIC by passing the kernel through the DPDK open library in the user plane.

Universal network controller 14 according to an embodiment SR-IOV PCIe end that supports network virtualization based on PCIe Single Root I / O Virtualization (SR-IOV, hereinafter referred to as SR-IOV) An endpoint 140. The SR-IOV PCIe endpoint 140 connects to the host memory 20 through the PCIe Gen2 / 3 x8 / x4 / x1 lanes, whereby the PF object and the virtual object of the host memory 20 are virtual. Access the function object (VF Object). In virtualization, SR-IOV is a specification that can isolate PCIe resources for manageability and performance reasons. A single physical PCIe can be shared in a virtual environment using the SR-IOV specification. SR-IOV provides different virtual functions to different virtual components (such as network adapters) on the physical server computer. SR-IOV allows multiple virtual machines (VMs) in a virtual environment to share a single PCIe hardware interface.

6 is a reference diagram illustrating a fast packet transmission and reception process between a NIC and a security application using a DPDK and NUMA according to an embodiment of the present invention. In detail, FIG. 6A illustrates a packet transmission and reception process between a conventional NIC and a security application. 6B illustrates a high-speed packet transmission / reception process between a NIC and a security application in which a multi-core processor is installed according to an embodiment of the present invention.

Referring to FIG. 6, a network system according to an embodiment uses DPDK open software to improve performance of a network security appliance by making full use of processor resources of a multi-CPU server system. DPDK open source software includes the DPDK open library. In order to send and receive the packet received from the network to the security application, it removes the load such as scheduling, memory copy, interrupt of the system (for example, Linux operating system), and distributes the packet by NUMA method that allocates memory and CPU to the security application. Processing for maximum performance.

The network system may be classified into a hardware space, an operating system kernel space, and a user space. The hardware space includes a NIC, the operating system kernel space includes a networking module and a device driver, and the user space includes a server-based application. (For example, security applications).

As shown in (a) of FIG. 6, the conventional NIC has (1) device driver overhead, (2) protocol stack overhead, and (3) kernel / user (when transmitting / receiving packets with a security application). User) Memory copy overhead occurs. As a result, there is a limit in the packet processing performance of the server CPU. On the contrary, as shown in FIG. 6B, the NIC 1 according to an embodiment loads PCIe I / O, kernel scheduling, memory copy, and interrupt through a packet processing engine of a general-purpose network controller. Remove it. The NIC 1 offloads the packet processing load through the network security acceleration engine of the multi-core processor. Network Security Acceleration Engines include filtering, coloring, sampling, pattern matching, TCP / IP offload, and deep packet inspection (DPI, Hereinafter referred to as 'DPI') offload (DPI offload) and the like. At this time, core network security technologies such as SSL encryption and decryption based on DPI technology and PCRE pattern matching are offloaded to semi-finished products such as NICs to increase appliance system performance and capacity for finished products.

The DPDK is a system software for high performance packet processing optimization. It is mainly composed of a DPDK open library and a set of DPDK device drivers for packet processing optimization. The DPDK does not go through packet processing in the kernel like the existing Linux-based packet processing (see (a) of FIG. 6), but the security application 2 uses the DPDK open library 30 and EAL (Environment Abstraction Layer) in user space. ) To pass through the kernel and directly access the NIC (1). The DPDK provides a DPDK device driver optimized for packet processing as well as the DPDK open library 30 in the user plane (see FIG. 6B).

The network system according to an embodiment may obtain maximum performance by distributing packets by a NUMA method of fixedly allocating a memory and a CPU to the security application 2. As shown in (b) of FIG. 6, by distributing packets using DPDK and NUMA, (1) device driver and protocol stack overhead can be eliminated, and (2) NUMA memory management structure can be applied. have.

7 is a reference diagram illustrating a packet load balancing technique for supporting high speed parallel packet processing performance according to an embodiment of the present invention.

Referring to FIG. 7, a NIC according to an embodiment provides a high speed parallel packet processing network interface using a DPDK. For high-speed parallel packet processing using a multi-core processor in a multi-CPU server system, the NIC provides RSS (Receiver Side Scaling) (FIG. 7 (a)) and Data Center Bridging (DCB) (FIG. 7B) functions. It must be able to distribute packets received from the network to multi-core processors in the server system. RSS uses the L4 parser within the NIC to compute the 5-tuple hash value and specifies the receiving core for each flow.

8 is a structural diagram of a network security and information protection appliance system equipped with a NIC having a multi-core processor for network security acceleration according to an embodiment of the present invention.

Referring to FIG. 8, a network security and information protection appliance system includes a NIC 1 and a network security and information protection application server 2. The NIC 1 includes a multi-core processor 12 and a general purpose network controller 14 for security acceleration. 8 illustrates a network security appliance expansion structure of up to 80 gigabytes with up to two NICs 1 mounted therein.

The NIC 1 can accommodate 10 Gbps 8 ports. The multi-core processor 12 of the NIC 1 offloads security acceleration functions such as SSL decryption and PCRE pattern matching. The general purpose network controller 14 supports SR-IOV and is optimized for DPDK. By using the multi-core processor of the network security and information protection application server 2 to process the received packets in parallel, an optimal performance structure can be satisfied. The network security and information protection application server 2 is for network security and information protection, and processes received packets in parallel using a multi-core processor. At this time, each multi-core processor distributes packets using DPDK and NUMA.

9 is a structural diagram of an HTTPS proxy acceleration protocol stack for SSL encryption and decryption according to an embodiment of the present invention.

Referring to FIG. 9, a multi-core processor for security acceleration embedded in a NIC includes symmetric cryptography such as Advanced Encryption Standard (AES), Data Encryption Standard (DES), and 3DES, and MD-5, SHA, and Kasumi. SSL encryption and decryption acceleration is provided by using a cryptographic accelerator that accelerates a hashing algorithm. In addition, the present invention provides an HTTPS proxy having a high performance TCP / IP stack operating in a user space for securing web performance. The HTTPS proxy acts as a proxy between the client (eg SSL client) and the web server (eg SSL server). For example, the SSL-encrypted HTTPS communication is represented between the client and the web server.

SSL is an encryption protocol developed by "Netscape" and is currently the de facto standard protocol for secure data communication such as financial transaction information and personal information such as Internet e-commerce. Since SSL3.0, it has been standardized by the Internet Engineering Task Force (IETF) and named Transport Layer Security (TLS). In other words, SSL 3.0 and TLS 1.0 are the same protocol. SSL can be used for all application protocols based on TCP / IP, but HTTPS is a representative application protocol mainly used in recent years. HTTPS is a type of HTTP transformation protocol that encrypts and transmits data communication packets of the conventional HTTP protocol in a transport layer using SSL.

FIG. 10 is a structure diagram illustrating a PCRE / YARA construct for explaining PCRE / YARA pattern matching acceleration according to an embodiment of the present invention.

Network security systems, such as intrusion detection systems (IPS / IDS), information security, or APT, require the ability to detect user-defined signature patterns in real time to defend against zero-day attacks. The present invention proposes a pattern matching acceleration technique that is compatible with the PCRE / YARA standard so that user-defined patterns can be searched in real time at 10 Gbps. Generally, DFA (Deterministic Finite Automata) and NFA (Nondeterminstic Finite Automata) algorithms are used for pattern matching. In the present invention, a high speed real-time PCRE / YARA pattern matching performance is supported using a Hyper Finite Automata (HFA) pattern matching dedicated processor embedded in a multi-core processor. The present invention supports PCRE Construct (FIG. 10 (a)) and YARA Construct (FIG. 10 (b)) used as industry standards.

FIG. 11 is a schematic diagram of a virtual open switch (OvS) acceleration offload structure for a virtual machine according to an embodiment of the present invention.

The NIC 1 according to an embodiment shares a core and a memory with a virtual machine (VM) running in a hypervisor environment for system virtualization. At this time, the kernel-based OvS function that generates a performance load is offloaded using the SR-IOV hardware technology and the multi-core processor built in the NIC 1 to provide the following functions. NIC 1 provides distributed virtual switch functionality. That is, they connect with virtual devices (VMs) located in different physical servers. In addition, the NIC 1 supports remote control based on an Open Flow Protocol, supports traffic isolation for each virtual device (VM), and supports a tunneling protocol. For example, GRE, VXLAN, and IPsec are supported. It also supports monitoring function. For example, NetFlow, sFlow, and IPFIX are supported.

12 is a reference diagram illustrating an application structure and a function using DPDK open software according to an embodiment of the present invention.

NIC 1 according to an embodiment is a hybrid of a multi-core processor and a general-purpose network controller. The NIC 1 adopts a hybrid of a multi-core processor and a general purpose network controller for security acceleration, and has the following competitive advantages. For example, it supports traffic processing dualization supporting 40Gbps performance. That is, a multi-core processor is provided to preprocess the traffic (for example, encrypted packet processing and traffic monitoring), and postprocess the traffic using a general-purpose network controller (for example, DPDK optimization) to interwork with the host system. In addition, the NIC 1 offloads the SSL encryption / decryption, PCRE pattern matching, and open flow controller functions necessary for network security to the NIC 1, thereby saving installation space and ensuring fast response speed. Furthermore, regardless of operating system such as Linux or Windows, it can be installed and integrated without installing or changing drivers.

The present invention provides an embedded multi-core processor-based network security hardware acceleration technology embedded in the NIC (1). The core technology of the present invention is a technology for offloading security functions by embedding network security functions such as SSL encryption and decryption and PCRE pattern matching into a multicore processor of a NIC mounted in a system. The network security acceleration function of the present invention traces a TCP stateful flow including an SSL encrypted packet input in an inline mode, and decrypts and decrypts, if necessary, a pattern that detects in real time whether a PCRE / YARA signature expressed in RegEx exists in the transmitted content. The logic that performs the matching function is combined with the accelerator of the embedded multi-core processor to provide high speed packet processing performance.

The present invention provides a high speed parallel packet processing application software technology based on DPDK open software 3. Recent advances in server systems and multi-core CPU technology have made DPDK open software (3) the industry standard for parallel packet processing libraries that take advantage of the system's multi-core. In the present invention, the NIC adopts a commercial Ethernet chipset as a general-purpose network controller to provide a PCIe interface compatible with DPDK, thereby accelerating security without additional development of NIC-only device driver and SDK in network security and information protection application (2) using the existing DPDK. Function is available. Through the DPDK open library 30 of the DPDK open software 3, as shown in FIG. 12, the server-based network security and information protection application 2 can access the NIC 1 directly through the kernel. To be able.

13 is a reference diagram comparing an SSL encryption / decryption function embedded NIC with an existing SSL encryption / decryption function independent device according to an embodiment of the present invention.

Referring to FIG. 13, in the existing network system, as shown in FIG. 13A, the SSL encryption / decryption equipment is separately separated. However, in the network system according to an exemplary embodiment, as shown in FIG. 13B, the SSL encryption / decryption function is embedded in the NIC. For example, SSL encrypted traffic is decrypted using a multicore processor embedded in the NIC. To do this, the SSL decryption function is offloaded to the NIC. The present invention supports the SSL encryption and decryption in the NIC to provide a method that is integrated support in one appliance.

The NIC according to another embodiment achieves multi-core processor-based security acceleration. For example, a network security technology that supports PCRE / YARA-based pattern matching acceleration for multiple 10 Gigabit Ethernet networks is implemented using embedded multi-core processor technology within a single NIC. NICs that accelerate various network security functions will be competitive in network security.

As described above with reference to Figures 1 to 13, the present invention can achieve the following effects.

As next-generation NIC, it has the effect of developing high value-added technology. According to the present invention, advanced technical specifications such as SSL encryption and decryption, PCRE pattern matching, and I / O acceleration for PCIe I / O lossless data transfer are provided within the NIC. This acceleration causes excessive load on the main processor, which offloads the function to the NIC. As a result, it is expected to be a next generation product with a new concept that is different from the NIC that supports only a simple network connection function. It will be used in the family of high-performance network security appliances in the high value-added area of network security.

The main reason for the deterioration of network security and information security products is because they rely only on server system structure and software. The present invention is to solve this through the performance acceleration technology by the hardware technology mounted on the NIC. The present invention is a high-capacity high-speed network interface technology that can accommodate up to two lines of 10-gigabit network, reducing the development overhead of web firewall, IDS, IPS, DLP, firewall equipment. Competitiveness in performance and functionality gives you a competitive advantage with high value-added network security appliance equipment.

The present invention can be utilized as an encryption traffic visualization based technology of a network security solution. The present invention applies a high-speed encryption traffic decryption technology, it is possible to block the internal threat by decrypting the SSL encrypted traffic. Currently, many security systems do not recognize or block threats inside SSL traffic, and security services are provided by configuring SSL decryption solutions in the form of appliances rather than in-house solutions. Therefore, multi-gigabit NICs with SSL decryption will be used as an important foundation for existing network security solutions.

The present invention can be utilized as a foundation technology of a cloud-based network virtualization platform. The present invention provides a technique for offloading an Open vSwitch (OvS) function applicable to an infrastructure platform based on a Network Function Virtualization (NFV) architecture. It will play a key role within the infrastructure platform that implements virtualized network functions (VNFs) to reduce data center network operations costs and rapidly implement new value-added services.

So far, the present invention has been described with reference to the embodiments. Those skilled in the art will appreciate that the present invention can be implemented in a modified form without departing from the essential features of the present invention. Therefore, the disclosed embodiments should be considered in descriptive sense only and not for purposes of limitation. The scope of the present invention is shown in the appended claims rather than the foregoing description, and all differences within the scope will be construed as being included in the present invention.

Claims (11)

In the network interface card,
A network interface for packet transmission and reception through a network;
A multi-core processor for accelerating network security and information protection functions; And
Instead of using a device driver dedicated to the network interface card, use the Data Plane Development Kit (DPDK, hereinafter referred to as 'DPDK') publishing software and directly access the application through the DPDK publishing software. A universal network controller that provides compatibility for multiple operating systems and systems without the need for dedicated device drivers;
And a network interface card of a hybrid configuration in which a general-purpose network controller for DPDK open software-based processing is added to the network interface card. The method of claim 1, wherein the network interface
Network interface card, supporting 10Gbps Ethernet 4 ports. The method of claim 1, wherein the multi-core processor
A decryption accelerator for accelerating the decryption function of the traffic;
A pattern matching accelerator for accelerating a pattern matching function; And
A security filter accelerator for accelerating the security filter function;
Network interface card comprising a. The system of claim 1, wherein the general purpose network controller
A network interface card that provides network virtualization to reduce the load on multi-core processors. The method of claim 4, wherein the general purpose network controller
A network interface card that provides network virtualization acceleration based on Single Root I / O Virtualization (SR-IOV). The system of claim 1, wherein the general purpose network controller
A network interface card that provides DPDK-based high speed parallel packet processing acceleration. delete The system of claim 1, wherein the general purpose network controller
A network interface card, which supports virtual open vSwitch (OvS) acceleration of a network interface of a cloud virtual server. The network interface card of claim 1, wherein the network interface card is
Offloading the security acceleration function to the multi-core processor to perform preprocessing including traffic decryption and pattern matching for traffic transmitted and received through the network;
After the pre-processing through the multi-core processor, the general-purpose network controller performs traffic post-processing including DPDK optimization, and offloads high-speed packet processing through DPDK open software to send and receive traffic to and from network security and information protection applications. Characterized by a network interface card. A multi-core processor that accelerates network security and information protection, and a device driver dedicated to the network interface card is required by using DPDK open software instead of using a device driver dedicated to the network interface card and directly accessing the application through the DPDK open software. A hybrid interface network interface card including a universal network controller providing compatibility for a plurality of operating systems and systems without; And
A network security and information security application server equipped with the network interface card;
A network security and information protection appliance system comprising: providing a network interface card of a hybrid configuration in which a universal network controller for DPDK open software based processing is added to a network interface card. The network security and information protection appliance server of claim 10, wherein
Remove the load by parallel processing the packet input from the network interface using the DPDK open software, and the network characterized in that the packet is distributed by core using non-uniform memory access (NUMA) Security and privacy appliance system.

Images