Imagine: Massively scalable multi-core security

Desktops and servers are being transformed by multi-core CPUs, but that effect is harder to see in security. Multi-core CPUs in particular could completely transform how and where we do security. One effect is to shift more security functions into the network. Another may be to radically change the software architecture within and across security appliances.

To really grasp the implications we have to think a few generations of hardware ahead: not about a security appliance with four cores, but about one with 256, 1,024 or even 32,768 cores. It's a whole different ballgame.

A common selling point among some security appliance vendors is "cracking the packet only once" and then applying many security functions to the decoded result in parallel. The idea is to reduce latency by reducing the number of times a packet has to be copied and decoded by a protocol analyzer. That thinking reflects the training developers receive to operate in a CPU-constrained world. But multi-core changes all that, as Intel's James Reinders eloquently described in a recent interview.

Programming in a multi-core environment forces developers to rethink traditional practices and optimize for data locality rather than CPU cycles. In a multi-core world, "cracking the packet" and redoing all the protocol analysis on each core in parallel is more efficient than doing it once and sharing the results among cores. CPU cycles become abundant, and the bottleneck shifts from computation to moving data between cores: a core that recomputes from the raw packet keeps its working set in its own cache and never waits on another core's output. In other words, if you need the result of a calculation, it is "cheaper" to recompute it on every core than to shuttle a variable around.
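To make the contrast concrete, here is an added Go example (not code from the article, nor from any vendor's appliance) that runs three toy security functions over one constructed IPv4/TCP packet in two ways: the "crack once and share" design, where a single parse result is handed to every worker, and the shared-nothing design the article argues for, where every worker re-parses the raw bytes itself. The packet, the three analyzers and all function names are invented for illustration; IP and TCP checksums are not verified.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"sync"
)

// Parsed is the "cracked" view of one packet that the analyzers consume.
type Parsed struct {
	SrcPort, DstPort uint16
	TCPFlags         byte
	Payload          []byte
}

// parseIPv4TCP decodes a minimal IPv4+TCP packet, bounds-checking every length
// field so a malformed header is rejected instead of read past. Checksums are
// deliberately not verified in this example.
func parseIPv4TCP(raw []byte) (Parsed, error) {
	if len(raw) < 20 || raw[0]>>4 != 4 {
		return Parsed{}, errors.New("not an IPv4 header")
	}
	ihl, total := int(raw[0]&0x0f)*4, int(binary.BigEndian.Uint16(raw[2:4]))
	if ihl < 20 || total > len(raw) || total < ihl+20 || raw[9] != 6 {
		return Parsed{}, errors.New("inconsistent IPv4 lengths or not TCP")
	}
	tcp, doff := raw[ihl:total], int(raw[ihl+12]>>4)*4
	if doff < 20 || doff > len(tcp) {
		return Parsed{}, errors.New("bad TCP data offset")
	}
	return Parsed{
		SrcPort:  binary.BigEndian.Uint16(tcp[0:2]),
		DstPort:  binary.BigEndian.Uint16(tcp[2:4]),
		TCPFlags: tcp[13],
		Payload:  tcp[doff:],
	}, nil
}

// flag returns name when hit is true, otherwise "" (no finding).
func flag(hit bool, name string) string {
	if hit {
		return name
	}
	return ""
}

// Three toy analyzers standing in for signature matching, a protocol heuristic
// and a policy check. Each reads only the parsed view it is given.
var analyzers = []func(Parsed) string{
	func(p Parsed) string { return flag(bytes.Contains(p.Payload, []byte("/../")), "sig:path-traversal") },
	func(p Parsed) string { return flag(p.TCPFlags&0x02 != 0 && len(p.Payload) > 0, "heur:syn-with-payload") },
	func(p Parsed) string { return flag(p.DstPort == 80, "policy:cleartext-http") },
}

// fanOut runs work(i) for every analyzer on its own goroutine and joins them.
func fanOut(work func(i int) error) error {
	errs := make([]error, len(analyzers))
	var wg sync.WaitGroup
	for i := range analyzers {
		wg.Add(1)
		go func(i int) { defer wg.Done(); errs[i] = work(i) }(i)
	}
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return err
		}
	}
	return nil
}

// crackOnce is the "crack the packet only once" design: one parse, and the
// resulting struct (and the payload slice behind it) is shared by every worker.
func crackOnce(raw []byte) ([]string, error) {
	p, err := parseIPv4TCP(raw)
	if err != nil {
		return nil, err
	}
	out := make([]string, len(analyzers))
	fanOut(func(i int) error { out[i] = analyzers[i](p); return nil }) // p crosses cores
	return out, nil
}

// crackPerWorker is the shared-nothing design: each worker re-parses the
// immutable raw bytes itself, so no derived state is ever shared between cores.
func crackPerWorker(raw []byte) ([]string, error) {
	out := make([]string, len(analyzers))
	err := fanOut(func(i int) error {
		p, err := parseIPv4TCP(raw) // recompute locally instead of sharing
		if err == nil {
			out[i] = analyzers[i](p)
		}
		return err
	})
	if err != nil {
		return nil, err
	}
	return out, nil
}

// samplePacket is a constructed IPv4/TCP packet (PSH|ACK to port 80) carrying
// a traversal-looking HTTP request line. It is not captured traffic.
func samplePacket() []byte {
	payload := "GET /../../etc/passwd HTTP/1.0\r\n"
	pkt := make([]byte, 40+len(payload))
	pkt[0], pkt[8], pkt[9] = 0x45, 64, 6 // v4 with IHL=5, TTL, protocol TCP
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	copy(pkt[12:20], []byte{10, 0, 0, 1, 10, 0, 0, 2}) // src, dst addresses
	binary.BigEndian.PutUint16(pkt[20:22], 40000)     // source port
	binary.BigEndian.PutUint16(pkt[22:24], 80)        // destination port
	pkt[32], pkt[33] = 0x50, 0x18                     // data offset 5, PSH|ACK
	copy(pkt[40:], payload)
	return pkt
}
```

Both designs return the same verdicts; what differs is what crosses cores. In `crackOnce` every worker reads the one `Parsed` value and the slice it points into, so that memory is pulled into every core's cache and any later mutation would need synchronisation. In `crackPerWorker` only the immutable raw buffer is shared, read-only, and each worker's working set is private. Whether re-parsing actually wins depends on the parse cost relative to the cost of moving and synchronising the shared result, so measure on the target hardware before committing to either. Either way, the bounds checks in the parser are what stop a forged length field from turning into an out-of-range read on every core at once.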

Now imagine a security appliance with thousands of cores and how it could take on computationally intensive security work: protocol analysis, pattern matching, heuristics, modeling, sandboxing (emulation) and so on. Many of these functions have relied on ASICs or FPGAs and enormous R&D spending to customize hardware for one specific security function. Multi-core systems offer a different approach: simple commodity hardware running sophisticated parallel-processing software, instead of simple software on custom hardware.