• Issue 1

Virtualized Security – The end of Big Irons

Virtualized, scalable and carrier grade performance/functionalities, a true game changer for CSP's.

Clavister Security VNFs

Turn-key solution to secure the future of SDN/NFV

Working closely together with leading industry players such as Nokia, Ericsson, Intel, Wind River, Red Hat and others has given us profound insight into the telecom market. As a small, agile and responsive company, we have listened to what the market request; the result — A security technology designed natively for SDN/NFV environments and an eco-system that ensures great interoperability and turn-key experience.

Clavister provides the first Security VNF in the industry having the capacity to replace, and even out-perform, legacy Big-Irons. Our Security VNF delivers:

  • The highest security performance on the market, even in a virtualized environment.
  • Full integration with SDN/NFV-MANO (Management and Orchestration) systems.
  • Support for a wide range of use cases within the same Security VNF, including LTE/5G Backhaul Security, Gi/SGi Firewalling, Roaming Security, Virtual CPE Security and Domain Security.

The key features that makes Clavister uniquely suitable for telecom operators who are migrating to SDN/NFV include:

Highest Security Performance on the market

The sophisticated design of the Clavister Security VNF has allowed us to set a new standard for performance and capacity in virtualized environments. In addition to high maximum performance, the Clavister Security VNF also provide high performance density, meaning performance scalability over available vCPUs as illustrated in figure "Benchmarking Result" below.

Benchmarking Results

( Click image for larger version )

About the benchmark test and test environment: Reference platform for the benchmark is an Intel® Server System R2208WTTYS hardware with dual Xeon E5-2687WV4 CPUs running KVM and Clavister VNFs. Performance and capacity tests are performed in accordance to RFC standards such as RFC2544. All performance numbers for VPN capacity is measured on traffic with 512 bytes packet size. Performance numbers for the ”other established vendor” are based on the public available data sheets.

benchmarking results

Multi-Core Architecture
Clavisters Security VNF is based on a true carrier-grade architecture with control plane / data plane separation and native multi-core support.

Clavister Security VNFs requires only one (1) vCPU and scales up to the maximum vCPUs available. For specific traffic model optimization, it is also possible to allocate vCPUs to boost selected functions such as tunnel setup, firewalling and VPN throughput.

Intel Optimization
The tight partnership and collaboration with Intel, including the premium membership of Intel Network Builders Alliance, ensures access to the latest technologies that boosts performance and increases interoperability. Some of the key technologies supported by the Clavister Security VNFs are:

  • Intel® Single Root I/O Virtualization (SR-IOV)
    Drastically lowers overhead of virtualization.
  • Intel® Single Root I/O Virtualization (SR-IOV)
    Drastically lowers overhead of virtualization.
  • Intel® AES-NI
     Hardware acceleration of AES encryption/decryption built into the CPUs.
  • Intel® DPDK
     Data Plane Development Kit (DPDK) greatly boosts packet processing performance and throughput.

Purpose built for Virtualization and SDN/NFV

Fully Virtualized
Clavisters Security VNF is completely software based and natively built for virtualization. This is a key difference from most other virtual security products on the market which has been re-worked from ASIC, FPGA or other proprietary hardware. To ensure maximum flexibility and freedom of choice, Clavisters Security VNF is compatible with most hypervisors on the market, including KVM and VMware.

Orchestration & Management
The Clavister Security VNF executes seamlessly within the Openstack framework, including support for orchestration using the Heat Orchestration Template (HOT) standard.

For more advanced configuration and integration with SDN controllers and NFV orchestrators, the centralized management system, Clavister Hawkeye, offers a robust and open REST API.

Clavister HawkEye also offers complete end-to-end management of the Clavister Security VNFs, including holistic security management of multiple VNF instances. This drastically improves security while also lowering administrative efforts.

benchmarking results

Eco-System
To help ease the transition towards SDN/NFV, Clavister works with a wide range of eco-system partners and technologies. This ensures that CSPs achieves best possible integration and fast time-to-market. The Eco-System partners and technologies includes:

benchmarking results

Staged integration phases
To ensure a smooth transition towards SDN/NFV, Clavister's Security VNFs can be used both as stand-alone virtual appliances or as fully integrated VNFs, without impacting performance. Possible stages of integrations possible using Clavisters Security VNFs include:

  • Phase 1: Migrating from legacy appliances to virtual appliances on dedicate COTS hardware.
  • Phase 2: Use virtual appliances in a pool of shared hardware.
  • Phase 3: Use virtual appliance integrated into a dynamic and orchestrated SDN/NFV environment.

The option of staged migration allows CSPs to start replacing legacy security equipment already today.

Service Function Chaining (SFC) and Service Automation
The Clavister Security VNFs offers a wide range of capabilities that ensures successful adoption of Service Function Chaining and Service Automation.

  • Deployment
    Clavister Security VNFs integrates with the Openstack framework and supports Heat Orchestration Templates (HOT) which enables fully automated deployments of new VNFs.
  • Policy Configuration and Management
    Clavister's Centralized Management System, Clavister Hawkeye, enables integration with SDN Controllers and Service Classifier systems using REST APIs.
  • Capacity Scaling – Scale Up and Scale-out
    Clavister Security VNFs offers market leading capacity per VNF and per vCPU, this include for instance maximum Firewall and VPN throughput, VPN tunnels, Concurrent Connections. Thanks to the carrier-grade and multi-core architecture it is easy to scale capacity based on current needs.

service changing

Designed for Telecom

The Clavister Security VNFs has been purpose built and optimized for telecom networks. In close collaboration with several leading industry partners, robustness, features and integration capabilities has been fine tuned for an optimal solution.

The Clavister Security VNFs provides a unified approach for securing a wide range of telecom use cases, including:

  • LTE Backhaul Security
  • Gi/SGi Firewalling
  • Roaming Security
  • Domain Security
  • Virtual CPE
  • WiFi Optimization

Through compliance and support for several industry standards such as 3GPP and ETSI-NFV the Clavister Security VNFs integrates seamlessly.

Scalable and Flexible Business Model

To achieve optimal flexibility in a dynamic and cloud based infrastructures, Clavister offers a unique business model that enables scale-up and scale-out in a cost effective manner. No matter if your network security architecture requires one or one hundred Security VNFs, you only pay for the maximum capacity needed throughout the entire network. Clavister Hawkeye – in combination with the Clavister Security VNFs – keeps track of maximum available capacity and simplifies license management. Compared to physical network security appliances, this means both lowered entry-level investments and total cost of ownership.

Summary and Conclusion

Almost 70% of all CSPs are anticipated to adopt SDN/NFV already by 2018 in order to meet subscribers demands for the high quality, massive growth of IoT devices and overall improved operational efficiency.

Unfortunately, security is often taken for granted, or simply neglected, during the planning phase. To avoid costly re-designs at a later stage it is crucial that key challenges are identified and addressed as early as possible.

The key challenges for security break down into four distinct areas, namely:

  • Performance and Scalability
  • Integration and Interoperability
  • Support for main telecom use-cases

Additionally, it is of high importance to choose technologies and products that offers a smooth migration path and also scales when deployments evolve from Proof Of Concepts to Commercial installations.

To summarize, the telecom industry is at a pivotal point of transition from legacy systems to a more dynamic environment. There are significant commercial and operational benefits to be gained, but also considerable challenges as described within this document. To maximize the value of SDN/NFV and to capitalize on the new revenue opportunities presented by service chaining and service automation, security must be deployed as integrated virtual functions. Clavisters Security VNF, with market leading performance and elasticity, natively designed for virtualized telecom environments is well positioned to ensure a successful outcome of these initiatives.

Source: Clavister

Return to Home