Until Now Micro-Segmentation Was Only Enforced in Software on a Server
One of the key hardware features of Solarflare's XtremeScale X1 family of network interface cards (NICs) is its built-in ServerLock hardware firewall. ServerLock is a critical part of the SolarSecure solution, and it works in concert with a centralized domain controller called Domain Fortress. When an XtremeScale X1 NIC is bound to a Domain Fortress, ServerLock is engaged. At that point all traffic entering and leaving every IP address hosted on that ServerLock NIC is monitored and filtered.
With over 5,000 filters and 1,000 flow counters, the controller can read the first 300 bytes of a packet and decide to drop it, copy it, or switch it back out the other interface.
Administrators can secure their servers while also leveraging ServerLock to enable application segmentation: the practice of defining a network by the applications that run on it, and managing the network at that level. Traditionally, on the server itself there have been only two ways to achieve this segmentation, both in software: in the hypervisor or in the kernel. With the introduction of Solarflare's XtremeScale X1 NICs we now have a more secure hardware firewall that executes in firmware on the NIC. This firewall not only filters inbound packets, but can also filter out malicious outbound network traffic. Unlike IPTables or NFTables, ServerLock runs in hardware directly on the NIC, and this provides several unique advantages.
Firewall in Hardware
The key feature of ServerLock is that it is a firewall executing within the NIC firmware. This firmware is untouchable from the server itself: even users with root access are unable to modify ServerLock or the filters and counters contained within it. Nothing else available on a server today could be more secure. ServerLock is also blazingly fast, passing packets through the filters in 50 to 250 nanoseconds. Traditional high-end commercial firewall appliances often take 2,000-3,000 nanoseconds to apply similar filters. Internally ServerLock has support for thousands of filters and counters.
Today ServerLock represents the state of the art in hardware-based network server security.
Once an XtremeScale X1 NIC is bound over a TLS link to a Domain Fortress, the ASIC on the NIC maintains that TLS connection. ServerLock quickly begins reporting all its active network flows over that TLS link to the Domain Fortress. From that point on Domain Fortress builds a graphical map showing all the active connections for every IP address hosted on that ServerLock NIC. From there an administrator on the Domain Fortress system can create or assign security roles from these network flows and attach them to application-specific policies.
Three Operational Modes
ServerLock NICs support three operational modes: Learning, Monitor and Enforce. By default, once ServerLock is engaged it begins the flow reporting mentioned above; this is Learning mode, and Learning mode is ALWAYS on. When a Domain Fortress administrator is ready to begin testing the security policies they have created, they can place those policies in Monitor mode. In Monitor mode flows that violate defined security policies will raise alerts, but the traffic will remain untouched. In Enforce mode flows that do not align with a security policy will be blocked and an alert will be generated.
Ingress & Egress Filtering
ServerLock running within an XtremeScale X1 NIC is capable of filtering both inbound and outbound packets. This means that it will not only protect a server under attack, but can also limit or fully block important data from leaving a server that has been compromised. With Flow Reporting as outlined above and Enforce mode engaged, ONLY valid traffic flows into and out of the server would be permitted. This means that even if an authorized admin came into a server over a permitted connection, the moment they attempted to steal data by using, say, FTP to transfer it to an external server, that connection would be blocked and an alert generated. Once generated an alert cannot be deleted, and so the admin would then have some explaining to do.
While filtering and blocking traffic in both directions is useful, as it prevents the Barbarians from breaking down the gate and the Trojans from carrying off your valuable data, that is only part of the solution. Preventing theft and dynamically reporting who is stealing, what they are stealing, and where they are stealing it are two dramatically different things. Once a policy on a ServerLock NIC is switched into Monitor or Enforce mode, alerts will be generated for traffic that violates that policy. Alerts are fully configurable in Domain Fortress, from simple on-screen graphical notifications to emails and text messages.
Filter Table by Local IP Address
ServerLock maintains a separate filter table for every address hosted on a ServerLock-enabled NIC. This prevents application-based filters applied to one virtual machine (VM) from conflicting with filters needed by another VM on the same physical server. Each filter table can be either a blacklist, which drops packets matching a filter, or a whitelist, which permits only packets matching a filter. This allows policies on one IP address to run in Enforce mode while other IP addresses on the same server remain in Learning or Monitor mode.
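The per-address filter tables and the three operational modes described above, as a small Python simulation added here to show how they interact (this is not Solarflare's code or API, and the addresses, rules and flows are constructed): each local IP gets its own table with whitelist or blacklist semantics and its own mode, Learning only reports, Monitor alerts without dropping, and Enforce alerts and drops.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    LEARNING = "learning"   # Learning is always on: flows are only reported
    MONITOR = "monitor"     # violations raise an alert, traffic is untouched
    ENFORCE = "enforce"     # violations raise an alert and are dropped

@dataclass(frozen=True)
class Flow:
    local_ip: str       # address hosted on the NIC that owns the filter table
    remote_ip: str
    service_port: int   # well-known port of the service, whichever side hosts it
    direction: str      # "in" (ingress) or "out" (egress)

@dataclass
class FilterTable:
    mode: Mode = Mode.LEARNING
    allow_list: bool = True   # True: whitelist semantics, False: blacklist semantics
    rules: set = field(default_factory=set)  # {(remote_ip, service_port, direction)}

    def violates(self, flow):
        hit = (flow.remote_ip, flow.service_port, flow.direction) in self.rules
        return not hit if self.allow_list else hit

class ServerLockSim:
    def __init__(self):
        self.tables = {}      # one filter table per local IP address
        self.reported = []    # flow reports (always generated)
        self.alerts = []      # append-only: an alert is never deleted

    def evaluate(self, flow):
        table = self.tables.setdefault(flow.local_ip, FilterTable())
        self.reported.append(flow)
        if table.mode is Mode.LEARNING or not table.violates(flow):
            return "pass"
        self.alerts.append((flow, table.mode.value))
        return "pass" if table.mode is Mode.MONITOR else "drop"

def demo():
    """Constructed scenario: two VM addresses on one NIC, in different modes."""
    sim = ServerLockSim()
    admin = {("10.0.0.9", 22, "in")}  # permit inbound SSH from the admin host only
    sim.tables["10.0.0.5"] = FilterTable(Mode.ENFORCE, True, set(admin))
    sim.tables["10.0.0.6"] = FilterTable(Mode.MONITOR, True, set(admin))
    flows = [Flow("10.0.0.5", "10.0.0.9", 22, "in"),     # permitted SSH session
             Flow("10.0.0.5", "203.0.113.7", 21, "out"), # outbound FTP violates policy
             Flow("10.0.0.6", "203.0.113.7", 21, "out")] # same flow on the Monitor VM
    return [sim.evaluate(f) for f in flows], len(sim.alerts)
```

The Enforce-mode address drops the outbound FTP flow and records an alert, while the Monitor-mode address passes the identical flow but still records an alert, which is the behaviour the modes section describes.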