Cavium introduced its Octeon line of security chips earlier this year, and at the time Hifn officials said they had a similar program in the works (see Niche Chip Players Move Up the Stack). As promised, they gave up the goods at the Network Systems Design Conference this morning.
Hifn's answer, called Antero, is based on the PowerNP network processor acquired from IBM Corp. (NYSE: IBM) earlier this year (see Hifn Acquires IBM's PowerNP Products). The chips should be available in the first half of 2005, nearly matching Cavium's prediction of first-quarter sampling for Octeon.
Customers are already trying out an Antero predecessor that's also based on the PowerNP, says Russell Dietz, Hifn's chief technology officer. That chip is due to be formally released in the first quarter of 2005.
Both companies are pioneering a new direction for security chips: programmable, multiprocessor devices that handle combinations of security functions and Layers 4 through 7 processing. The concept is similar to a network processor, the difference being that network processors tend to focus on fast Layer 3 routing.
Such chips could handle multiple security functions, merging firewalls with antivirus protection and intrusion detection, for example. This would come in handy for companies such as Cisco Systems Inc. (Nasdaq: CSCO) that want to put security into the network itself, preferably by integrating these functions into a router rather than using multiple specialty appliances. In that case, the Octeon or Antero chips would sit on security blades to go into those routers.
One key function of the chips will be to handle Layer 2 through 4 termination -- typical routing and switching stuff. An established company like Cisco wouldn't need those functions from Cavium or Hifn, but small startup OEMs might, because they want to free up engineers to concentrate on developing security applications. "This way, they don't have to learn about how to deal with packet operations," Dietz says.
Still, some competitors suspect the Octeon/Antero approach might ring hollow with some systems vendors. Specifically, both boast of being able to handle intrusion prevention, but some in the industry believe that function will remain in specialized appliances. For those cases, Octeon and Antero could be overkill.
"If I were building an intrusion prevention system, I'd say 60 percent [of what's on those chips] isn't part of my job," says Steve Russ, CEO of TeraShield, a startup working on security chips. The problem with intrusion prevention in particular is that it's unpredictable; the worst attacks come from methods that haven't been seen before, and that complexity makes intrusion prevention best suited for a separate appliance, he says.
— Craig Matsumoto, Senior Editor, Light Reading