High throughput, low power requirement


For cloud and IoT applications, there is a rising need for flexible GbE firewalls in corporate network infrastructures. With integrated Open Source and x86-based AMD Embedded G-Series SoCs, Deciso’s OPNsense firewall appliance offers double the flexibility. It enables high throughput with low power consumption, making it suitable for both enterprise and IoT appliances.

Up until recently, internet connections were significantly slower than companies’ internal networks. Today, however, providers are offering much higher bandwidths at much lower rates. The result: performance levels are balancing out between internal and internet connections, which is making way for completely new applications. In the corporate sector, new applications are being driven by the growing need for fast, direct access to company data and processes at any given time and from any given place. Both companies’ own and public cloud solutions are being deployed for Software as a Service (SaaS) and Internet of Things (IoT) or Industry 4.0 applications. Whichever high-bandwidth applications are run on these networked platforms, the increasing bandwidth calls for flexible firewall appliances with extended security and monitoring features for all central and especially decentralised and small installations, as found at SMBs or with IoT Edge devices.

Open Source

Numerous GbE router and firewall products are available on the market, but they either address large companies, and are complex and costly, or they lack individually configurable functions. Plus, nearly all the products are designed for the IT sector and not for industrial deployment. The ongoing trend towards IoT sees the need emerging for new security appliances which can cope with GbE bandwidth and are robust. At the same time, they ideally also have to be inexpensive and thus affordable for SMBs. Additionally, for these new challenging applications they should also be flexibly configurable for individual requirements, so that OEMs can optimise them for their applications in Industry 4.0 and IoT environments. In particular, features such as Stateful Inspection Firewall, IPv4 and IPv6 support, VPN support, integrated DNS and DHCP are in demand. Additionally, tasks such as Intrusion Detection, Traffic Shaping or Captive Portal have to be available. An intuitive configuration interface and extensive reporting and monitoring tools should also be included. In the past, providing GbE throughput and high security as part of the total package meant using server technology, but as the required footprint and the thermal envelope have become increasingly smaller, state-of-the-art solutions can now be developed which deliver full GbE performance at 15W processor power. With the corresponding thermal designs, the development of completely sealed systems is possible.

When the thermal envelope is limited, a core issue for achieving high performance with relatively few watts is intra-chip communication, particularly if a total of four gigabit Ethernet chips are to be connected to the CPU with maximum data rates and the lowest possible latencies. In such cases, PCI bridges or outsourced PCI Express controllers have to be avoided to minimise bottlenecks and energy consumption.

Today, highly-integrated solutions such as the AMD Embedded G-Series SoC processors integrate a powerful multi-core CPU, GPU as well as an I/O controller hub on a single die. On these SoCs, the PCIe lanes are connected directly, not via a separate Southbridge. This allows for optimum intra-chip communication. Dedicated Gigabit Ethernet controllers can be connected directly, without bridges, to the processor, which helps minimise latencies. This highly integrated single-chip solution also has a small footprint and a reduced number of pins compared to two-chip solutions, optimising board space requirements and reducing development costs.

Base for high data bandwidths: On SoC processors, like the AMD Embedded G-Series, I/Os and PCI Express Lanes are connected directly to the CPU.

Benchmarks

The AMD Embedded G-Series SoC platform comes with all the technical requirements for outstanding networking performance. But do these actually translate into high network performance? Well-recognised benchmarks suggest that they do, and Deciso’s openssl test finally confirmed it. It has shown that the AMD Embedded G-Series SoC with a maximum clock speed of 1.6GHz achieves significantly higher encryption throughput per clock cycle than alternative 2.4GHz processors.

Compared to alternative 2.4GHz processors, the 1.6GHz AMD Embedded G-Series delivers significantly higher encryption throughput per clock cycle (measured with openssl).

Low power consumption

Despite this high performance, the benchmarked AMD Embedded G-Series processor showed a maximum power consumption of only 15W at full load. Furthermore, compared to competing x86 processors, the AMD processor impresses with its optional ‘headless’ variant without graphics. In most cases firewall appliances do not need graphics output, but are managed via a web interface from another computer, so the GPU can be omitted. This results both in cost savings and greater energy efficiency. Not having this component present in the first place is more advantageous than gating the graphics unit via the processor-integrated power management. Hence, without any restrictions, a second important design feature for firewalls is achievable: an extremely low power requirement of below 30W for the whole appliance, or 15W for the processor. So with the right sophisticated technical construction, fanless designs can be realised, which is a major advantage for industrial applications.

High data throughput

How well, though, does a solution perform in real-life network traffic? Is the targeted wire-speed for gigabit networks really achieved? To measure this, two different benchmarks were carried out with the Open Source software OPNsense on Deciso’s Netboard A10. In ideal conditions and with a packet size of 1460 bytes, the Netboard A10 Rack equipped with AMD Embedded G-Series SoC and using all four GbE ports achieved a throughput of approx. 3.5Gbit/s or 300,000 packets per second.

As packet sizes can greatly affect the overall performance of a firewall, and in ‘real life’ ideal conditions are hardly ever available, the throughput was also measured according to the more realistic Internet Mix test. The simple IMIX test assumes the average packet size is 340 bytes. In these conditions, the Netboard A10 Rack with OPNsense achieved a total throughput of 817Mbit/s, which is more than sufficient for most gigabit connections. During all the tests, power consumption constantly remained below 30W. So, the ambitious goal of a flexible, reliable and economical appliance that delivers full gigabit bandwidth can indeed be achieved.

Benchmark results: The Deciso Netboard A10 security appliance achieves a total firewall throughput of 1Gbit for packet sizes larger than 400 bytes, rising up to 3.5Gbit/s.

The Open Source software OPNsense can be provided to OEM customers on the Netboard A10 as a ready-made evaluation platform. Both the software and the hardware can be customised. Compared to proprietary solutions, one of the advantages of Open Source solutions like OPNsense is that there is no vendor lock-in, which ensures long-term availability. OEMs can use this platform in particular to develop their own infrastructure nodes and other network appliances, saving on high initial costs or license fees. With OPNsense, anyone wanting to develop, for example, an intelligent SoHo or SMB appliance or an Internet Edge Node server for embedded applications immediately has the right firewall software to hand, which just has to be adapted to suit individual requirements. Thanks to the ‘open source’ approach, these firewalls are verifiable and secure. The risk of built-in backdoors is therefore reduced to an absolute minimum.

The Deciso Netboard A10 appliance with OPNsense firewall provides a user-friendly management and monitoring GUI.

Author profile:
Jos Schellevis is chief technical officer at Deciso B.V.