Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > Memory/Storage

Hardware, software for SME security gear

Posted: 03 Nov 2003 ?? ?Print Version ?Bookmark and Share

Keywords:sme? soho? software? hardware? ipsec?

To design a next-generation SME converged security appliance, a number of security hardware, software and algorithm technology trajectories must be considered.

When the designers of next-generation security boxes evaluate the challenges, they must first consider the target market. How many users will have to be supported? How much secure bandwidth must be delivered?

Those requirements must be satisfied in systems that can range from the type of box found in a large company's headquarters down to a small office/home office (SOHO) gateway designed to serve only a handful of users. Clearly, the two would try to solve technical challenges in different ways. The focus of this discussion will be on SME security equipment, which typically specifies support for up to a hundred users simultaneously and provides up to 100Mbps of full-duplex secure bandwidth.

A second design consideration is the decision to use single-chip or 2-chip architecture. Some semiconductor vendors have introduced integrated processors with on-chip security engines to address the SOHO market. While there are specific applications for which these single-chip solutions are most appropriate - SOHO is one - this category of security appliance has historically been designed using a 2-chip embedded architecture comprising an integrated communications processor working with a dedicated security co-processor device to provide Internet Protocol Secure (IPSec) acceleration used as the basis for virtual private network tunneling technology. The integrated communications processor provides the key on-chip interfaces to connect to the various network ports and external devices.

A 2-chip solution can provide flexibility and a higher degree of security in the applications where it is required. It also allows the designer to choose the best-in-class solution; while the integrated single-chip approach must compromise on some aspect of performance.

Additionally, the 2-chip architecture may be a more secure approach to designing a security appliance. The National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration, has defined security requirements, known as the Federal Information Posting Standards (FIPS) 140-2, and has established a validation program for cryptographic modules.

The standard has been adopted by all federal agencies and has gained wide popularity among financial, legal and medical institutions that are concerned about conducting secure data communications and ensuring that consistent security design practices are in place.

The 2-chip embedded architecture provides the boundary needed to meet the FIPS 140-2 criteria. By isolating the security functions and providing for storage of critical security parameters on the external security co-processor's internal memory, the design can meet the highest levels of security defined by FIPS 140-2.

A single-chip architecture often will not meet the FIPS criteria, because of the difficulty of partitioning the security functions away from the OS, the typical vulnerability that is targeted by hackers. If one of the primary goals of the security appliance is to achieve a high level of security certification, those concerns must be addressed.

Once the hardware specifications have been considered, the next objective is to put together a software architecture that meets the goal of handling today's and tomorrow's security requirements. However, there are several layers of security to consider.

The embedded OS is one of the most critical pieces to enabling a secure system. OS flaws are one of the most popular routes for hackers to take when compromising a system and then the corporate network. There are several trade-offs to consider, however. Software engineers typically want to use a flexible OS that can act as a generic platform to integrate new applications.

On the other hand, security system architects want to use an OS that emphasizes security. In fact, many companies that develop proprietary OS consider them the most valuable piece of IP when developing a security appliance. Designers who decide to license their OS will have to determine the most important security criteria for their designs.

- Alex Soohoo

Technical Applications Manager, Internetworking Products Division

Integrated Device Technology Inc.

Article Comments - Hardware, software for SME security ...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top