
New Trident 4C ASIC Includes Real-Time Threat Analysis Option

Drew Conry-Murray

Broadcom has announced a new ASIC in the Trident family that can monitor flows in real time to identify anomalies that may indicate DDoS attacks, port scans, data exfiltration, and other threats. The new Trident 4C ASIC, designed to run in the core of enterprise data center networks, provides 12.8Tbps throughput in addition to anomaly monitoring.

The Trident 4C includes a dedicated engine that analyzes IPFIX-based flows for security anomalies. Broadcom says the engine can handle 500,000 active flows, inspect 5.4 billion packets per second, and track 4 million flow-state metric counters. The company uses a dedicated engine for anomaly analytics so that switch performance isn’t affected: Broadcom says customers still get the full switching throughput of 12.8Tbps even with the anomaly engine running full bore.

However, while the analytics engine is available on the ASIC, Broadcom hasn’t announced any security partners that are taking advantage of it.

Not A Firewall

While the Trident 4C can analyze traffic for anomalies that might indicate threats, it doesn’t function as a firewall or IPS. It’s not meant to block traffic, and Broadcom isn’t writing its own threat detection signatures.

Instead, Broadcom says it will partner with third-party security companies. These partners will program the analytics engine with their own threat detection signatures. In addition, the new ASIC can send packets or packet metadata to third-party security collectors for additional analysis and remediation.

“Whenever the fingerprinting says there’s something in this flow that raises an alarm, you export it to a third-party AI/ML server for analysis,” said Fred Olsson, Product Management Director for Ethernet Switching at Broadcom, in an interview.

Customers can send packets or packet data from a single Trident 4C to up to eight different collectors, such as a DDoS mitigation system, malware scanner, or other security device.

“A DDoS collector might only want headers, but a malware scanner might want the first thousand full packets,” said Olsson. “So it’s programmable and can be set up based on the requirements of the analysis.” The Trident uses the open NPL language for programmability.
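The pipeline the article describes, as an added illustration that is not Broadcom's, a partner's, or any NPL code: flow records are checked for the anomaly classes named above (port scan, DDoS, exfiltration), and each hit is mapped to a collector with its own export policy (headers only, or the first N full packets). The thresholds, the collector names, the "10/8 is internal" rule and the sample flows are all constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A small subset of IPFIX flow fields, constructed for this example."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample window: one scanner, one flooded host, one large outbound transfer, one benign flow.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "10.0.1.9", p, 1, 60) for p in range(1, 41)]                # port scan
    + [Flow(f"198.51.100.{i}", "10.0.2.2", 443, 3, 180) for i in range(1, 61)]    # many sources, one target
    + [Flow("10.0.3.7", "203.0.113.10", 443, 9000, 2_000_000_000)]               # exfiltration-like
    + [Flow("10.0.0.8", "10.0.1.9", 22, 50, 7000)]                                # benign
)

# Assumed thresholds; a real deployment would tune these per environment.
SCAN_PORTS, FLOOD_SOURCES, EXFIL_BYTES = 20, 50, 1_000_000_000


def classify(flows):
    """Return {anomaly_kind: set of offending keys} for one window of flow records."""
    ports_by_src = defaultdict(set)      # distinct destination ports per source
    srcs_by_dst = defaultdict(set)       # distinct sources per destination
    out_bytes_by_src = defaultdict(int)  # bytes leaving the assumed-internal 10/8 range
    for f in flows:
        ports_by_src[f.src].add(f.dport)
        srcs_by_dst[f.dst].add(f.src)
        if not f.dst.startswith("10."):
            out_bytes_by_src[f.src] += f.bytes
    return {
        "port_scan": {s for s, p in ports_by_src.items() if len(p) >= SCAN_PORTS},
        "ddos": {d for d, s in srcs_by_dst.items() if len(s) >= FLOOD_SOURCES},
        "exfil": {s for s, b in out_bytes_by_src.items() if b >= EXFIL_BYTES},
    }


# Per-collector export policy, following Olsson's example: headers vs. the first N full packets.
COLLECTORS = {
    "ddos": ("ddos-mitigator", "headers", None),
    "exfil": ("malware-scanner", "full", 1000),
    "port_scan": ("siem", "headers", None),
}


def export_plan(flows):
    """Return (anomaly_kind, key, collector, export_mode, packet_cap) for every hit."""
    return [(kind, key) + COLLECTORS[kind]
            for kind, keys in classify(flows).items() for key in sorted(keys)]
```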

At present, Broadcom has not officially announced any security partners that are using the threat analysis capability. Broadcom says the security feature is enabled by the network OS, so it’s controlled by the vendors who sell the switches to enterprise customers.

Inner Vision

There’s a case to be made for adding threat detection in data center switches. In a typical network, traffic has to be sent to specialized devices at specific points in the network for threat analysis and inspection, such as the border between the public Internet and the corporate network, or a cluster of security appliances at the data center edge. Once attackers get past those security zones, they can move with relative freedom.

Adding anomaly detection on the switch itself gives network and security teams additional visibility into network activity that could represent a threat. And because the Trident 4C can analyze every packet at line rate, organizations may improve their chances of spotting stealthy activity that might be missed by traffic sampling.

However, the analytics function is moot until Broadcom or the switch OEM vendors bring on security partners to take advantage of it.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.