DPU market heats up with tech from Nvidia, Intel
Nvidia will integrate its Bluefield-2 DPU with Palo Alto Networks' virtual firewall to boost performance and offer better security to handle the onslaught of cloud applications.
DPU technologies are gaining more attention among larger corporate IT shops. While Nvidia has captured much of the attention, it faces increasing competition.
This week, Nvidia integrated its Bluefield-2 data processing unit (DPU) with Palo Alto Networks' VM-Series NGFW to significantly speed up virtual firewall performance.
Last month, Intel debuted its infrastructure processing unit chip, a programmable networking device that enables cloud and communications providers to offload some processing duties carried out by the CPU. This boosts the performance of overly burdened CPUs to strike a better balance between processing and storage or networking security.
Nvidia and Intel won't lack for competition in the DPU market, including Marvell Technology Inc., a company that entered the market before Nvidia and Intel.
"You'll have more players joining Nvidia, Intel, including Marvell and AWS with Nitro," said Dan Newman, principal analyst and founding partner of Futurum Research. "These companies will come to market with their own flavor, but they all allow general CPUs to do more of what they are good at by offloading workloads from the CPU like security, storage and networking. There's simply too much strain put on CPUs by new technologies emerging."
Despite Intel's relatively late arrival to the DPU market, Newman said it is too early to count the company out.
"Intel is doing a lot of things right lately, plus Pat [Gelsinger, Intel CEO] has only been in for a little over 100 days," Newman said. "They need a bit more time until they become more transparent in revealing their roadmap."
The Bluefield chip assists in accelerating packet filtering by offloading traffic from the host processor to dedicated hardware that functions separately from the server's CPU. This is what delivers intrusion prevention and advanced security of Palo Alto's offering to all servers without degrading network performance.
Deals such as the one Nvidia and Palo Alto struck are important because they provide more understanding about the specific advantages DPUs can provide.
"My feeling is that these types of deals offer the market a comprehensive understanding of the technology," Newman said. "Palo Alto is not exactly Microsoft, but they will gain some attention with this."
The VM-Series NGFW, the first Bluefield-enabled NGFW product to reach the market, enables application-aware segmentation, prevents malware, detects new threats and stops data exfiltration, according to Palo Alto Networks. The VM-Series NGFW adheres to zero-trust network principles.
The added DPU acceleration of the firewall gives corporate users and telecom companies the "agility and automation of the cloud, without compromising performance," said Muninder Singh Sambi, senior vice president of products at Palo Alto Networks, in a prepared statement.
Nvidia expects the integrated offering to initially appeal primarily to telecommunications companies and large cloud service providers. But as more users deploy disaggregated applications delivered as microservices in place of old school monolithic applications, existing firewalls can be overwhelmed with traffic.
What those users will need is a "computer in front of the computer," which is the role the combined Nvidia-Palo Alto offering can play, said Kevin Deierling, senior vice president of networking at Nvidia.
"The early adopters will likely be telcos and cloud service providers," Deierling said. "But we expect it to be broadly adopted as people move from just protecting the perimeter of the data center with traditional appliances to a world where every server must have a next-generation firewall."
Some 80% of network traffic in a data center doesn't need to be or can't be properly inspected by a firewall, officials from both companies said. This is what inspired the joint development of the Intelligent Traffic Offload (ITO) service intended to examine network traffic and then determine what sessions will benefit from a security inspection.
If the firewall decides a session does not benefit from a security inspection, the ITO service lets the BlueField-2 DPU know it should forward all packets in that session straight to their destination and not to the firewall.
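The per-session decision described above can be modeled in a few lines. This is an added illustration, not code from Nvidia or Palo Alto Networks and not the ITO implementation. The class names, the verdict policy (offload sessions carrying TLS records the firewall cannot decrypt), the removal of the offload entry when a session ends, and the sample packets are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:                       # 5-tuple identifying one session
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def firewall_verdict(payload: bytes) -> str:
    # Assumed policy: a TLS record (type 0x16/0x17, version 3.x) cannot be
    # inspected without decryption, so the session is marked for offload.
    if len(payload) >= 2 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return "offload"
    return "inspect"

@dataclass
class Dpu:
    offloaded: set = field(default_factory=set)   # sessions forwarded directly
    to_firewall: int = 0
    fast_path: int = 0

    def handle(self, sess, payload, fin=False):
        if sess in self.offloaded:
            self.fast_path += 1
            if fin:                  # session over: a reused 5-tuple must be
                self.offloaded.discard(sess)      # seen by the firewall again
            return "forwarded"
        self.to_firewall += 1        # no entry yet: packet goes to the firewall
        if firewall_verdict(payload) == "offload":
            self.offloaded.add(sess)
        return "inspected"

# Constructed sample traffic: (session, payload, fin)
TLS = Session("10.0.0.5", 40000, "10.0.1.9", 443, "tcp")
WEB = Session("10.0.0.6", 40001, "10.0.1.9", 80, "tcp")
PACKETS = [
    (TLS, b"\x16\x03\x01hello", False),
    (TLS, b"\x17\x03\x03data", False),
    (WEB, b"GET / HTTP/1.1\r\n", False),
    (WEB, b"POST /upload HTTP/1.1\r\n", False),
    (TLS, b"\x17\x03\x03bye", True),
    (TLS, b"GET /admin HTTP/1.1\r\n", False),   # same 5-tuple, new session
]

def run(packets):
    dpu = Dpu()
    return [dpu.handle(*p) for p in packets], dpu

if __name__ == "__main__":
    actions, dpu = run(PACKETS)
    print(actions, dpu.to_firewall, dpu.fast_path)
```

The last packet reuses an offloaded 5-tuple after the session closed; because the entry was removed, it reaches the firewall again instead of inheriting the earlier offload verdict.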
Deierling said Nvidia will also target other industries that put a high priority on data security, including the financial and health care communities.
Nvidia focused on three aspects -- offloading, accelerating and isolation. The offloading piece takes functions that were the responsibility of the x86 chip and runs them on the DPU. The greater acceleration results from the CPU and DPU sharing processing duties. The isolation piece involves creating a new infrastructure layer of processing on the DPU on the GPU isolated from the applications layer.
"We decoupled applications processing and infrastructure processing for the purposes of achieving software-defined networking, security and storage," Deierling said. "The x86 CPUs are not very good at parsing packets, doing lookups of those packets and making decisions based on the bits inside the packets."