All posts by Yael Shenhav

About Yael Shenhav

Yael Asseraf Shenhav has extensive high tech experience, first in the Space Telecom Industry and later at Intel. For the past 16 years, she has worked at Mellanox in various technology roles. As part of the early core development team at Mellanox, Yael contributed to the conception, design, SW development architecture and support of all of the Mellanox host adapters through their evolution. She was a member of the team that secured the first Mellanox patent for the Network Adapter. In more recent years, as head of Application Engineering and ROW Presales, she has developed diverse experience in both R&D and market and customer interface across regions, with an in-depth understanding of Mellanox technologies, abilities, resources and products. Yael Shenhav is currently the Vice President of Product Marketing at Mellanox Technologies.

Tiny Chips Can Hack Big – How Mellanox NICs and SmartNICs Can Help Secure Your Data Center

Introduction

Cyberattacks are gaining in complexity and sophistication. Recent attacks such as Throwhammer, Nethammer, NetSpectre, Faxploit, and Malware Guard Extension attest to the increasingly complex methods devised by hackers to take control over remote networks and to spread malware. Today’s cyber reality surpasses by far the fertile imagination of Hollywood cyber fiction films.

Another hacking invention was recently exposed in Bloomberg Businessweek’s “Big Hack” news story (published in October 2018), which described how a tiny chip maliciously planted on a server board can pose serious security risks to organizations. The information revealed in that story has stirred the waters in the tech and security industries and communities, as it described alleged infiltrations of the data centers of some major corporate and governmental organizations.

The stage for infiltration was set, according to the news story, by tampering with the hardware of leading server vendors. Allegedly, tiny IC devices (chips) were planted on server boards at one stage in the supply chain. These infected boards were later installed in servers that were deployed in major corporate and governmental data centers. Via the planted on-board chip, hackers could gain remote access to the data center, compromise its assets and steal users’ and companies’ sensitive information.

Mellanox’s products and advanced NIC and smartNIC technologies offer various levels of protection that detect and prevent security breach scenarios, including those enabled by the hardware-based hack described by Bloomberg.

Let’s take a closer look.

Mellanox Intelligent Network Adapters – A Glimpse Behind the Locked Doors

First – How Does the Alleged Bloomberg Big Hack Work?

Bloomberg claims that tampering chips (identified as a small red box in the illustration below) were planted on server boards between the Baseboard Management Controller (BMC) and its flash. As the BMC has access to both the external network and the internal server resources, malware implanted in the BMC execution space can allow a malevolent adversary to remotely access and compromise the integrity of the server it is connected to.

ConnectX® and BlueField™ NICs – Unauthorized Entrance Prohibited!

Mellanox’s family of intelligent adapters embed security features in the hardware that prevent using the adapters as a backdoor to the server data, and block adversaries from attacking the adapters to steal sensitive information.

Secure Firmware Update

Mellanox ConnectX and BlueField based adapters (ConnectX-4 Lx, ConnectX-5, ConnectX-6, BlueField) implement a secure firmware update check, which means that the devices verify – using digital signatures – the firmware binaries prior to their installation on the adapters. This ensures that only officially authentic images produced by Mellanox can be installed, regardless of whether the installation happens from the host, the network, or a BMC.

Adversaries attempting to remotely upload malicious firmware images will not be able to do so, since the secure firmware update mechanism will reject them: modified code will not carry the matching digital signature and will therefore fail the verification process.

Secure/Verified Boot

Secure Boot is a process which allows ConnectX and BlueField adapters (ConnectX-6, BlueField) to verify the authenticity of each element in the boot process, and to halt if an unauthorized element is found. Secure Boot starts from the anchor of the device: un-modifiable ROM code that acts as the root-of-trust uses an on-chip embedded public key to authenticate the initial code that is loaded from an external storage. The authentication relies on strong cryptographic suites and digital signatures.

As no external intervention in the authentication process is allowed, any potentially planted tampering chip cannot compromise the adapter’s boot process: the network adapter will not run unauthorized boot loaders planted on the flash; by simply not booting, the adapter prevents using it for backdoor access to server resources.
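The following Go program is an added illustration of the check that both the secure firmware update and the secure boot sections rely on; it is not Mellanox code and does not reproduce the real ConnectX/BlueField image format. A public key embedded in the verifier (the on-chip key of the ROM root-of-trust) authenticates a signed image, and any modified, truncated or re-signed image is rejected so the boot halts. The image layout and the choice of Ed25519 over SHA-256 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not the real adapter format):
// 4-byte big-endian payload length | payload | 64-byte Ed25519 signature over SHA-256(payload).
var ErrBadImage = errors.New("image rejected: signature does not verify")

// SignImage is the vendor-side step; only the private-key holder can produce an acceptable image.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(payload)))
	digest := sha256.Sum256(payload)
	return append(append(hdr, payload...), ed25519.Sign(priv, digest[:])...)
}

// VerifyImage models the device-side check shared by secure firmware update and secure boot:
// the only trust anchor is the embedded public key, and the payload is released only on a match.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 4+ed25519.SignatureSize {
		return nil, ErrBadImage // truncated: cannot even hold a signature
	}
	n := binary.BigEndian.Uint32(image[:4])
	if uint64(n)+4+ed25519.SignatureSize != uint64(len(image)) {
		return nil, ErrBadImage // length field inconsistent with the blob
	}
	payload, sig := image[4:4+n], image[4+n:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadImage // modified, re-signed or wrong-key image
	}
	return payload, nil
}

// BootChain models the boot sequence: ROM verifies each stage read from flash against the
// embedded key and halts at the first failure, returning how many stages were accepted.
func BootChain(romKey ed25519.PublicKey, stages [][]byte) (int, error) {
	for i, img := range stages {
		if _, err := VerifyImage(romKey, img); err != nil {
			return i, fmt.Errorf("boot halted at stage %d: %w", i+1, err)
		}
	}
	return len(stages), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is "burned" into ROM
	good := SignImage(priv, []byte("constructed stage-1 boot loader"))
	bad := append([]byte(nil), good...)
	bad[4] ^= 0x01 // a planted part flips one payload byte on the flash
	n, err := BootChain(pub, [][]byte{good, bad})
	fmt.Println(n, err)
}
```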

Mellanox SmartNIC – More Ways to Secure Your Data Center

In the above sections, we focused on smart technologies that prevent utilizing Mellanox adapters as a backdoor to the data center. But the big question remains: What if someone does manage to access the server through yet another backdoor – through a fax machine, through BMC, or through another mechanism? In the following, we will describe how Mellanox products can help data center administrators protect their network and its data.


From Ancient Egypt Hieroglyphs to Today’s Modern Encryption

Well first – you can protect your data by encrypting it!

Cryptography has greatly progressed since its debut as early as 1900 BCE in Ancient Egypt, where non-standard hieroglyphs were found carved into the wall of a tomb. Nowadays, complex cryptographic protocols and ciphers have become a standard for cloud-based applications, where they are used to protect the confidentiality and integrity of data passed between locations. Encryption is also increasingly used to protect lateral traffic within the data center. But encryption and decryption of data is a CPU intensive activity. Mellanox SmartNIC security solutions (Innova IPsec, BlueField smartNIC, Block storage crypto on ConnectX-6) offload the cryptographic operations to the NIC hardware, freeing up the CPU to handle the applications and enabling scalable cryptographic solutions.

Host Introspection – Or How to Implement an Intrusion Detection System Using Mellanox BlueField

An additional challenge posed by security breaches is detecting them in real time.

Some recent cyberattacks have gone undetected for months, allowing for massive collection of data. eBay reported in May 2015 a breach during which hackers used credentials to gain access to inside data for 229 days!

Bloomberg reports the maliciously planted chip’s purpose was to modify the host server’s operating system. The host introspection technology of Mellanox BlueField SmartNICs offers a platform which can help applications detect such cases in real time, and even shut down the connection to the network upon such occurrence – therefore instantly stopping the intrusion. An Intrusion Detection System (IDS) application may leverage this BlueField SmartNIC capability to protect data centers from such scenarios.

Running IDS over a BlueField SmartNIC allows gaining the best of both worlds: close visibility to what is happening inside the server, combined with proximity to the network. In a data center using the BlueField SmartNIC, hackers trying to access a “Big-Hack” tampered server would be identified and reported to the data center administrator before being able to cause damage.

BlueField’s host introspection capabilities can also be used to implement more security applications such as firewalls, antivirus, secure logging, malware analysis and others.

Best of all the BlueField SmartNIC can scan the host memory and offload any processing of the resulting data on the Arm cores, without placing any load on the host CPU or impacting application performance.

Mellanox Solutions – Secure Your Data Center!

It is widely known that traditional data center security technologies were mostly perimeter based and focused on securing the entrance and exit of the data center. Latest developments have proven that this model cannot sustain the attacks perpetrated by increasingly sophisticated hackers. Data center architects now realize that security must move from the perimeter to the heart of the multi-tenant data center to fend off sophisticated hack attempts.

Mellanox intelligent adapters can secure the end points, closer to the network. With a multi-layered security approach, Mellanox smart interconnect products are capable of bringing security from hardware up to application level.

When you need to lead – Mellanox Ethernet Solution helps you maximize your data center performance

Every year a flurry of new world records in various fields are set or broken. It appears that 2018 will be no exception to this trend. The New Year has hardly begun, yet records have already been shattered, starting with the coldest January in the Midwest reaching a record-breaking minus 58 degrees Fahrenheit (-50 Celsius)!

Data centers, too, are experiencing their own wave of record-breaking hits. Just consider our global appetite for connectivity, reflected in both our businesses and personal lives. From connecting with others via Social Media, to capturing, storing and analyzing data from IoT devices, biz apps, streaming, e-commerce, smart phones and more – 2018 promises to be the biggest year for “Even Bigger” Data Analytics. According to IDC, the world will create 180 zettabytes of data (or 180 trillion gigabytes) in 2025 – that’s 18 times more data than the amount generated a mere 3 years ago, in 2015. And, it’s up to the modern data centers to cope with this explosion of data that tends to suck up huge amounts of compute and storage resources.

In the 2018 landscape of Big Data, Big Speed and Big “Everything,” your Ethernet data center’s performance will be a key driver of competitive advantage, with the potential to lead you toward the forefront of your industry. Start off the year by taking advantage of Mellanox Ethernet end-to-end solutions and remain confident that your data center will be able to handle any record-breaking amount of data passing through its pipes.

Mellanox Ethernet End to End Interconnect Solutions deliver a unique price-performance value proposition for network and storage solutions. Our comprehensive Ethernet portfolio enables end-to-end 10/25/40/50/56/100Gb/s and soon to come 200/400 Gb/s for diverse applications and systems across financial services, hyper-scale, public and private clouds, storage, artificial intelligence, and virtualized environments.

To help customers and partners cope with the record-breaking onslaught of modern data center traffic, network demands and unique customer needs, Mellanox Ethernet solutions are continuously evolving, offloading more tasks from the CPU and enabling greater reliability and better power efficiency for optimal data center efficiency, performance and scalability. Using Mellanox, you will gain the highest throughput and lowest latency at the lowest cost for the best return on investment.

Now let’s go one step further to understand how Mellanox solution delivers its promises:

Driving the feeds and speeds with ConnectX® Adapter Cards

Mellanox 10/25/40/50/56/100 (and soon 200) GbE ConnectX network adapters deliver industry-leading connectivity for performance-driven server and storage applications. The ConnectX-5 dual port 100Gb/s Ethernet network adapter offers advanced accelerations, including RDMA over Converged Ethernet (RoCE), NVMe over Fabrics and virtual switch offloads. ConnectX-5 network acceleration technology frees up the CPU’s resources for the compute tasks, allowing for higher scalability and efficiency within the data center. And talking about breaking records, ConnectX-5 is capable of a smashing 139 million packets per second (Mpps) of forwarding capability running the open source Data Plane Development Kit (DPDK). How about that?

Our latest and coolest offering to enter the Mellanox playing field is the BlueField Multicore System on Chip (SoC), which integrates a ConnectX®-5 controller, an array of high-performance 64-bit Arm A72 processor cores and a PCIe Gen3 and Gen4 switch. Arguably the most highly integrated and efficient flash controller in the market, and in the purest Mellanox tradition, BlueField is already setting – only a few days after landing in Mellanox labs – new NVMe-over-Fabrics performance records, demonstrating seven and a half million IOPS during initial testing, with zero CPU utilization, and record low latency. As a SmartNIC, BlueField is capable of accelerating a multitude of security, networking and storage workloads. This means that BlueField will help you handle the waves of data anticipated to break on your data center shores!

At the heart of your Ethernet data center sits Mellanox Spectrum Open Ethernet Switches, providing versatile data center rack and server level interconnectivity. Optimized to support the requirements of today’s performance-demanding data centers, Spectrum switches support all speeds (1GbE-100GbE), at line rate, with low latency and zero packet loss. With its high performance, intelligent congestion notification and consistently low latency, Mellanox Spectrum switches are ideal for building Ethernet Storage Fabrics. No wonder HPE picked Spectrum Ethernet storage switches for their M-series!

In addition, Spectrum Ethernet switches have the best RDMA over Converged Ethernet (RoCE) implementation both in terms of throughput and intelligent congestion management. Spectrum switches were recently picked by Baidu and Meituan to build their artificial intelligence infrastructure.

Spectrum has the most scalable and thorough implementation of VXLAN, supporting more than 750 peering switches and over 100K tunnels. With the Spectrum switch series, you can enjoy the advantages of open networking – you are free to pick your NOS of choice. At Mellanox we do not believe in vendor lock-in!

Mellanox LinkX cables and transceivers make 100Gb/s deployments as easy and universal as 10Gb/s links. Mellanox Ethernet optical transceivers are 100% tested on Mellanox equipment to ensure optimal signal integrity and the best end-to-end performance. Because Mellanox offers one of the industry’s broadest portfolios of 10, 25, 40, 50 and 100Gb/s Direct Attach Copper cables (DACs), Copper Splitter cables, Active Optical Cables (AOCs) and Transceivers, every data center reach from 0.5m to 10km is supported. To maximize system performance, Mellanox tests every product in an end-to-end environment, assuring a Bit Error Rate of less than 1E-15, 1000x better than many of our competitors.

With record-breaking demands on the data center, start off the new year by placing your data center at the top of your list of resolutions for 2018. In today’s unprecedented competitive IT landscape, using Mellanox’s world-leading Ethernet solutions to maximize your data center’s potential is not only the best decision for your business; it’s a necessity. Contact Mellanox today to find out how we can help, and visit www.mellanox.com/ethernet to learn more about our world-class Ethernet interconnect solutions.

Mellanox Introduces Most Advanced InfiniBand and Ethernet Intelligent Adapter Yet

Last year, IDC predicted that the HPC market would reach $15.2 billion by 2019. That represents a healthy 8.2 percent yearly growth rate. We knew it would be big, and we knew we would be ready for it. In fact, we’ve spent the past decade striving to take high performance computing (HPC) to new levels. We’re fully committed to adding new and higher performance functionality to our smart interconnect product lines, most recently with the launch of ConnectX-5 – the industry’s most advanced 10, 25, 40, 50, 56 and 100Gb/s InfiniBand and Ethernet intelligent adapter.

What is the new technology being delivered with ConnectX-5?

The ConnectX-5 delivers the highest available message rate of 200 million messages per second. And unlike competing products on the market, ConnectX-5 is leading in terms of performance, delivering the highest available throughput (aggregated throughput of 200Gb/s). Here again, Mellanox is leading the market with performance that is unmatched. It is also the first interconnect adapter to support PCI Express 3.0 and 4.0 connectivity options and to include an integrated PCIe switch.

How does ConnectX-5 fit into the Co-Design architecture that is revolutionizing the HPC industry?

ConnectX-5 is the latest crucial building block in the overall foundation of the Co-Design architecture. Its new features are designed to execute compute tasks on the network while improving overall system efficiency and speed. Co-Design enables all active components to serve as co-processors in the data center, sharing in data processing wherever the data is located in the network instead of waiting for the CPU bottleneck.

Google has announced its new Tensor processing core, which acts as much like a microcontroller as like a CPU in handling compute functions. This provides even more evidence that the future of the data center is one in which massive amounts of data processing and analysis will continue to occur throughout the network simultaneously. Data is so distributed and the requirements for analysis are so demanding that there is simply no way that the CPU can handle all the processing on its own, nor can data centers afford to wait for the data to get to the CPU. As such, the intelligent network is tasked with handling the processing and analysis on the fly.

ConnectX-5 is the perfect complement to Mellanox’s other intelligent building blocks within the Co-Design architecture. Between Switch-IB 2, the world’s first smart switch, and the NPS network processor family, Mellanox has produced a series of network devices that can analyze data as it moves throughout the network, enabling the utmost performance in the data center.

What markets will ConnectX-5 address?

Mellanox’s new intelligent adapter is designed to address numerous applications for performing data-related algorithms on the network to achieve the highest system performance with minimum CPU utilization. ConnectX-5 brings a series of enhancements and innovations, targeting various markets including:

HPC

ConnectX-5 is the first adapter that supports Co-Design and In-Network computing. It enhances HPC infrastructures by providing MPI and SHMEM/PGAS collective communications accelerations, MPI Tag Matching offload, hardware support for out-of-order RDMA operations, as well as additional Atomic operations support. ConnectX-5 also enhances the innovative transport service Dynamic Connected Transport (DCT), to ensure extreme scalability for compute and storage systems.

Storage

ConnectX-5 offers advanced NVMf target offloads by leveraging its RDMA capabilities, enabling very efficient NVMe storage access with no CPU intervention. Its innovative Host Chaining capabilities and the embedded PCIe switch enable customers to build standalone storage appliances.

Cloud, Web2.0

The new Accelerated Switching and Packet Processing (ASAP2) technology enhances virtual switch and virtual router (e.g. Open vSwitch, aka OVS) offloading, which results in significantly higher data transfer performance in virtualized environments with minimal load on the CPU. Together with native RoCE and RoCE for Overlay Protocols support, ConnectX-5 dramatically improves Cloud and NFV platform efficiency.

We’re as thrilled to announce ConnectX-5 as customers should be to soon receive the highest application performance and data center return on investment. For more information on ConnectX-5, visit:

  • InfiniBand/VPI Cards – ConnectX-5: LINK
  • InfiniBand/VPI Adapters – ConnectX-5: LINK
  • Ethernet Cards – ConnectX-5 EN: LINK
  • LINK to press release: LINK
