As embedded microprocessors evolve into systems on a chip, an encryption engine has become a standard feature on many products. This encryption engine can be used for everything from virtual private networks (VPN) to digital rights management (DRM) to wireless LAN security. But many businesses, large and small, need more than just encryption to secure their networks. Stateful firewalls, intrusion detection systems (IDS), and antivirus (AV) software typically use powerful and expensive CPUs such as Intel’s multicore Xeon chips. To reduce cost and power dissipation, some vendors are offering application-specific processors that combine efficient RISC CPUs with special-purpose engines for security functions.
Low-Cost Octeon
Cavium led the way with its CN3120, a low-cost version of its popular Octeon processor. While the full Octeon has up to 16 MIPS CPUs, the CN3120 has only two CPUs, each running at up to 500MHz. Although it clocks far slower than a Xeon, the CN3120 is capable of complex security applications such as IDS and AV at up to 1Gbps. Cavium achieves this performance using a set of hardware security engines. Each engine accelerates a different function: encryption, pattern matching (reg-ex), file compression and decompression, TCP processing, and so forth. Reg-ex is the most commonly used function in both IDS and AV; file decompression is required to scan a compressed email attachment for viruses.

By offloading these functions from the CPUs, these engines improve throughput while reducing overall power dissipation. The CN3120 burns a maximum of 7W, far less than any Xeon processor. The chip has a list price of $125, and single-CPU versions are available for less than $20. All versions are currently in production.

Raza Microelectronics recently announced its XLS processor, targeting similar price points. The XLS also comes in single- and dual-CPU versions, but the Raza CPU operates at speeds of up to 1.2GHz. Furthermore, this CPU is multithreaded, which allows it to quickly switch to a new task when the current task is inactive (such as during a cache miss). Multithreading improves the CPU efficiency. The XLS provides encryption and decompression engines but lacks the networking and reg-ex accelerations of Cavium’s chips. The faster CPUs help the XLS outperform the CN3120 on most security software, but software that takes advantage of Cavium’s reg-ex engines will close the gap. The XLS is just beginning to sample in 2Q07.

PowerPC Targets Security
Freescale, the leading PowerPC vendor, is also targeting security applications. The company already offers encryption engines in almost all of its processors at little or no extra cost. To take the next step, Freescale plans to sample its MPC8572 in mid-2007. This chip is the first to integrate technology from Freescale’s acquisition of Seaway Networks in 2005.

The MPC8572 starts with a pair of PowerPC e500 CPUs that can reach speeds of 1.5GHz. It also includes hardware engines for encryption, pattern matching, file decompression, and table lookups. These engines should allow the chip to accelerate the same applications as does Cavium’s CN3120, but the Freescale processor has much faster CPUs. As a result, the MPC8572 should achieve better security performance.

Freescale has not yet announced pricing for its new chip, but we expect it to be around $200, matching it against Cavium’s four-CPU Octeon. Freescale is likely to offer a single-CPU version that will come closer in price and performance to the CN3120.

Another option for security equipment is the 1682M, the first processor from startup P.A. Semi. This PowerPC device also comes with one or two CPUs but has the fastest clock speed in this group: up to 2.0GHz. Furthermore, P.A. Semi’s CPU design can execute three instructions per cycle and reorders instructions to maximize performance. Despite its high performance, the dual-CPU chip dissipates less than 25W, still below most Intel processors. At 1.0GHz, power dissipation drops to 12W (maximum).

Sampling since early 2007, the 1682M includes a high-performance encryption engine and TCP offload, but it does not provide other hard-wired security functions. Instead, the chip relies on its powerful CPUs to perform most security functions in software. This approach simplifies porting software from Intel-based systems, which are also mainly software based. But programmers may gain better performance by using the security engines on the Cavium or Freescale designs.

These RISC processors provide a range of options for security appliances. Designers that are willing to port their software to a RISC CPU will find lower cost, greater integration, and reduced power dissipation compared with Intel-based platforms.

Originally published in Nikkei Electronics Asia, June 2007
© 2002-2007 The Linley Group