Cisco creates architecture to improve security and sell you new switches

Cisco has developed a product called Hypershield that it thinks represents a new way to do network security.

The core element of Cisco's plan is the deployment of "enforcement points" – essentially teensy firewalls that can run on a server, or in data processing units (DPUs, aka SmartNICs) installed in servers or networking hardware.

Enforcement points are made aware of the applications they observe and known good behaviors of that software. They're also kept up to date with info about new vulnerabilities or attacks – thanks to the work of Cisco's security intelligence teams, which distil oodles of signals gathered online using AI.

Armed with info about what an app should be doing, and attacks that could change its behavior, enforcement points check for anomalous behavior. When the software finds it, it can do a couple of things.

One is inform admins about which apps need patching.

The other is to implement a "compensating control" that protects the app – essentially by creating new network segments that don't allow dangerous traffic.

Tom Gillis, senior veep and general manager of Cisco's security business, suggested those controls could be actions like blocking access to a known dangerous URL identified to be part of a cyber attack. Compensating controls can be set running wherever they're needed on a network, reconfiguring it on the fly to harden against a live attack.

Gillis revealed that enforcement points run two data paths. One is the equivalent of a production system that has been tested and found to work without issues.

The enforcement point also runs a "shadow path" – basically a beta of its most recent update. The shadow path runs on live data and uses AI to test whether the update is working as expected.

If those automated tests check out, the enforcement point manages its own lifecycle by making the shadow path the production path, and installing the next upgrade to test in the shadow path.

That automation, Gillis told The Register, should be welcomed by beleaguered security and net admins. He thinks it will also be welcomed in industries like healthcare that can't easily update devices with security vulnerabilities – because they just don't mess with hardware that keeps people alive. Self-updating networks and mitigations that keep those machines safe is Cisco's alternative.

Kernel games and DPU delights

When running on a server, enforcement points use the eBPF tech Cisco acquired along with Isovalent. The extended Berkeley Packet Filter (eBPF) allows developers to run code in sandboxed programs that run in a privileged context – such as the operating system kernel – and allows the addition of capabilities to an OS.

The eBPF implementation Cisco used for Hypershield is lightweight, but still uses one or two percent of a CPU's capacity.

Which is why Cisco can also run enforcement points on DPUs/SmartNICs – an arrangement that isolates them further and relieves the burden on server CPUs.

Cisco will also build switches to run DPUs, making it possible to apply enforcement points on each port in a switch.

Gillis explained that Cisco chose this approach after working with hyperscalers who run DPUs, but tired of having to attach them to every server in a rack. Shifting DPUs into a top of rack switch delivers the same benefits, he said, but shrinks DPU fleets and therefore also the cost of acquiring and operating the cards.

Cisco is happy for Hypershield to use DPUs from any vendor, running in servers from any manufacturer.

But only Cisco networking hardware can run DPUs and Hypershield – and that hardware doesn't exist yet.

Once it debuts, Cisco will pitch its DPU-enabled switches as a fine upgrade to both your network and your security.

"Every time a customer refreshes hardware, it becomes a new enforcement point," Gillis enthused.

There is an element of evil genius here, because switching is commodified so devices seldom need to be replaced – except when networks expand and/or new bandwidth-intensive apps come along. For those not yet dabbling with demanding workloads like AI, Hypershield may be the best reason in years to consider new networking hardware purchases.

Hypershield will be licensed per "workload" – a Cisco metric based on core count and other factors. A cloudy app will serve as the management console.

Gillis was at pains to describe Hypershield as a security architecture expressed in software – not just software appliances replacing networking boxes. "This is not a VM of an existing firewall," he stressed. "It is a new architecture from the ground up."

Hypershield will debut in August with its eBPF incarnation. Other elements will follow over time.

And before you ask: "Hypershield" – Cisco really went there for the name? ®