Cisco marries AI and security with cloud-based data center offering
“This dataplane supports two data paths: a primary (main) and a secondary (shadow). Traffic is replicated between the primary and the secondary,” Connors wrote. “Software updates are first applied to the secondary dataplane, and when fully vetted, the roles of the primary and secondary dataplanes are switched. Similarly, new security policies can be applied first to the secondary dataplane, and when everything looks good, the secondary becomes the primary.”
The idea is to place software upgrades and policy changes in a digital twin that tests them against the customer’s unique combination of traffic, policies and features, and then to apply those updates with zero downtime, Connors wrote.
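The primary/shadow rollout Connors describes, as an added example that is not Cisco’s or Hypershield’s code: a small Python model (constructed sample policy and traffic; the class and function names are hypothetical) in which every flow is replicated to the shadow, the candidate policy’s verdicts are compared with the primary’s, and the roles are swapped only if every difference was one the operator intended.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dport")            # summary of one replicated packet
Rule = namedtuple("Rule", "src_net dport action")  # action is "allow" or "deny"

class Dataplane:
    """One data path: first matching rule wins, no match means deny."""
    def __init__(self, rules):
        self.rules = list(rules)
    def verdict(self, flow):
        src = ipaddress.ip_address(flow.src)
        for r in self.rules:
            if src in ipaddress.ip_network(r.src_net) and r.dport == flow.dport:
                return r.action
        return "deny"

class DualDataplane:
    """Primary enforces; the shadow sees a copy of every flow but its verdicts are only recorded."""
    def __init__(self, rules):
        self.primary, self.shadow, self.diffs = Dataplane(rules), Dataplane(rules), []
    def stage(self, candidate):      # a new policy lands on the shadow first
        self.shadow.rules, self.diffs = list(candidate), []
    def handle(self, flow):
        p, s = self.primary.verdict(flow), self.shadow.verdict(flow)
        if p != s:
            self.diffs.append((flow, p, s))
        return p                     # only the primary's verdict is enforced
    def promote(self):               # swap roles, then bring the new shadow in sync
        self.primary, self.shadow = self.shadow, self.primary
        self.shadow.rules, self.diffs = list(self.primary.rules), []

def rollout(dp, candidate, traffic, intended):
    """Replay traffic through the shadow; promote only if every changed verdict was intended. Returns (promoted, unexpected)."""
    dp.stage(candidate)
    for f in traffic:
        dp.handle(f)
    unexpected = [d for d in dp.diffs if (d[0], d[2]) not in intended]
    if unexpected:
        dp.stage(dp.primary.rules)   # abandon the candidate; shadow back in sync
        return False, unexpected
    dp.promote()
    return True, []

# Constructed sample: today all of 10/8 may reach SSH and HTTPS; goal is SSH only from 10.1/16
CURRENT = [Rule("10.0.0.0/8", 22, "allow"), Rule("10.0.0.0/8", 443, "allow")]
TRAFFIC = [Flow("10.1.5.5", 22), Flow("10.2.7.7", 22), Flow("10.2.7.7", 443)]
INTENDED = {(Flow("10.2.7.7", 22), "deny")}
BAD = [Rule("10.1.0.0/16", 22, "allow"), Rule("10.0.0.0/8", 22, "deny")]  # HTTPS rule forgotten
GOOD = BAD + [Rule("10.0.0.0/8", 443, "allow")]
```

Running `rollout(DualDataplane(CURRENT), BAD, TRAFFIC, INTENDED)` refuses to promote because the shadow would have started denying HTTPS, which nobody asked for; the corrected `GOOD` policy produces only the intended change and is promoted with the primary never having enforced an untested rule.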
Underpinning Hypershield is the extended Berkeley packet filter (eBPF) connectivity technology that Cisco picked up with its recently closed acquisition of open-source, cloud-native networking and security firm Isovalent.
eBPF is an open-source Linux kernel technology that lets programs run securely in a sandbox inside the kernel. This lets customers add security, observability and networking features quickly and easily, without modifying kernel source code or dealing with network overlays or other tedious programming tasks.
In addition, eBPF is the underpinning for Isovalent’s widely used open-source, cloud-based Cilium and Tetragon software packages. Cilium uses eBPF to support networking, security, and observability for containerized Kubernetes workloads, while Tetragon lets users set security policies using eBPF. Both services are subsets of Hypershield, Ellis said.
Hypershield was designed to be self-upgrading and updating, Ellis said. “Because of the distributed architecture, the eBPF agents that send in the telemetry also act as enforcement points, using a patent-pending design that brings the continuous update CI/CD model of the cloud to premises-based systems, whether at the network, workload, file or process level.”