SBIR Phase I: Container Grids for Software Defined Security

Period of Performance: 07/01/2017 - 03/31/2018


Phase 1 SBIR

Recipient Firm

CN3 Systems, Inc
3007 Jackson St
San Francisco, CA 94115


The broader impact/commercial potential of this Small Business Innovation Research (SBIR) Phase I project appears in three areas. First, there is an $8B market today for legacy hardware network security products that is in transition to Software Defined Security (SDSec). Adoption of this general SDSec platform has the potential to accelerate that market transition and improve enterprise security. Second, this project's success as an open platform could dramatically shorten the time between research insight and at-scale production deployments: security software built to a lower bar of scale/resiliency is faster and easier to build. The end result will be an increased rate of innovation, and new markets for niche, fit-for-purpose security functions that today are not profitable for vendors to build. Last, this platform could harmonize enterprise security investments and practices for on-premises workloads with security investments for public cloud workloads, solving a key dilemma faced by leading IT organizations. This will make those organizations more competitive on the world stage.

This Small Business Innovation Research (SBIR) Phase I project addresses the two hardest technical challenges in building an enterprise-grade network security function, scale and resiliency, in a general way that can be applied to both new products and legacy codebases with no code change. Addressing scale/resiliency problems in a general way across many network security functions is novel, and this particular approach of massively parallel, lightweight packet processing functions to achieve this is new to this domain. Why now? The massively parallel design proposed here is far too expensive and impractical with traditional hardware-based network functions. Even traditional hypervisor-based virtual machines carry too much hardware overhead to make this design cost competitive. By using vSwitches and network security functions packaged as Linux containers, the hardware overhead cost per instance drops dramatically, and this class of approach to scale/resiliency may be proven practical.