Networking devices face a growing threat of cyberattack, and robust protection for them has become a paramount concern. Every switch and router is a potential gateway for attackers looking to exploit vulnerabilities, so preventing unauthorized monitoring, modification and diversion of traffic, and the injection of malicious traffic, has never been more critical. Yet, despite growing awareness of these threats, most existing switches and routers lack the security features needed to stop such breaches. Axiado's TCU addresses this gap with AI-driven hardware security for network switches. In this blog we look at the security challenges networking devices face today and at how the TCU's set of security capabilities, from secure boot with attestation to an integrated Hardware Platform Root-of-Trust and boot-time vulnerability management, strengthens network switches against these ever-present threats.

Every networking device, including switches and routers, requires very strong security, because: 

  • A compromised device lets an attacker monitor, modify, divert or block existing traffic, and lets malicious traffic through. 
  • Many systems, even those with secure boot, can be rolled back to a correctly signed but older and potentially vulnerable boot image. This is especially easy when physical access to the device is possible, as in an insider attack, or when another device on the same network poses as a password or image recovery server. 
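The rollback problem in the second bullet is worth seeing in code, because a signature check alone cannot catch it: an old image was legitimately signed, so it verifies. The usual fix is a monotonic minimum-version counter in one-time-programmable (OTP) memory that the boot code consults after authenticating the image and raises when a newer image boots. The following is an added example and is not Axiado's or any vendor's code; it assumes HMAC-SHA256 with a device-bound key as a stand-in for the vendor's public-key signature, a Python object as a stand-in for OTP fuses, and a constructed image header format.

```python
"""Rollback-resistant verified boot, reduced to its essentials (added example).

Assumptions: HMAC-SHA256 with a device-bound key stands in for the vendor's
public-key signature; the Otp class stands in for OTP fuses; the header
format (magic, security version, payload length) is constructed here.
"""
import hashlib
import hmac
import struct

DEVICE_KEY = b"constructed-root-of-trust-key"   # would live in OTP / the root of trust
HEADER = struct.Struct("!4sII")                  # magic, security version, payload length
TAG_LEN = 32                                     # HMAC-SHA256 tag size


def sign_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Build header || payload || tag, as the vendor's build system would."""
    body = HEADER.pack(b"IMG1", version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Otp:
    """Simulated one-time-programmable counter: it can only move up."""

    def __init__(self, min_version: int = 0) -> None:
        self.min_version = min_version

    def raise_min_version(self, version: int) -> None:
        if version < self.min_version:
            raise ValueError("OTP counter cannot be decremented")
        self.min_version = version


def verify_boot(image: bytes, otp: Otp, key: bytes = DEVICE_KEY) -> str:
    """Return 'boot' if the image is authentic and not rolled back, else the refusal reason."""
    if len(image) < HEADER.size + TAG_LEN:
        return "refused: truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # 1. Authenticity first, so the version field below can be trusted.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "refused: bad signature"
    magic, version, length = HEADER.unpack_from(body)
    if magic != b"IMG1" or len(body) != HEADER.size + length:
        return "refused: malformed header"
    # 2. Anti-rollback: a genuinely signed but older image must not boot.
    if version < otp.min_version:
        return f"refused: rollback (image {version} < minimum {otp.min_version})"
    # 3. Commit: raise the floor so that a later downgrade is refused.
    otp.raise_min_version(version)
    return "boot"


def demo() -> list:
    """Boot v1, boot v2, then try v1 again and a tampered v2 (constructed images)."""
    otp = Otp()
    v1 = sign_image(1, b"firmware with a known bug")
    v2 = sign_image(2, b"patched firmware")
    results = [verify_boot(v1, otp), verify_boot(v2, otp), verify_boot(v1, otp)]
    tampered = bytearray(v2)
    tampered[HEADER.size] ^= 0x01          # flip one payload bit
    results.append(verify_boot(bytes(tampered), otp))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third result is the point of the example: v1 still carries a valid tag, and a checker that stops at step 1 would boot it. Note also that the counter is raised only after the image has been authenticated, so an attacker cannot brick the device by presenting an unsigned image with a huge version number.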

Most existing switches and routers do not support: 

  • Secure boot with attestation. 
  • Device Identifier Composition Engine (DICE), which provides a crucial security layer with or without an integrated Trusted Platform Module (TPM). 
  • A built-in Hardware Platform Root-of-Trust (HPROT) and Platform Firmware Resiliency (PFR). 
  • A local Hardware Security Module (HSM) for secret management; instead they rely on a centralized HSM. 

In addition, integrating a Network Operating System (NOS) with today's switch platforms is complex. One example is Software for Open Networking in the Cloud (SONiC), which requires platform- and device-specific controls for elements such as fans, sensors and LEDs. 

The Advantages of Axiado’s TCU Solution 

  • TCU can host all platform component images on multiple flash devices. It monitors, filters and enforces access to the flash, and decrypts and verifies images and configuration settings before handing them to the switch. Secrets can be kept in integrated OTP memory rather than in external flash, EPROM or similar non-volatile storage. 
  • TCU performs vulnerability management at boot time by checking all firmware images against known reported vulnerabilities using its AI/ML engines. The same check can be extended to all firmware upgrades and patches. 
  • TCU's SmartNIC functionality, with a hardware firewall and inline crypto, can front any control and management network access, such as network boot, access to external services (Software for Open Networking in the Cloud (SONiC) services, for example), event logs, default/management VLAN packet processing, and more. 
  • TCU integrates TPM, DICE-as-a-Service, HPROT, PFR, and edge/distributed HSM. 
  • TCU offloads and secures management protocols such as Telnet, SSH, TLS, AAA (RADIUS/Diameter) and SNMP. 
  • TCU offloads, and optionally encrypts/decrypts, control plane protocols such as CDP and VTP, which are usually unencrypted and expose a lot of information about the switch or router. 
  • TCU offloads DHCP snooping, so that only authorized DHCP servers can assign IP addresses. 
  • TCU has built-in Baseboard Management Controller (BMC) capabilities and can proxy NOS control requests, abstracting the particular hardware.
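The DHCP snooping bullet above compresses a specific rule into one sentence: server replies (BOOTREPLY) are forwarded only when they arrive on a port the operator has marked trusted, client requests are checked for a client hardware address that matches the frame's source MAC, and acknowledged leases are recorded in a binding table that other features (such as IP source guard) can consult. The following is an added example, not Axiado's or any switch vendor's code; it parses constructed minimal DHCP messages in pure Python and uses constructed port names and MAC addresses. The logic is where the TCU offload would sit, on whatever hardware actually performs it.

```python
"""DHCP snooping filter over constructed packets (added example).

Assumptions: packets are the BOOTP header plus magic cookie plus a
single option 53 (message type); port names and MAC addresses are
constructed. The binding table maps client MAC to the acknowledged IPv4.
"""
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPACK = 1, 5
DHCP_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes


def build_dhcp(op: int, chaddr: bytes, msg_type: int, yiaddr: bytes = b"\0\0\0\0") -> bytes:
    """Constructed minimal DHCP message: BOOTP header, cookie, option 53, end option."""
    hdr = BOOTP_HDR.pack(op, 1, len(chaddr), 0, 0x1234, 0, 0, b"\0" * 4, yiaddr,
                         b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt: bytes):
    """Return (op, chaddr, yiaddr, msg_type) or None if the bytes are not a DHCP message."""
    if len(pkt) < BOOTP_HDR.size + 4 or pkt[BOOTP_HDR.size:BOOTP_HDR.size + 4] != DHCP_COOKIE:
        return None
    f = BOOTP_HDR.unpack_from(pkt)
    op, hlen, yiaddr, chaddr = f[0], f[2], f[8], f[11][:f[2]]
    if hlen == 0 or hlen > 16:
        return None
    msg_type = None
    i = BOOTP_HDR.size + 4
    while i < len(pkt) and pkt[i] != 255:          # walk TLV options to the end marker
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None                              # truncated option header
        code, ln = pkt[i], pkt[i + 1]
        if code == 53 and ln == 1 and i + 2 < len(pkt):
            msg_type = pkt[i + 2]
        i += 2 + ln
    return op, chaddr, yiaddr, msg_type


@dataclass
class Snooper:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)     # client MAC -> assigned IPv4 (bytes)

    def inspect(self, port: str, src_mac: bytes, pkt: bytes) -> str:
        """Decide forward/drop for one DHCP frame seen on `port` with source MAC `src_mac`."""
        parsed = parse_dhcp(pkt)
        if parsed is None:
            return "drop: not DHCP"
        op, chaddr, yiaddr, msg_type = parsed
        if op == BOOTREPLY:
            # Only operator-trusted ports may carry server replies: this is the
            # rule that keeps a rogue DHCP server from handing out addresses.
            if port not in self.trusted_ports:
                return f"drop: server reply on untrusted port {port}"
            if msg_type == DHCPACK:
                self.bindings[chaddr] = yiaddr       # learn the lease for later checks
            return "forward"
        # Client side: refuse requests whose chaddr does not match the frame's source.
        if chaddr != src_mac:
            return "drop: chaddr does not match source MAC"
        return "forward"


def demo():
    """Four constructed frames: a discover, a legitimate ACK, a rogue ACK, a spoofed request."""
    s = Snooper(trusted_ports={"uplink0"})
    client = bytes.fromhex("0a0000000001")
    rogue = bytes.fromhex("0a0000000099")
    server_mac = bytes(6)
    lease = bytes([192, 168, 1, 50])
    results = [
        s.inspect("access3", client, build_dhcp(BOOTREQUEST, client, DHCPDISCOVER)),
        s.inspect("uplink0", server_mac, build_dhcp(BOOTREPLY, client, DHCPACK, lease)),
        s.inspect("access7", server_mac, build_dhcp(BOOTREPLY, client, DHCPACK, bytes([10, 0, 0, 1]))),
        s.inspect("access3", rogue, build_dhcp(BOOTREQUEST, client, DHCPDISCOVER)),
    ]
    return results, s.bindings


if __name__ == "__main__":
    verdicts, table = demo()
    for v in verdicts:
        print(v)
    print({k.hex(): ".".join(map(str, v)) for k, v in table.items()})
```

The third frame is the rogue server case the page's bullet is about: the ACK is well-formed and would otherwise win the race against the real server, but it arrives on an access port, so it is dropped and never reaches the binding table. Only the ACK from the trusted uplink populates the table.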