Cisco’s acquisition of startup Isovalent, developer of open-source tools Cilium and Tetragon, underscores the potential of the popular eBPF kernel technology for multicloud networking and security.
Cisco has raised the profile of the popular container connectivity technology eBPF (extended Berkeley packet filter) with its recent purchase of open-source, cloud-native networking and security firm Isovalent. Cisco announced the deal in late December and expects to close the acquisition in the third quarter of its fiscal year 2024.
eBPF is an open-source Linux operating-system kernel technology that lets programs run securely in a sandbox within the kernel of the OS. This allows customers to incorporate security, observability and networking features quickly and easily without requiring them to modify kernel source code or deal with network overlays or other tedious programming tasks. The technology’s open-source development occurs under the auspices of the Cloud Native Computing Foundation (CNCF) and includes industry input and support from Google, Microsoft, Red Hat, Intel and others.
According to the CNCF, many kernel developers have contributed to eBPF’s integration into the Linux kernel, making it stable and reliable, and various other projects have created tools and libraries that make eBPF easier to use and manage. In addition, eBPF is the underpinning for Isovalent’s widely used open-source, cloud-based Cilium and Tetragon software packages. Cilium uses eBPF to support networking, security, and observability for containerized Kubernetes workloads, while Tetragon lets users set security policies using eBPF.
eBPF is important in today’s environment of distributed applications, virtual machines, containers, and cloud assets, where application administrators may have little to no insight into the underlying infrastructure, leaving a gap in visibility and security, said Tom Gillis, senior vice president and general manager of the Cisco Security Business Group.
“eBPF and Cilium will let you set all sorts of features such as firewall, load balancing, DNS – all kinds of application service level features, all from software in a single location,” Gillis said. “Without eBPF, all of that functionality would have to be enabled individually, which is time consuming and potentially leaves lots of places open to security and networking problems.”
The combination also provides analysis of network traffic and container behavior, enabling network experts to troubleshoot issues and optimize performance, Gillis said.
According to a report by IDC, eBPF, Cilium and Tetragon offer the greatest value to those operating Kubernetes clusters and bring significant networking benefits. For example, eBPF allows users to set a high-performance, programmable network data path between applications and clusters. “eBPF allows quick decisions about how to handle incoming packets [and] can help enforce a wide range of network and security policies,” IDC stated.
The technology also offers connect-time load balancing: Instead of using a virtual IP address, operators can load balance at source using a program loaded into the kernel, removing NAT (network address translation) overhead, IDC stated. In addition, eBPF programs can add probes as sensors in the Linux kernel to obtain context-rich data, and there’s no need to make changes to the kernel to enable tracing and profiling, IDC stated.
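The “firewall, load balancing, DNS … from a single location” capability Gillis describes, and the policy enforcement IDC refers to, are expressed in Cilium as a CiliumNetworkPolicy that the eBPF datapath enforces per endpoint. The policy below is an added example written for this article, not from Isovalent or the Cilium project; the namespace, labels and FQDN are constructed placeholders, and the rule structure follows the upstream cilium.io/v2 CRD.

```yaml
# Added example; namespace, labels and FQDN are constructed placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-egress
  namespace: shop
spec:
  # Applies to pods carrying the label app=payments in the "shop" namespace.
  endpointSelector:
    matchLabels:
      app: payments
  ingress:
  # Only the checkout service may reach the payments API, and only on 8443/TCP.
  - fromEndpoints:
    - matchLabels:
        app: checkout
    toPorts:
    - ports:
      - port: "8443"
        protocol: TCP
  egress:
  # DNS is permitted only to kube-dns; the dns rule turns on Cilium's
  # DNS-aware proxy, which records every lookup so the toFQDNs rule below
  # can map names to the IPs the workload actually resolved.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # Outbound traffic is limited to one named external provider on 443/TCP;
  # any other destination, including other pods, is dropped by default.
  - toFQDNs:
    - matchName: "api.payments-provider.example"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because the policy selects endpoints by label rather than by IP, it keeps working as pods are rescheduled, and `cilium monitor --type drop` or Hubble flow logs show which rule denied a given packet.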
“Cilium gained high adoption with hyperscalers and cloud providers because of its unparalleled visibility into the behavior and communication of cloud native applications and seamless ability to define the policy of a software-defined network,” Gillis wrote in a recent blog about Cisco’s Isovalent buy.
Cilium is used by AWS, Netflix, Google, Adobe and others to support networking, network policy, and network visibility services.
Isovalent recently introduced Cilium Mesh to allow for the easy connection of Kubernetes clusters with existing infrastructure across hybrid clouds, Gillis noted.
“Tetragon provides security controls to protect workloads as they run by gathering detailed information about the application’s internal processes and how they behave on the network,” Gillis said. “This broad insight provides the highest form of protection for workloads running on any cloud. Tetragon also includes important compliance capability and integration with tools cloud providers and enterprises use to monitor and remediate security incidents.”
It’s unclear how Cisco will use the Isovalent technologies, though they could fit into a number of the vendor’s strategic platforms, such as its Cloud Security, Full Stack Observability (FSO), Networking Cloud and others.
Isovalent could also be a part of Cisco’s Panoptica package, which lets developers and engineers provide cloud-native security from application development to runtime. Panoptica offers a single interface for comprehensive container, serverless, API, service mesh, and Kubernetes security, it scales across multiple clusters with an agentless architecture, and it integrates with CI/CD tools and language frameworks across multiple clouds.
“Isovalent’s Cilium Mesh complements Cisco software-defined networking solutions and together would give customers seamless and secure networking from the branch office to the data center, to the public cloud, using one continuous mesh,” Gillis said. “Hardware acceleration of networking functions will ensure that the already performing eBPF platform will continue to lead the industry. By leveraging the threat intelligence of Cisco Talos and Cisco’s increasingly powerful security analytics capability, Cisco and Isovalent will together build leading-edge protection for any workload on any cloud.”
Gillis added that Cisco will continue to be a key contributor to Cilium and Tetragon as open-source projects and intends to create an independent advisory board to help steer Cisco’s contributions to create multicloud security and networking capabilities that are truly unique.