June 20, 2017

NiOS

NiOS – The Next Generation Secure, Hyper-scale & Programmable Network Operating System

When we started our quest for the future of networking technologies, we realized that the Network Operating System, the fundamental technology that is the brain behind every networking device, cannot be based on platforms that were designed 15-20 years ago. The unprecedented growth in bandwidth and in the number of users was hard to imagine when these platforms were designed. Security was not even a consideration, as moving the packet from one point to another efficiently was the only focus. The proof is that hundreds of vulnerabilities keep getting reported and exploited on these platforms year after year, resulting in the loss of billions of dollars to the global GDP.

This is what motivated us to take a ground-up approach to building the next generation Network Operating System, NiOS™, on the foundation blocks of security, scalability and programmability.

Security

Security in a Network Operating System is like the concrete that binds a building together: it needs to be part of the very DNA. Ignoring security in a Network OS is not an option and, most importantly, it is very difficult to fix as an afterthought. Most of the existing Network OSes in the market were designed 15-20 years ago and are only capable of patching security holes rather than taking a comprehensive approach to security at an architectural level.

At Nivetti, security is an effort woven across the development process. For NiOS™, the security focus was put in place from day one, whether in the coding guidelines derived from the team’s rich experience and best practices, the choice of home-grown secure library functions that are used instead of the standard C libraries, or the team’s mindset of looking for holes in every new protocol that is introduced. Validating NiOS™ security against third-party security tools was also incorporated in the development process to check the robustness of the system from time to time.

NiOS™ takes a holistic approach to security, starting from the kernel and low-level drivers and going all the way up to the protocols and applications. NiOS™ strictly implements the principles of monitoring, isolation and containment through a highly modular architecture that runs all features and functionality in user space over a microkernel architecture. These applications are monitored for any anomalies in behavior by a supervisory function called the “Service Manager”. This implies that even in a worst-case scenario, if an application or a module gets compromised, it will be restarted by the Service Manager, without impacting system functionality, to prevent remote code execution.

In spite of all the above efforts, a networking device can still become vulnerable because of misconfiguration or a lack of security awareness among field operatives. For example, an administrator who inadvertently does not choose a secure protocol option can make the system vulnerable. NiOS™ solves this problem by using the concept of secure defaults. This means that a device running NiOS™ is shipped with the most secure default configuration options, fortifying the device by default. An administrator needs to take a conscious decision to strip down the guards put in by default, despite the warning messages thrown by the system in such an event. Our research proves that this makes administrators think and research before changing any secure default option and drastically reduces misconfiguration-led security incidents. Not changing secure defaults can also be enforced by an organization policy. This holistic, ground-up approach is what makes NiOS™ one of the most secure network operating systems in the industry.

For more details on the security aspects of NiOS™, please write to contactus@nivettisystems.com.

Scalability & Performance

With higher speeds and more and more people getting connected to the internet, routers and datacenter switches need to handle tens of thousands of interfaces and millions of routes. This kind of scalability requirement was hard to foresee for any system that was designed more than a couple of decades ago. At Nivetti, this requirement was not only foreseen but relentlessly pursued in every aspect of NiOS™ design and development.

One of the key innovations in NiOS™ is the non-blocking, asynchronous, event-driven architecture which forms the very heart of the system. This is the magic sauce which makes NiOS™ scalable to millions of routes, interfaces and sessions.

Network operating systems are complex. They run multiple applications and perform multiple tasks simultaneously, with interdependencies and a need for communication between them. A non-blocking design not only improves CPU utilization by reducing the CPU cycles wasted idling in a blocked state, but also reduces the CPU cycles wasted on the excessive context switches that are characteristic of a typical blocking system. A blocking design forces a sort of serialization on the system: even though many tasks or processes may exist, most of the time work simply shifts from one to another. In a multi-processor system, a blocking design fails to take advantage of the multiple processors because of this serialization. In contrast, a non-blocking design is ideal for a multi-processor system. It can take advantage of multiple processors and, moreover, it scales with the number of processors.

To summarize, the ground-up scalability approach of NiOS™ makes it future-proof and versatile enough to manage high-density applications like core routing and datacenter switching.

In terms of performance, it’s not only the operating system but also the application implementation which plays a key role. Nivetti recognized and pursued the goal of optimizing the application implementation, not only to leverage the efficiencies of the OS but also to improve how the applications themselves manage and manipulate their data structures. An excellent example of this is the NiOS™ OSPF stack, which is capable of providing sub-second convergence on even a large single-area OSPF network. For the same reason, every protocol, every application and the entire networking stack is developed from the ground up by Nivetti to deliver high performance with security.

Programmability and Extensibility

Each customer is unique in the way they want to use their networking devices, the applications they want to run on them, and the way they want to integrate them with their day-to-day operations. This level of customization needs a highly flexible, programmable and extensible platform which allows such customization with ease.

Keeping this in mind, NiOS™ was developed as a platform that provides native support for an XML-based programming interface and a set of OpenAPIs with which customers can build their own applications to extend the functionality of the devices. NiOS™ OpenAPIs can be used by tech-savvy customers who have their own skilled IT workforce to build such applications, or by Nivetti partners who build differentiated features for their customers or provide this as a service to them.

This NiOS™ programmable layer allows granular control of configuration down to the individual parameter level and hence enables automation of any network function, making it a fully SDN-capable platform. Even here security has been given paramount importance: bidirectional authentication mechanisms allow only mutually authenticated endpoints to access the programmable interface.