Layered Security Model
ASTRA implements defense-in-depth through multiple architectural layers, each providing distinct security guarantees. The key insight is separating the control plane from the data plane—tenant traffic never touches the control infrastructure.
Six Pillars of Protection
ASTRA's security model is built on six foundational principles that work together to provide comprehensive tenant isolation.
Hardware Root of Trust
Secure boot chain and TPM-based attestation ensure DPU integrity.
Network Segmentation
VLANs, VXLANs, and hardware-enforced tenant boundaries.
Encryption Everywhere
Line-rate IPSec and TLS for all inter-tenant traffic.
Policy Enforcement
Hardware-enforced ACLs that can't be bypassed by software.
Audit & Telemetry
Per-flow logging and real-time anomaly detection.
Blast Radius Containment
Compromised tenant cannot affect other tenants or infrastructure.
Trust Domain Separation
ASTRA divides the system into three distinct trust domains, with the DPU acting as the security boundary between untrusted host workloads and the trusted network fabric.
Packet Trust Chain
Every packet traversing ASTRA goes through a multi-stage trust verification process. The DPU validates identity, policy, and encryption before forwarding.
Security Comparison
Traditional software-based isolation leaves significant attack surface. ASTRA's hardware-based approach eliminates entire classes of vulnerabilities.
| Security Aspect | Traditional (Software) | ASTRA (Hardware) |
|---|---|---|
| Policy Bypass Risk | High (kernel exploits) | None (hardware-enforced) |
| Performance Impact | 10-30% overhead | 0% (line rate) |
| Side-Channel Exposure | Multiple vectors | Hardware isolated |
| Audit Completeness | Best-effort logging | 100% flow visibility |
| Encryption Coverage | Performance limited | All traffic at line rate |
Orchestration Workflow
ASTRA automates the complete tenant lifecycle—from provisioning to teardown—with sub-second latency and zero-touch security configuration.