How to Build a Massively Scalable Next-Generation Firewall

Transcription

1 How to Build a Massively Scalable Next-Generation Firewall Seven measures of scalability, and how to use them to evaluate NGFWs Scalable is not just big or fast. When it comes to advanced technologies like Next-Generation Firewalls, you can t rely on a single measure like Mbps for stateful packet inspection to tell you how a security appliance will perform under real-world conditions. In this paper, we will discuss seven measures of performance and scalability, and how you can use them to select a Next-Generation Firewall. We will also outline the kind of technical innovations needed to produce a massively scalable NextGeneration Firewall, and take a quick look at results from a benchmark test comparing some of the leading examples.

2 TABLE OF CONTENTS Why Scalability Is Important Seven Measures of Performance and Scalability, and When to Use Them How to Create a Massively Scalable Next-Generation Firewall The Proof: Results from a Benchmark Test

3 Why Scalability Is Important Better Security: Traditional firewalls scan packet headers and apply rules to forward or block the packets. Next-Generation Firewalls do far more work: They inspect packet payloads, apply advanced malware detection and intrusion prevention techniques, perform content filtering, decrypt Secure Sockets Layer (SSL) traffic, control application traffic, and prevent employees from using non-business Web applications. These activities greatly improve security, but they require much more processing power. When non-scalable appliances max out, administrators typically turn off some security functions.1 This opens up the network to malware and attacks. Lower Costs: One enterprise Next-Generation Firewall can replace multiple firewall and intrusion prevention systems. This consolidation reduces hardware and software license expenses, as well as deployment and administration costs. Higher productivity: When utilization rises, most Next-Generation Firewalls are forced to buffer network packets and inspect them in memory. This slows network performance and hurts employee productivity. A massively scalable Next-Generation Firewall can inspect even very large files at near wire speed, so employee productivity is not affected.2 Seven Measures of Performance and Scalability, and When to Use Them Performance and scalability cannot be boiled down to a single measure for Next-Generation Firewalls. The following are seven measures to use when selecting the right solution for your environment. These measures are often (although not always) available in vendor data sheets and in the reports of independent benchmark tests. 1. Performance with stateful packet inspection. Firewalls that perform stateful packet inspection inspect packet headers, track the state of network connections (such as TCP streams), and apply rules to block or forward packets. Maximum throughput with stateful packet inspection, measured in Mbps or Gbps, was a meaningful measure of performance for traditional stateful packet inspection firewalls. However, it doesn t reflect the workload of Next-Generation Firewalls with their extra security capabilities. It should be given very little weight unless an appliance is going to be used in an environment with minimal security requirements. 3 1 Many IT security pros shut off security to improve performance, survey finds, Infosecurity, July 21, For more details on why scalability is important, see Executive Brief on Enterprise Next-Generation Firewalls

4 2. Performance with deep packet inspection. Deep packet inspection (DPI) involves inspecting the application content or payload of network packets, as well as the headers. Most of the extra security capabilities of Next-Generation Firewalls, such as malware detection, intrusion prevention, SSL decryption, content filtering and application control, are based on DPI. Maximum throughput with deep packet inspection, measured in Mbps or Gbps, is a much more meaningful indicator of Next-Generation Firewall performance than throughput with stateful packet inspection. 3. New connections per second. In enterprise environments, millions of connections are created and dropped every minute. New connections per second measures the ability of a firewall to promptly handle new user traffic. In some ways, it is analogous to measuring acceleration: If many remote users log in at once, can the appliance pick up speed and handle them right away, or will it stall and slow down network performance? New connections per second is an important measure to consider if you have a large number of network users, particularly if they connect and log out frequently. Be aware, however, that some vendors publish connections-per-second statistics with DPI turned off. That test setting does not simulate real-world conditions. 4. Simultaneous connections with DPI enabled. Maximum number of simultaneous connections, measured in thousands or millions, represents the number of network sessions that the Next-Generation Firewall can handle at peak times. Obviously, this is an important measure for large enterprises with large numbers of network users. Again, beware of vendors that publish measurements of connections with DPI turned off. 5. Performance with SSL decryption. SSL traffic is widely used by banks, online retailers and cybercriminals to shield Web traffic from inspection. The ability to decrypt, scan and reassemble SSL-encrypted packets is one of the key security advantages of Next-Generation Firewalls, but it is very resource-intensive. If you have SSL traffic crossing your network boundary, then SSL decryption performance, measured in Mbps or Gbps, is a key metric for understanding how the Next-Generation Firewall will behave under real-world conditions. A related metric is how many simultaneous connections can be decrypted and inspected. 4

5 6. Latency with DPI enabled. Firewalls with proxy-based designs can have high throughput but still force users to wait for large files to be buffered in memory, inspected and reassembled. So latency with DPI enabled, measured in milliseconds, is an important measure for anticipating how firewall performance will or won t affect end-user productivity. It is particularly important for application response times when large files are transmitted. 7. Maximum file size. Many firewalls place a limit on the size of files they can inspect typically 100 MB. This is because they need to buffer files in memory but don t have enough memory to handle large files. Therefore, these files must either be quarantined, which is bad for end-user productivity, or passed through without inspection, which is bad for security. The file-size limit is particularly important if you have users who receive or send large files such as zip files, audio and video files, ISO images, and CAD/CAM design files. How to Create a Massively Scalable Next-Generation Firewall You can t create a scalable Next-Generation Firewall by taking traditional firewall architecture and adding duplicate components or inserting a faster CPU. Diminishing returns kick in quickly because of bottlenecks. The only way to create a massively scalable Next-Generation Firewall is to design one from the ground up, taking advantage of a wide range of hardware and software technologies such as the following, used by Dell SonicWALL: Specialized processors optimized for networking: Standard x86 microprocessors are inefficient for inspecting and forwarding network traffic. Specially designed application-specific integrated circuits are not flexible enough for DPI, and once installed, they can t easily be upgraded or reprogrammed with microcode. The best results are achieved by using CPUs such as Cavium processors that are optimized for processing network traffic. These are extremely well suited to inspecting data payloads and packet forwarding. They also consume much less power and generate less heat than conventional microprocessors, so more of them can be used together in parallel processing systems. Figure 1: Example of a multi-core architecture to support parallel processing (from the Dell SonicWALL E10000 Series) 5

6 Multi-core architecture and parallel processing: Parallel processing is a critical enabler for enterprise-class performance and scalability. It allows dozens of processors to split the work of inspecting thousands of streams of traffic. Parallel processing can: p Dramatically increase throughput. p Increase new connections per second. p Increase maximum simultaneous connections. Next-Generation Deep Packet Inspection: Advanced hardware alone is not sufficient to create a massively scalable Next-Generation Firewall. The vendor also needs to develop an optimized single-pass engine for DPI. For example, Dell SonicWALL has developed the patented Reassembly-Free Deep Packet Inspection (RFDPI) engine, which performs highly efficient pattern matching within files attachments and many compressed archives, regardless of file size and independent of protocol. RFDPI techniques go far beyond simple security countermeasures. The RFDPI engine analyzes factors such as packet type and expected content for file types. It applies heuristic techniques for example, flagging password-protected compressed files and uses application control to apply granular controls to specific Web applications.3 The efficient RFDPI software engine also eliminates the need for buffering large files in memory. This can: p Reduce latency. p Eliminate the need to cap file sizes. The Proof: Results from a Benchmark Test Independent third-party tests are useful for validating vendor claims about performance and scalability. In April 2012, Network World published an in-depth analysis of four leading Next-Generation Firewalls. These Mixed-HTTP Content Handling tests involved simulating enterprise network traffic with objects of different sizes and file types, designed to closely approximate the loads handled by firewalls in real-world environments. 3 6 For more details on the technologies that go into a massively scalable Next-Generation Firewall, see Why Protection and Performance Matter

7 The testers varied the conditions of the tests by running them with only the firewall turned on; with the firewall and intrusion prevention system features turned on; and with firewall, antivirus, antispyware and IPS features all turned on. The tests were further varied by sending the traffic in cleartext and again encrypted using SSL. Summaries of key results are shown in Figure 2. The Dell SonicWALL SuperMassive E10800 came out on top, with the best performance on five of the six tests. In the most demanding test in this series scanning SSL traffic with firewall, antivirus, antispyware and IPS features turned on the Dell SonicWALL appliance outperformed the second-fastest device by 18% (11,305 Mbps, vs. 9,544 Mbps) and the other two devices by more than 100% (11,305 Mbps, vs. 5,266 Mbps and 4,648 Mbps). Figure 2: Network World Clear Choice Test for Next-Generation Firewalls, Mixed-HTTP Content Handling tests A related Network World article noted: [Dell] SonicWALL s SuperMassive can decrypt SSL traffic very fast in fact, these one-off tests show it to be the fastest device by far. 4 Learn more about Enterprise Next-Generation Firewalls at For more details on this and other NGFW benchmarks, see: Clear Choice Test: Next-Generation Firewalls ( com/reviews/2012/ firewalls-test html), Scaling Up With SonicWALL s Supermassive ( reviews/2012/ firewalls-test-sonicwall html), and What to Look for When Evaluating Next-Generation Firewalls (