How to Build a Massively Scalable Next-Generation Firewall




Seven measures of scalability, and how to use them to evaluate NGFWs

Scalable is not just big or fast. When it comes to advanced technologies like Next-Generation Firewalls, you can't rely on a single measure like Mbps for stateful packet inspection to tell you how a security appliance will perform under real-world conditions. In this paper, we will discuss seven measures of performance and scalability, and how you can use them to select a Next-Generation Firewall. We will also outline the kind of technical innovations needed to produce a massively scalable Next-Generation Firewall, and take a quick look at results from a benchmark test comparing some of the leading examples.

TABLE OF CONTENTS

Why Scalability Is Important
Seven Measures of Performance and Scalability, and When to Use Them
How to Create a Massively Scalable Next-Generation Firewall
The Proof: Results from a Benchmark Test

Why Scalability Is Important

Better Security: Traditional firewalls scan packet headers and apply rules to forward or block the packets. Next-Generation Firewalls do far more work: they inspect packet payloads, apply advanced malware detection and intrusion prevention techniques, perform content filtering, decrypt Secure Sockets Layer (SSL) traffic, control application traffic, and prevent employees from using non-business Web applications. These activities greatly improve security, but they require much more processing power. When non-scalable appliances max out, administrators typically turn off some security functions.[1] This opens up the network to malware and attacks.

Lower Costs: One enterprise Next-Generation Firewall can replace multiple firewall and intrusion prevention systems. This consolidation reduces hardware and software license expenses, as well as deployment and administration costs.

Higher Productivity: When utilization rises, most Next-Generation Firewalls are forced to buffer network packets and inspect them in memory. This slows network performance and hurts employee productivity. A massively scalable Next-Generation Firewall can inspect even very large files at near wire speed, so employee productivity is not affected.[2]

Seven Measures of Performance and Scalability, and When to Use Them

Performance and scalability cannot be boiled down to a single measure for Next-Generation Firewalls. The following are seven measures to use when selecting the right solution for your environment. These measures are often (although not always) available in vendor data sheets and in the reports of independent benchmark tests.

1. Performance with stateful packet inspection. Firewalls that perform stateful packet inspection inspect packet headers, track the state of network connections (such as TCP streams), and apply rules to block or forward packets. Maximum throughput with stateful packet inspection, measured in Mbps or Gbps, was a meaningful measure of performance for traditional stateful packet inspection firewalls. However, it doesn't reflect the workload of Next-Generation Firewalls with their extra security capabilities. It should be given very little weight unless an appliance is going to be used in an environment with minimal security requirements.

[1] "Many IT security pros shut off security to improve performance, survey finds," Infosecurity, July 21, 2011
[2] For more details on why scalability is important, see the Executive Brief on Enterprise Next-Generation Firewalls

2. Performance with deep packet inspection. Deep packet inspection (DPI) involves inspecting the application content or payload of network packets, as well as the headers. Most of the extra security capabilities of Next-Generation Firewalls, such as malware detection, intrusion prevention, SSL decryption, content filtering and application control, are based on DPI. Maximum throughput with deep packet inspection, measured in Mbps or Gbps, is a much more meaningful indicator of Next-Generation Firewall performance than throughput with stateful packet inspection.

3. New connections per second. In enterprise environments, millions of connections are created and dropped every minute. New connections per second measures the ability of a firewall to promptly handle new user traffic. In some ways, it is analogous to measuring acceleration: if many remote users log in at once, can the appliance pick up speed and handle them right away, or will it stall and slow down network performance? New connections per second is an important measure to consider if you have a large number of network users, particularly if they connect and log out frequently. Be aware, however, that some vendors publish connections-per-second statistics with DPI turned off. That test setting does not simulate real-world conditions.

4. Simultaneous connections with DPI enabled. The maximum number of simultaneous connections, measured in thousands or millions, represents the number of network sessions that the Next-Generation Firewall can handle at peak times. Obviously, this is an important measure for large enterprises with large numbers of network users. Again, beware of vendors that publish measurements of connections with DPI turned off.

5. Performance with SSL decryption. SSL traffic is widely used by banks, online retailers and cybercriminals to shield Web traffic from inspection. The ability to decrypt, scan and reassemble SSL-encrypted packets is one of the key security advantages of Next-Generation Firewalls, but it is very resource-intensive. If you have SSL traffic crossing your network boundary, then SSL decryption performance, measured in Mbps or Gbps, is a key metric for understanding how the Next-Generation Firewall will behave under real-world conditions. A related metric is how many simultaneous connections can be decrypted and inspected.
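Measures 3 and 4 only become useful once you know what your own network generates, since a datasheet's connections-per-second figure has to be compared against a real peak. The following is an added example (not code from the paper or from Dell SonicWALL) that derives those two numbers from a session log: the busiest one-second bucket of new connections, and the peak number of simultaneously open sessions found with a sweep over start and end events. It also reports the share of sessions to port 443 as a rough hint for how much weight measure 5 deserves. The log format and the sample lines are constructed for this example.

```python
"""Derive firewall sizing inputs from a session log.

Added example, not from the paper: computes peak new connections per
second and peak simultaneous connections (measures 3 and 4) from a list
of sessions, plus the share of sessions to TCP/443 as a hint for measure 5.
The log format is hypothetical; the sample lines are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: start time (ISO 8601), source IP, destination
# IP:port, session duration in seconds.
SAMPLE_LOG = """\
2024-05-01T09:00:00,10.0.0.11,203.0.113.5:443,30
2024-05-01T09:00:00,10.0.0.12,203.0.113.5:443,2
2024-05-01T09:00:00,10.0.0.13,203.0.113.9:80,45
2024-05-01T09:00:01,10.0.0.14,203.0.113.5:443,1
2024-05-01T09:00:01,10.0.0.15,203.0.113.5:443,60
2024-05-01T09:00:03,10.0.0.11,203.0.113.9:80,5
2024-05-01T09:00:03,10.0.0.16,203.0.113.7:22,600
2024-05-01T09:00:04,10.0.0.17,203.0.113.5:443,10
"""


def parse_log(text):
    """Return a list of (start, end, src, dst) tuples, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start_s, src, dst, duration = line.split(",")
        start = datetime.fromisoformat(start_s)
        end = start + timedelta(seconds=int(duration))
        sessions.append((start, end, src, dst))
    return sessions


def peak_new_connections_per_second(sessions):
    """Measure 3: the busiest one-second bucket of session starts."""
    per_second = Counter(start.replace(microsecond=0) for start, _, _, _ in sessions)
    return max(per_second.values(), default=0)


def peak_concurrent_connections(sessions):
    """Measure 4: sweep-line over start (+1) and end (-1) events.

    Ends sort before starts at the same instant, so a session that closes
    exactly when another opens is not counted as overlapping.
    """
    events = []
    for start, end, _, _ in sessions:
        events.append((start, 1, +1))
        events.append((end, 0, -1))
    events.sort()
    current = peak = 0
    for _, _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def tls_share(sessions):
    """Fraction of sessions whose destination port is 443 (hint for measure 5)."""
    if not sessions:
        return 0.0
    tls = sum(1 for _, _, _, dst in sessions if dst.endswith(":443"))
    return tls / len(sessions)


def sizing_summary(log_text):
    """Everything a datasheet comparison for measures 3 to 5 needs, in one dict."""
    sessions = parse_log(log_text)
    return {
        "sessions": len(sessions),
        "peak_new_connections_per_second": peak_new_connections_per_second(sessions),
        "peak_concurrent_connections": peak_concurrent_connections(sessions),
        "tls_share": tls_share(sessions),
    }


if __name__ == "__main__":
    for key, value in sizing_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports a peak of 3 new connections in one second and 6 concurrent sessions, with 62.5% of sessions on port 443. Run over a day of real session records, the same functions give the numbers to hold against a vendor's connections-per-second and simultaneous-connections figures, provided those figures were measured with DPI enabled.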

6. Latency with DPI enabled. Firewalls with proxy-based designs can have high throughput but still force users to wait for large files to be buffered in memory, inspected and reassembled. So latency with DPI enabled, measured in milliseconds, is an important measure for anticipating how firewall performance will or won't affect end-user productivity. It is particularly important for application response times when large files are transmitted.

7. Maximum file size. Many firewalls place a limit on the size of files they can inspect, typically 100 MB. This is because they need to buffer files in memory but don't have enough memory to handle large files. Therefore, these files must either be quarantined, which is bad for end-user productivity, or passed through without inspection, which is bad for security. The file-size limit is particularly important if you have users who receive or send large files such as zip files, audio and video files, ISO images, and CAD/CAM design files.

How to Create a Massively Scalable Next-Generation Firewall

You can't create a scalable Next-Generation Firewall by taking a traditional firewall architecture and adding duplicate components or inserting a faster CPU. Diminishing returns kick in quickly because of bottlenecks. The only way to create a massively scalable Next-Generation Firewall is to design one from the ground up, taking advantage of a wide range of hardware and software technologies such as the following, used by Dell SonicWALL:

Specialized processors optimized for networking: Standard x86 microprocessors are inefficient for inspecting and forwarding network traffic. Specially designed application-specific integrated circuits (ASICs) are not flexible enough for DPI, and once installed, they can't easily be upgraded or reprogrammed with microcode. The best results are achieved by using CPUs such as Cavium processors that are optimized for processing network traffic. These are extremely well suited to inspecting data payloads and packet forwarding. They also consume much less power and generate less heat than conventional microprocessors, so more of them can be used together in parallel processing systems.

[Figure 1: Example of a multi-core architecture to support parallel processing (from the Dell SonicWALL E10000 Series)]

Multi-core architecture and parallel processing: Parallel processing is a critical enabler for enterprise-class performance and scalability. It allows dozens of processors to split the work of inspecting thousands of streams of traffic. Parallel processing can:

- Dramatically increase throughput.
- Increase new connections per second.
- Increase maximum simultaneous connections.

Next-Generation Deep Packet Inspection: Advanced hardware alone is not sufficient to create a massively scalable Next-Generation Firewall. The vendor also needs to develop an optimized single-pass engine for DPI. For example, Dell SonicWALL has developed the patented Reassembly-Free Deep Packet Inspection (RFDPI) engine, which performs highly efficient pattern matching within file attachments and many compressed archives, regardless of file size and independent of protocol. RFDPI techniques go far beyond simple security countermeasures. The RFDPI engine analyzes factors such as packet type and expected content for file types. It applies heuristic techniques (for example, flagging password-protected compressed files) and uses application control to apply granular controls to specific Web applications.[3] The efficient RFDPI software engine also eliminates the need for buffering large files in memory. This can:

- Reduce latency.
- Eliminate the need to cap file sizes.

The Proof: Results from a Benchmark Test

Independent third-party tests are useful for validating vendor claims about performance and scalability. In April 2012, Network World published an in-depth analysis of four leading Next-Generation Firewalls. These Mixed-HTTP Content Handling tests involved simulating enterprise network traffic with objects of different sizes and file types, designed to closely approximate the loads handled by firewalls in real-world environments.

[3] For more details on the technologies that go into a massively scalable Next-Generation Firewall, see Why Protection and Performance Matter
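The memory property behind measures 6 and 7 and behind the reassembly-free engine described above can be shown in a few dozen lines. The following is an added example in Python; it is not Dell SonicWALL's RFDPI engine, only a minimal illustration of the contrast between a proxy-style design that must reassemble an object before scanning it and a single-pass design that scans each packet as it arrives. The signatures, the packet payload size, the sample object and the file-size cap are all constructed for this example. The stream scanner carries over only the last (longest signature minus 1) bytes between packets, which is enough to catch a pattern that straddles a packet boundary while its memory stays constant whatever the object size; the buffering scanner needs the whole object and, past its cap, can only pass it uninspected or quarantine it.

```python
"""Streaming (reassembly-free) signature matching versus buffer-then-scan.

Added example, not Dell SonicWALL's RFDPI engine.  Both scanners look for
the same constructed signatures in the same object; they differ in how
much of the object they must hold in memory, which is the property behind
measures 6 (latency) and 7 (maximum file size).
"""

# Constructed signatures for the example; not real malware patterns.
SIGNATURES = [b"EVIL-PATTERN", b"BAD-MACRO"]

PACKET_PAYLOAD = 1460  # bytes per chunk; a typical TCP segment payload size


def make_chunks(data, size=PACKET_PAYLOAD):
    """Yield the object as it would arrive: one payload-sized chunk at a time."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def build_sample_object(total=1024 * 1024, signature=b"EVIL-PATTERN", offset=145_995):
    """Constructed 1 MiB object with one signature written so that it straddles
    the boundary between chunk 99 and chunk 100 (100 * 1460 = 146,000)."""
    data = bytearray(b"A" * total)
    data[offset:offset + len(signature)] = signature
    return bytes(data)


class BufferingScanner:
    """Proxy-style design: reassemble the whole object, then scan it."""

    def __init__(self, signatures, max_object_size):
        self.signatures = signatures
        self.max_object_size = max_object_size

    def scan(self, chunks):
        buf = bytearray()
        for chunk in chunks:
            buf.extend(chunk)
            if len(buf) > self.max_object_size:
                # Past the cap the object must be quarantined or passed
                # through uninspected; either way it is not scanned.
                return {"verdict": "uninspected", "peak_buffer": len(buf)}
        hit = any(sig in buf for sig in self.signatures)
        return {"verdict": "hit" if hit else "clean", "peak_buffer": len(buf)}


class StreamScanner:
    """Single-pass design: scan each chunk as it arrives, carrying over only
    the last (longest signature - 1) bytes so boundary-straddling matches
    are still found.  Memory is bounded by one chunk plus that carry-over."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.carry = max(len(sig) for sig in signatures) - 1

    def scan(self, chunks):
        tail = b""
        peak = 0
        for chunk in chunks:
            window = tail + chunk
            peak = max(peak, len(window))
            if any(sig in window for sig in self.signatures):
                return {"verdict": "hit", "peak_buffer": peak}
            tail = window[-self.carry:] if self.carry else b""
        return {"verdict": "clean", "peak_buffer": peak}


def compare(sample, cap):
    """Run both designs over the same object; returns both result dicts."""
    return {
        "buffering": BufferingScanner(SIGNATURES, cap).scan(make_chunks(sample)),
        "streaming": StreamScanner(SIGNATURES).scan(make_chunks(sample)),
    }


if __name__ == "__main__":
    sample = build_sample_object()
    for name, result in compare(sample, cap=512 * 1024).items():
        print(f"{name}: {result}")
```

With a 512 KiB cap the buffering scanner gives up on the 1 MiB object without ever seeing the signature, while the stream scanner finds the straddling pattern with a peak working set of 1,471 bytes (one packet plus 11 carry-over bytes). Raising the cap lets the buffering scanner find the same pattern, but only after holding the full 1,048,576 bytes, which is the latency and memory cost that measures 6 and 7 expose. A real engine would use a multi-pattern automaton rather than repeated substring searches, but the carry-over bound is the same.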

The testers varied the conditions of the tests by running them with only the firewall turned on; with the firewall and intrusion prevention system features turned on; and with firewall, antivirus, antispyware and IPS features all turned on. The tests were further varied by sending the traffic in cleartext and again encrypted using SSL. Summaries of key results are shown in Figure 2.

The Dell SonicWALL SuperMassive E10800 came out on top, with the best performance on five of the six tests. In the most demanding test in this series, scanning SSL traffic with firewall, antivirus, antispyware and IPS features turned on, the Dell SonicWALL appliance outperformed the second-fastest device by 18% (11,305 Mbps vs. 9,544 Mbps) and the other two devices by more than 100% (11,305 Mbps vs. 5,266 Mbps and 4,648 Mbps).

[Figure 2: Network World Clear Choice Test for Next-Generation Firewalls, Mixed-HTTP Content Handling tests]

A related Network World article noted: "[Dell] SonicWALL's SuperMassive can decrypt SSL traffic very fast; in fact, these one-off tests show it to be the fastest device by far."[4]

Learn more about Enterprise Next-Generation Firewalls at www.dell.com/us/enterprise/p/network-security.

[4] For more details on this and other NGFW benchmarks, see: Clear Choice Test: Next-Generation Firewalls (http://www.networkworld.com/reviews/2012/042312-firewalls-test-258120.html), Scaling Up With SonicWALL's Supermassive (http://www.networkworld.com/reviews/2012/042312-firewalls-test-sonicwall-258138.html), and What to Look for When Evaluating Next-Generation Firewalls (http://www.bitpipe.com/resource/1354736280_374).