
Scaling NGFW for data center modernization

A network-based model for scaling network security to solve complex and demanding data center operations

Abstract

To enable the growing digital business, expectations for IT organizations to lead and deliver value, responsiveness and security have reached an all-time high. Innovative services plus increased data and capacity requirements compel IT leaders to address new operational challenges through data center modernization. That includes scaling firewall processing to keep pace with increasing threat traffic, as IT is continually challenged to balance network security and performance. However, a traditional scale-up approach leveraging high availability (HA) firewall deployment (1+1) is not a sustainable solution to meet today’s performance demand.

This executive brief explores the limitations of current scaling approaches, identifies requirements needed to overcome them and recommends a viable alternative.

Growing threat-analysis demands

Demands for faster firewall inspection speed have increased due to the growing amount of encrypted traffic that requires deeper analysis. To prevent unauthorized data access and protect user privacy, organizations are increasingly encrypting traffic with SSL/TLS and HTTPS to establish secure communication over the internet. Roughly 15 to 25 percent of total internet traffic [1] and 35 percent of enterprise traffic [2] is encrypted with SSL/TLS. SonicWall threat research analysts have observed HTTPS reaching nearly 65 percent of total hits. [3] Furthermore, each month throughout 2015 saw an average 53 percent increase over the corresponding month in 2014.

The irony of encrypting traffic is that criminals use it to hide malware as well. By 2017, half of all inbound and outbound attacks will be encrypted, and therefore obfuscated, by SSL/TLS. [1]

Yet only about 20 percent of enterprises have deployed next-generation firewalls (NGFWs) that can inspect inbound and outbound SSL/TLS traffic. [1] A recent high-profile attack distributed malware hidden inside HTTPS at a rate of 27,000 visited users per hour, yet most firewalls were unable to see the attack. [4]

Obviously, today’s firewalls need to scan encrypted traffic and perform other deep packet inspection (DPI) functions. However, decrypting, analyzing and re-encrypting traffic takes a significant toll on firewall performance.

The performance hit

Organizations have struggled to scale processing capacity to maintain performance while still addressing increasing security processing requirements. Modern networks can incorporate Ethernet connections ranging from 1 to 40 Gbps or higher for both incoming and outgoing traffic. However, the network security layer can create a big bottleneck at the same time. The processing cycles required to perform DPI of SSL/TLS and other network security functions take a significant toll on throughput performance – as high as 81 percent, according to a 2013 NSS Labs report. [2]

For example, a network security deployment might include an active/backup firewall pair. If the active unit has a processing capacity of 10 Gbps, and all security services are activated, DPI throughput performance can drop to 5 Gbps. If SSL/TLS inspection is also activated, it then drops to 2 Gbps.

Why the current scaling approach is unsustainable

Many organizations have scaled their network security architecture by simply deploying a pair of large chassis-based firewalls in a 1+1 approach in an attempt to build out increasingly massive processing capacity. However, this approach is unsustainable. Scaling up hardware in this way results in increasingly larger platforms that consume more power, take up more rack space and cost more to purchase and operate.

Moreover, this 1+1 approach fails to deliver the resiliency and security that organizations need. In typical 1+1 high availability (HA) deployments, failure of one device results in 100 percent of the traffic moving to the backup device (likely without state sync for DPI traffic), requiring massive resets of data connections, which impacts efficacy. Failure of both devices takes an entire network down and creates massive business disruption.

Exploring viable alternatives

There are other factors worth considering. For example, how might you enhance performance by splitting functions across multiple firewalls? Or what if you already have a next-generation firewall pair, but want to add users, increase bandwidth or deploy DPI services? How could you add DPI or DPI-SSL functionality to legacy firewalls that don’t currently provide those services, without doing forklift replacements with newer next-generation firewalls? Physically replacing those firewalls also adds risk because of the necessary configuration changes and policy migration, including stateful firewall NAT rules.

Unfortunately, using the current approach you can’t address all of these issues in a single platform. This means you are faced with segmenting your network and adding more platforms or replacing your current investment in platforms with bigger, more expensive higher-performing platforms. Even then, you are limited by the fact that any single firewall will eventually reach its peak capacity, which prompts another upgrade cycle.

What is needed is a blueprint for deploying a network-based, scale-out security layer architecture that offers N+1 redundancy instead of 1+1, without reliance on complex HA or clustering protocols.
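The capacity argument made above (the 10/5/2 Gbps example, the 100 percent traffic shift on a 1+1 failover, and N+1 scale-out) carried through as a small capacity-planning model. This is an added illustration, not SonicWall's code or sizing tool; it assumes the brief's per-unit throughput figures and, for the scale-out case, that the network spreads load evenly across all N+1 units.

```python
import math
from dataclasses import dataclass

# Per-unit throughput taken from the brief's example: 10 Gbps stateful,
# 5 Gbps with all DPI services on, 2 Gbps once DPI-SSL is added.
UNIT_THROUGHPUT_GBPS = {"stateful": 10.0, "dpi": 5.0, "dpi_ssl": 2.0}


@dataclass
class Plan:
    model: str
    units: int                    # total firewalls deployed
    capacity_gbps: float          # usable DPI capacity with all units healthy
    after_one_failure_gbps: float  # usable capacity once one unit is lost
    traffic_shifted_pct: float    # share of live flows that move (and may reset) on one failure

    def meets(self, demand_gbps: float) -> bool:
        # The design is only sound if it still carries the load with one unit down.
        return self.after_one_failure_gbps >= demand_gbps


def plan_1_plus_1(mode: str) -> Plan:
    per_unit = UNIT_THROUGHPUT_GBPS[mode]
    # One unit carries everything; the standby adds no capacity, and a
    # failover moves 100% of the traffic to it (no state sync assumed).
    return Plan("1+1", 2, per_unit, per_unit, 100.0)


def plan_n_plus_1(demand_gbps: float, mode: str) -> Plan:
    per_unit = UNIT_THROUGHPUT_GBPS[mode]
    # N units are enough for the demand; one spare absorbs a single failure.
    n = max(1, math.ceil(demand_gbps / per_unit))
    total = n + 1
    # Assumption: all N+1 units share the load evenly, so losing one unit
    # shifts only 1/(N+1) of the flows and leaves N units for the demand.
    return Plan("N+1", total, total * per_unit, n * per_unit, 100.0 / total)


def compare(demand_gbps: float, mode: str) -> dict:
    """Return both designs for a given demand and inspection mode."""
    return {p.model: p for p in (plan_1_plus_1(mode), plan_n_plus_1(demand_gbps, mode))}


if __name__ == "__main__":
    for model, p in compare(12.0, "dpi_ssl").items():
        print(model, p.units, "units,", p.after_one_failure_gbps, "Gbps after a failure,",
              f"{p.traffic_shifted_pct:.1f}% of traffic shifted, meets 12 Gbps:", p.meets(12.0))
```

With 12 Gbps of demand and DPI-SSL enabled, the 1+1 pair tops out at 2 Gbps no matter how it fails over, while seven 2 Gbps units in N+1 still carry 12 Gbps after losing one and shift only about a seventh of the flows.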

Conclusion

A 1+1 scaling approach to firewall performance is not ideal for the modern data center. What IT needs is a better approach: a network-based model for scaling a next-generation firewall (NGFW) to approach or surpass existing or forthcoming solutions for enterprise network security — while providing better performance, increased resiliency and lower total cost of ownership (TCO).

SonicWall offers a better approach. Read our solution brief, A Massively Scalable Approach to Network Security.

[1] D’Hoinne, J. & Hils, A. (2013, December 9). Security Leaders Must Address Threats From Rising SSL Traffic.
[2] Pirc, J. (2014). SSL Performance Problems.
[3] SonicWall (2016). SonicWall Annual Threat Report.
[4] Goldman, J. (2014, January 6). Malicious Yahoo Ads Infected 27,000 Users Per Hour.