Second in a Series on Evaluating New Firewalls: Why Scalability is Important to Sustain Protections through Network Growth and Scale.
I realize it may sound a little odd to put firewall scalability ahead of security. After all firewalls are, at their core, access control devices – the ultimate Internet traffic police.
Read Part 1 of this Series > Firewall Wars 2.0 – Are You Armed?
Yet, firewalls are now a 20-year-old technology. Toolkits to build packet filters based on access control lists (ACLs) have existed almost since the inception of the Internet in the early ’90s. Since, advancements to make firewalls stateful, adaptive and adept at mitigating threats in near real time have made these devices quite sophisticated.
But the truth is that the security capabilities of firewalls in the top tier of the market – built for the protection of enterprise and organizational assets – are quite similar.
There is a shared ‘table stakes feature set,’ if you will, which makes these firewalls suitable for safeguarding high-value data and transactions. So rather than the security feature set, which does vary greatly among enterprise and service provider-grade firewalls, the table stakes feature set can deliver sophisticated protections at scale.
Delivering security while enabling high performance for applications, ensuring fault tolerance and accommodating network expansion is tough stuff. And, when it comes to grading firewalls for these capabilities, there is significant difference among offerings.
However, because the testing of firewall scalability is not standardized, most data sheets present scalability information in a narrow way – a way that represents the testing methodology and architectural approach for a given vendor. In other words, comparing different vendors’ products can be quite frustrating because of the time it takes to create a singular test bed for an apples-to-apples comparison.
If you aren’t inclined to set up your own test lab, then you may seek out the test results conducted by third parties. Depending on the lab, however, the comparative test may be vendor-commissioned, meaning there is a possibility that test method favors the vendor who commissioned the test. If it is indeed an independent test, you may still find that the test bed reflects the preferences of the testing entity and may not include features or a general set-up that can be applied to your traffic mix and performance needs.
Still, scalability is perhaps the most critical requirement you need to vet when purchasing an enterprise or service provider grade firewall. Consider, for example, a firewall that includes many features for in-line threat management including anti-virus, URL filtering, VPN, and intrusion prevention (these boxes are often called UTMs and some called them next generation firewalls).
This solution may appear to deliver a lot of value from a check-box feature set perspective. But if it can’t handle your high throughput revenue-generating applications, then it is of little value in your particular environment and, in fact, may be an impediment.
So, if the time has come for you to refresh your high-end firewalls and you are starting your research, consider the following dos and don’ts:
1. Do not presume that data sheet performance data reflects the real world.
2. Do not base your choice on the performance test results of a single lab.
3. Do not limit your scalability requirement to firewall throughput.
4. Do conduct your own test of different vendor solutions if you have the time.
5. Do ask for throughput data for the other firewall features like intrusion prevention, anti-virus, etc.
6. Do ask vendors whether their quoted numbers represent a one-time maxima or continuous operation (i.e. Simultaneous connections for VPN can be quoted as a one-time max or an ongoing operation best effort maximum).
7. Do ask about firewall scaling for throughput and understand whether the process for adding capacity is seamless or disruptive.
8. Do ask for details about fault tolerance such as: Is failover seamless? How many firewalls can be chained in a cluster?
9. Do ask about control plane and data plane separation to understand how traffic patterns and failures of those communication paths affect firewall operation.
10. Finally, do go into the process knowing your traffic mix and minimum requirements for throughput, simultaneous connections and failover time.
When it comes to evaluating firewalls for enterprises, it’s important to understand that the market’s top offerings reflect comprehensive and sophisticated security advancements. Today, vendors differ primarily on the tradeoffs they have made to deliver this sophistication at the expense of scale. Some solutions are tilted in one area, while others have a better price performance balance and feature mix.
The best way to ensure the highest security for your environment is to have technology that can sustain its protections through network growth and scale.
Read Part 1 of this Series: Firewall Wars 2.0 – Are You Armed?