Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Enterprise Firewalls’ Top Requirement: Scalability

Second in a Series on Evaluating New Firewalls: Why Scalability is Important to Sustain Protections through Network Growth and Scale.

I realize it may sound a little odd to put firewall scalability ahead of security. After all firewalls are, at their core, access control devices – the ultimate Internet traffic police.

Second in a Series on Evaluating New Firewalls: Why Scalability is Important to Sustain Protections through Network Growth and Scale.

I realize it may sound a little odd to put firewall scalability ahead of security. After all firewalls are, at their core, access control devices – the ultimate Internet traffic police.

Read Part 1 of this Series > Firewall Wars 2.0 – Are You Armed?

Yet, firewalls are now a 20-year-old technology. Toolkits to build packet filters based on access control lists (ACLs) have existed almost since the inception of the Internet in the early ’90s. Since, advancements to make firewalls stateful, adaptive and adept at mitigating threats in near real time have made these devices quite sophisticated.

Firewall Evaluation Information

But the truth is that the security capabilities of firewalls in the top tier of the market – built for the protection of enterprise and organizational assets – are quite similar.

There is a shared ‘table stakes feature set,’ if you will, which makes these firewalls suitable for safeguarding high-value data and transactions. So rather than the security feature set, which does vary greatly among enterprise and service provider-grade firewalls, the table stakes feature set can deliver sophisticated protections at scale.

Delivering security while enabling high performance for applications, ensuring fault tolerance and accommodating network expansion is tough stuff. And, when it comes to grading firewalls for these capabilities, there is significant difference among offerings.

However, because the testing of firewall scalability is not standardized, most data sheets present scalability information in a narrow way – a way that represents the testing methodology and architectural approach for a given vendor. In other words, comparing different vendors’ products can be quite frustrating because of the time it takes to create a singular test bed for an apples-to-apples comparison.

If you aren’t inclined to set up your own test lab, then you may seek out the test results conducted by third parties. Depending on the lab, however, the comparative test may be vendor-commissioned, meaning there is a possibility that test method favors the vendor who commissioned the test. If it is indeed an independent test, you may still find that the test bed reflects the preferences of the testing entity and may not include features or a general set-up that can be applied to your traffic mix and performance needs.

Still, scalability is perhaps the most critical requirement you need to vet when purchasing an enterprise or service provider grade firewall. Consider, for example, a firewall that includes many features for in-line threat management including anti-virus, URL filtering, VPN, and intrusion prevention (these boxes are often called UTMs and some called them next generation firewalls).

This solution may appear to deliver a lot of value from a check-box feature set perspective. But if it can’t handle your high throughput revenue-generating applications, then it is of little value in your particular environment and, in fact, may be an impediment.

So, if the time has come for you to refresh your high-end firewalls and you are starting your research, consider the following dos and don’ts:

1. Do not presume that data sheet performance data reflects the real world.

2. Do not base your choice on the performance test results of a single lab.

3. Do not limit your scalability requirement to firewall throughput.

4. Do conduct your own test of different vendor solutions if you have the time.

5. Do ask for throughput data for the other firewall features like intrusion prevention, anti-virus, etc.

6. Do ask vendors whether their quoted numbers represent a one-time maxima or continuous operation (i.e. Simultaneous connections for VPN can be quoted as a one-time max or an ongoing operation best effort maximum).

7. Do ask about firewall scaling for throughput and understand whether the process for adding capacity is seamless or disruptive.

8. Do ask for details about fault tolerance such as: Is failover seamless? How many firewalls can be chained in a cluster?

9. Do ask about control plane and data plane separation to understand how traffic patterns and failures of those communication paths affect firewall operation.

10. Finally, do go into the process knowing your traffic mix and minimum requirements for throughput, simultaneous connections and failover time.

When it comes to evaluating firewalls for enterprises, it’s important to understand that the market’s top offerings reflect comprehensive and sophisticated security advancements. Today, vendors differ primarily on the tradeoffs they have made to deliver this sophistication at the expense of scale. Some solutions are tilted in one area, while others have a better price performance balance and feature mix.

The best way to ensure the highest security for your environment is to have technology that can sustain its protections through network growth and scale.

Read Part 1 of this Series: Firewall Wars 2.0 – Are You Armed?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...