Many organizations are contemplating upgrading their core networks to 10Gbps links, and some have already implemented a 10Gbps core infrastructure. Once the core is upgraded, other networking functions become candidates for upgrade, so it is important to determine whether your security systems must also be able to function at 10Gbps speeds.
Typically firewalling and IPS are functions performed at the edge or perimeter of the network. However, with the erosion of the security perimeter, many organizations are putting these security functions closer to the core of their networks. Some organizations I know of use the model of creating “enclaves” within their environment to separate different groups for security purposes. Filtering is performed between these “enclaves”, similar to the way hatches can close off compartments in a submarine. The administrative burden of maintaining this filtering in the core of these networks is high, but the security risks for these organizations are also extremely high. Because closely inspecting packets and forwarding them quickly on their way are opposing goals, it is difficult to strike the right balance between security and performance.
The question should be asked: how do you achieve inspection of packets that flow by at the astounding rate of 10Gbps? It is difficult for firewalls to scale to multiple Gbps of throughput because deep packet inspection is a CPU-intensive activity. Individual packets must be parsed and their IP header and transport-layer header inspected. If additional payload inspection must be performed, more processing time is required to do this pattern matching and still keep up with the traffic volume. The Input/Output (I/O) capabilities of the hardware data plane (forwarding fabric or bus) itself may also limit the performance of the security system.
Firewall speed is typically governed by the amount of logging, the number of advanced UTM features enabled, and the size of the firewall policy. Even though most firewalls apply a top-down, first-match evaluation of the policy to each packet, they use more sophisticated matching algorithms to speed up the rule lookup, so filtering speed is not linear with respect to the size of the firewall policy. Those optimizations are made in software; Application-Specific Integrated Circuits (ASICs) help firewalls scale their performance further by offloading functions that are typically done in software to hardware that is optimized for matching and filtering packets.
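Added example, not code from the original post, to illustrate the point above that first-match evaluation cost need not grow with policy size: a naive top-down scan is placed next to a policy indexed by (protocol, destination port) that returns the identical first-match decision while evaluating far fewer rules. The Rule and Packet types, the constructed 1,000-rule policy and the sample packets are assumptions for illustration, not any vendor's algorithm.

```python
# Added example (not from the original post): why first-match evaluation cost
# need not grow linearly with policy size. A naive firewall walks the ordered
# rule list top-down; an indexed policy pre-buckets rules by (protocol, port)
# so only candidate rules are evaluated, in their original order, giving the
# identical first-match decision. Rule set and packets below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def linear_first_match(rules, pkt):
    """Top-down scan; returns (action, number of rules evaluated)."""
    for n, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, n
    return "deny", len(rules)   # implicit deny at the end of the policy


class IndexedPolicy:
    """Same ordered first-match semantics, but rules are bucketed by (proto, dport)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.buckets = defaultdict(list)   # (proto, dport) -> [rule index, ...]
        for idx, rule in enumerate(self.rules):
            self.buckets[(rule.proto, rule.dport)].append(idx)

    def first_match(self, pkt):
        # Only these four buckets can hold a rule that matches this packet.
        keys = [(pkt.proto, pkt.dport), (pkt.proto, None),
                ("any", pkt.dport), ("any", None)]
        candidates = sorted(i for k in keys for i in self.buckets.get(k, ()))
        evaluated = 0
        for idx in candidates:   # ascending index preserves top-down order
            evaluated += 1
            if rule_matches(self.rules[idx], pkt):
                return self.rules[idx].action, evaluated
        return "deny", evaluated


def build_policy(n: int):
    """Constructed policy: n permit rules on distinct TCP ports, then deny any."""
    rules = [Rule("tcp", f"10.{i // 256}.{i % 256}.0/24", "192.168.1.0/24",
                  1000 + i, "permit") for i in range(n)]
    rules.append(Rule("any", "0.0.0.0/0", "0.0.0.0/0", None, "deny"))
    return rules


def compare(n: int, pkt: Packet):
    """Returns (action, rules evaluated by linear scan, rules evaluated by index)."""
    rules = build_policy(n)
    lin_action, lin_cost = linear_first_match(rules, pkt)
    idx_action, idx_cost = IndexedPolicy(rules).first_match(pkt)
    assert lin_action == idx_action   # same decision, very different cost
    return lin_action, lin_cost, idx_cost


if __name__ == "__main__":
    late = Packet("tcp", "10.3.231.7", "192.168.1.10", 1999)   # hits the 1000th rule
    miss = Packet("udp", "172.16.0.5", "192.168.1.10", 53)     # falls through to deny
    print(compare(1000, late))   # ('permit', 1000, 1)
    print(compare(1000, miss))   # ('deny', 1001, 1)
```

The indexed version is the kind of optimization the paragraph refers to: the decision is unchanged, but the work per packet is governed by the number of candidate rules rather than by the total policy size. Real products use more elaborate structures (decision trees, tuple-space search, or ASIC-based TCAM lookups), but the principle is the same.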
Another thing to consider is whether the firewall even has 10Gbps interfaces. Many vendors claim 10Gbps firewalling capacity but their products actually lack 10Gbps interfaces. If a firewall only has 1Gbps Ethernet interfaces, that is a clue that 10Gbps of performance will be difficult to achieve. Many vendors allow multiple interfaces to be joined together in an EtherChannel. However, there are limits to the number of interfaces that can be combined, and the load-balancing hash places all packets of a given flow on a single member link, so no individual flow can exceed 1Gbps through such a bundle.
Vendors typically state the “best case” performance specifications for their products. A vendor's throughput figure is typically measured using very large packet sizes: the tests are performed with the largest standard packet size of 1500 bytes or even with jumbo frames, which minimizes the number of packets per second the device has to process. The tests probably use the most basic ruleset (permit ip any any) and no logging at all. All other extraneous processes are turned off, and any additional deep packet inspection or UTM features are disabled.
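Added example (not from the original post) that carries the packet-size point through as a calculation: frames per second at 10Gbps line rate for minimum, IMIX-average and maximum frame sizes, and the throughput a device with a fixed packet-per-second capacity can actually deliver at each size. The framing constants are Ethernet facts; the 2 million pps capacity is an assumed illustrative figure, not any product's rating.

```python
# Added example (not from the original post): how frame size drives the
# packet rate a 10Gbps inspection device must sustain, and why a throughput
# figure measured with 1500-byte packets says little about small-packet
# performance. Framing constants are Ethernet facts; the pps capacity used
# below is an assumed illustrative figure, not a vendor specification.

# Bytes on the wire per frame beyond the frame itself: 7-byte preamble,
# 1-byte start-of-frame delimiter and the 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 8 + 12
MIN_FRAME = 64      # minimum Ethernet frame, including 18 bytes of header and FCS
MAX_FRAME = 1518    # 1500-byte IP MTU plus 18 bytes of header and FCS


def frames_per_second(line_rate_bps: float, frame_bytes: int) -> float:
    """Frames per second at full line rate for a given frame size."""
    return line_rate_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def deliverable_bps(pps_capacity: float, frame_bytes: int, line_rate_bps: float) -> float:
    """Wire-rate bits per second a device limited to pps_capacity can pass, capped at line rate."""
    return min(pps_capacity * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8, line_rate_bps)


def imix_average_frame() -> float:
    """Average frame size of the commonly cited 'simple IMIX': 7:4:1 mix of 64/576/1518-byte frames."""
    return (7 * 64 + 4 * 576 + 1 * 1518) / 12


def rating_table(pps_capacity: float, line_rate_bps: float = 10e9) -> dict:
    """Throughput the same device achieves at three representative frame sizes."""
    sizes = (MIN_FRAME, round(imix_average_frame()), MAX_FRAME)
    return {size: deliverable_bps(pps_capacity, size, line_rate_bps) for size in sizes}


if __name__ == "__main__":
    for size in (MIN_FRAME, round(imix_average_frame()), MAX_FRAME):
        print(f"{size:5d}-byte frames: {frames_per_second(10e9, size):,.0f} pps at 10Gbps")
    # Assumed device: 2 Mpps of inspection capacity. "10Gbps" with large
    # frames, but far less once the frames get small.
    for size, bps in rating_table(2_000_000).items():
        print(f"{size:5d}-byte frames: {bps / 1e9:.2f} Gbps deliverable")
```

The numbers make the vendor test methodology concrete: 10Gbps of 1518-byte frames is about 813,000 frames per second, while 10Gbps of 64-byte frames is about 14.9 million, so a device with a 2 Mpps inspection budget saturates a 10Gbps link with large frames but delivers only about 1.3Gbps of minimum-size frames. When you read a throughput rating, ask for the packet size and the packets-per-second figure behind it.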
Cisco has several security solutions that can scale to many Gbps and even 10Gbps. The Cisco Firewall Services Module (FWSM) is capable of 5Gbps of throughput. Multiple FWSMs can be combined in a single 6500 chassis to increase throughput, or an Application Control Engine (ACE) blade can be used for firewall load balancing. In a recent blog I talked about how the FWSM 4.0.4 now supports Cisco Virtual Switching System (VSS) 6500s, which could actually increase its performance well above 10Gbps. The Cisco Adaptive Security Appliance (ASA) 5580-40 is rated at 10Gbps. It is interesting that its specifications actually mention that 20Gbps throughput is possible when jumbo frames are used, which shows how much packet size drives the rating. The new Cisco Aggregation Services Routers (ASR) 1000-series routers are also capable of filtering as well as routing packets. Even though the ASR is typically thought of as a very high-speed WAN router, it can also perform firewalling functionality. The features enabled on the ASR govern its performance. An ASR 1004 or 1006 with an ASR1000-ESP10 (single or dual) scales to 10Gbps or higher, and with an ASR1000-ESP20 (single or dual) it scales to over 20Gbps.
There are also a host of other vendors who offer 10Gbps firewall options:
Check Point VSX-1 9070 and 9090
Check Point on Nokia IP2450
Check Point on Crossbeam X45 or X80
Juniper NetScreen 5200 and 5400
Stonesoft StoneGate FW-5100
Palo Alto Networks PA-4000
Fortinet 5000
Watchguard XTM-1050
If anyone knows of any other firewalls that are rated at 10Gbps please let me know. It would be nice if we had a comprehensive list of all 10Gbps firewall vendors here.
10Gbps Intrusion Prevention
Because Intrusion Prevention Systems (IPSs) need to decode every packet and its contents more fully to determine whether the packets are part of an attack, the IPS function is even more CPU intensive than firewalling. A stateful firewall only has to evaluate its policy on the first few packets of a connection; subsequent packets of that connection are permitted as long as they carry the same source/destination addresses and source/destination port numbers and their sequence and acknowledgement numbers fall within the expected window. An IPS does not have the luxury of allowing all packets through based on the first few packets of the connection setup; it must inspect the payload of every packet.
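Added example, not code from the original post, showing the contrast just described in working form: a stateful firewall that consults its policy only on the packet opening a connection and passes the rest of that flow on a table hit, next to an in-line IPS that has to scan the payload of every packet it sees. The permitted-port policy, the two toy signatures and the packet sequence are constructed for illustration (the sequence-number window check a real firewall also performs is left out to keep the contrast clear).

```python
# Added example (not from the original post): the stateful shortcut a firewall
# takes versus the per-packet work an in-line IPS cannot avoid. The firewall
# evaluates its policy only for the packet that opens a connection and then
# records the flow; later packets of that flow (in either direction) pass on a
# table hit. The IPS still has to run its signatures over the payload of every
# packet, so its cost grows per packet, not per connection. The policy,
# signatures and packets below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True only for the packet that opens a TCP connection
    payload: bytes = b""


PERMITTED_DPORTS = {80, 443}                 # constructed policy: inbound web traffic only
SIGNATURES = [b"/etc/passwd", b"<script>"]   # constructed toy IPS signatures


class StatefulFirewall:
    def __init__(self):
        self.flows = set()          # (src, sport, dst, dport) of permitted connections
        self.policy_lookups = 0     # how often the rule base was consulted

    def handle(self, p: Pkt) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reply in self.flows:
            return "permit"         # fast path: existing flow, no rule evaluation
        if not p.syn:
            return "deny"           # mid-stream packet with no matching state
        self.policy_lookups += 1    # slow path: only for connection setup
        if p.dport in PERMITTED_DPORTS:
            self.flows.add(key)
            return "permit"
        return "deny"


class InlineIPS:
    def __init__(self):
        self.packets_inspected = 0

    def handle(self, p: Pkt) -> str:
        self.packets_inspected += 1  # no shortcut: every packet's payload is scanned
        if any(sig in p.payload for sig in SIGNATURES):
            return "drop"
        return "pass"


def run(packets):
    """Firewall first, then IPS on whatever the firewall permitted.
    Returns (verdict per packet, firewall policy lookups, IPS packets inspected)."""
    fw, ips = StatefulFirewall(), InlineIPS()
    verdicts = []
    for p in packets:
        verdict = fw.handle(p)
        if verdict == "permit":
            verdict = ips.handle(p)
        verdicts.append(verdict)
    return verdicts, fw.policy_lookups, ips.packets_inspected


# Constructed traffic: one permitted web session carrying a malicious request,
# a denied SSH attempt, and a stray mid-stream SMTP packet with no state.
CLIENT, SERVER = "203.0.113.5", "192.0.2.10"
SAMPLE_PACKETS = [
    Pkt(CLIENT, 40000, SERVER, 80, syn=True),
    Pkt(CLIENT, 40000, SERVER, 80, payload=b"GET /index.html HTTP/1.1"),
    Pkt(SERVER, 80, CLIENT, 40000, payload=b"HTTP/1.1 200 OK"),
    Pkt(CLIENT, 40000, SERVER, 80, payload=b"GET /../../etc/passwd HTTP/1.1"),
    Pkt(CLIENT, 40001, SERVER, 22, syn=True),
    Pkt(CLIENT, 40002, SERVER, 25, payload=b"EHLO attacker"),
]

if __name__ == "__main__":
    print(run(SAMPLE_PACKETS))
    # (['pass', 'pass', 'pass', 'drop', 'deny', 'deny'], 2, 4)
```

Six packets produce two policy lookups on the firewall but four full inspections on the IPS, and the fourth packet shows why the IPS cannot take the firewall's shortcut: it belongs to an already-permitted flow, and only payload inspection catches it.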
If an in-line IPS cannot handle the traffic volume it does not fail open; it drops packets. At times even 1Gbps of traffic will cause a high-speed IPS to drop packets. Because IPSs are deployed in-line with the traffic path in order to block malicious packets, they must inspect every packet, and making them fail open is not an option.
Similar to firewalls, the more logging an IPS does, the worse its performance will be. Reports generated on the IPS itself add further overhead.
False positives start to increase as traffic volume and CPU utilization increase. If you have many false positives with 1Gbps of traffic, you will have an overwhelming number at 10Gbps. To get more performance out of your IPS you must tune the signatures in use and tune the IPS to reduce the number of false positives.
The top-of-the-line Cisco 4270 sensor claims a throughput of 4Gbps. Even though the 4270 sensor does not have 10Gbps interfaces, multiple 1Gbps Ethernet interfaces can be combined into an EtherChannel.
Other manufacturers are now claiming 10Gbps IPS capabilities, and NSS Labs has been conducting its 10Gbps IPS Group Test.
Again, if you are aware of any other 10Gbps IPSs I would be interested in knowing if I left them off my list.
When you are considering upgrading your core network infrastructure to 10Gbps, you do not necessarily have to upgrade your security systems to be capable of inspecting flows at 10Gbps. However, you should be aware of the factors that govern firewall and IPS performance at these extreme speeds. View vendors' claims with some skepticism and then determine your true requirements for performance and security so you strike the right balance for your organization.
Therefore it would be great to take a poll and see when you think your organization may need to seriously consider 10Gbps firewalls and IPS systems. Please take a moment to answer this single question and then we can all observe the results.