Enterprise Next-Generation Firewalls: Why Performance Is Critical for Threat Protection

Introduction
Many IT professionals assume that the feature set is all that matters in a next-generation firewall (NGFW) and that performance is a secondary concern. In practice the two are inseparable: a security service that cannot keep up with the traffic is a service that ends up disabled, and in a world of large-scale data breaches that is not an option. This article looks at three areas where performance is critical for enterprise NGFWs:

  • Traditional firewall functionality, such as network attack detection and network address translation
  • Advanced security services, such as intrusion prevention, antivirus and security analytics
  • Threat intelligence, including the rapid deployment of threat data feeds for policy enforcement

We also look at a second question: can a single device deliver both traditional network security and advanced security services in mission-critical enterprise environments, without one degrading the other?

Packet Processing: Volumes Increase
Enterprise NGFWs need to provide all of the network security features of traditional firewalls. That includes stateful packet inspection, protection against denial-of-service (DoS) attacks, support for IPsec virtual private networks (VPNs), and destination and source network address translation (NAT).

Throughput for these features has to keep pace with ever-higher traffic volumes, driven by cloud computing and audio and video streaming. NGFWs also need headroom for network-level threats such as volumetric DoS attacks, which add load precisely when the device is already under stress.

Advanced Security: Too Important to Turn Off
One of the key advantages of an NGFW is the ability to combine on one device traditional firewall features and advanced security services such as:

  • Intrusion prevention
  • Antivirus and antispam
  • Web and content filtering (protecting Web users from suspicious websites and malicious content on the Web)
  • Application firewall and application usage tracking

By consolidating these capabilities on a single device, an enterprise can reduce capital costs, simplify management, and decrease the chance of security breaches caused by configuration errors.

However, these security services are resource-intensive. In a high-volume environment, an NGFW may need to inspect and analyze millions of packets per second in real time. Moreover, some advanced NGFWs analyze application usage and network traffic to find patterns of activity that indicate probes and attacks by malicious actors. Processing requirements for these threat analytics grow quickly with the size of the data set being analyzed.

If the NGFW doesn't have the performance to provide its advanced security services at "wire speed," enterprises are faced with the choice of either slowing down applications or disabling security services and increasing the risk of a breach.

The Race to Disseminate and Deploy Threat Intelligence
NGFWs consume several kinds of threat intelligence, including:

  • Malware and spyware signatures
  • Domains and IP addresses associated with spammers, botnets and infected websites
  • URL threat scores for Web filtering
  • Indicators of protocol and network anomalies for intrusion prevention

Security teams are often in a race to disseminate and deploy threat intelligence before attackers can take advantage of newly discovered vulnerabilities and attack techniques. Many cybercriminals and state-sponsored groups also move their command-and-control servers to new domains and addresses continuously, so domain and IP indicators must be refreshed at least daily to remain useful for detection.

As a result, NGFWs need to be designed for a different kind of performance: the ability to pull and ingest thousands of threat feed items in seconds and associate them immediately with enforcement policies, without the delay of a full policy change and commit.
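The feed-to-policy binding described above, as an added example that is not code from the ESG report or from Juniper: a small Python model in which a policy references a threat feed by name and a feed update replaces the whole indexed snapshot in one step, so newly published indicators are enforced immediately while the committed policy set stays untouched. The record format ("type,value,score"), the feed and policy names and the sample indicators are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample feeds (not real indicators). The "type,value,score"
# record format with a 0-100 score is an assumption of this example.
FEED_V1 = """\
# type,value,score
ip,198.51.100.7,90
cidr,203.0.113.0/24,70
domain,c2.example,95
domain,tracker.example,40
this malformed record must be dropped without discarding the feed
"""
FEED_V2 = """\
ip,198.51.100.7,90
domain,new-c2.example,95
"""

@dataclass(frozen=True)
class FeedSnapshot:
    """Immutable, indexed view of one feed version; replaced whole on update."""
    nets: tuple    # ((ip_network, score), ...); single IPs are /32 or /128
    domains: dict  # "c2.example" -> score

    def score_ip(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        # Longest matching prefix wins; a real NGFW would use a radix tree.
        hits = [(n.prefixlen, s) for n, s in self.nets if ip in n]
        return max(hits)[1] if hits else None

    def score_domain(self, host):
        # Walk up the labels so a listed apex also covers its subdomains.
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.domains:
                return self.domains[".".join(labels[i:])]
        return None

def parse_feed(text):
    """Index a feed text; returns (snapshot, number of rejected records)."""
    nets, domains, rejected = [], {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kind, value, score = (p.strip() for p in line.split(","))
            score = int(score)
            if not 0 <= score <= 100:
                raise ValueError("score out of range")
            if kind in ("ip", "cidr"):
                nets.append((ipaddress.ip_network(value), score))
            elif kind == "domain":
                domains[value.lower().rstrip(".")] = score
            else:
                raise ValueError("unknown indicator type")
        except ValueError:
            rejected += 1  # skip the bad record, keep the rest of the feed
    return FeedSnapshot(tuple(nets), domains), rejected

@dataclass(frozen=True)
class Policy:
    name: str
    feed: str       # bound to a feed by name, so the feed's contents may change freely
    min_score: int
    action: str

class Enforcer:
    def __init__(self, policies):
        self.policies = list(policies)  # the committed configuration
        self.feeds = {}                 # feed name -> current FeedSnapshot

    def update_feed(self, name, text):
        # One reference swap: a lookup sees the old or the new snapshot, never a
        # mix, and the policy set is untouched, so nothing needs to be committed.
        snap, rejected = parse_feed(text)
        self.feeds[name] = snap
        return rejected

    def evaluate(self, dst_ip, host=None):
        """Return (action, policy_name) for a flow; first matching policy wins."""
        for pol in self.policies:
            snap = self.feeds.get(pol.feed)
            if snap is None:
                continue  # feed not loaded yet, so this policy cannot match
            scores = [snap.score_ip(dst_ip)] + ([snap.score_domain(host)] if host else [])
            scores = [s for s in scores if s is not None]
            if scores and max(scores) >= pol.min_score:
                return pol.action, pol.name
        return "permit", None

def demo():
    """Load V1, record decisions, swap to V2, and decide the same flows again."""
    fw = Enforcer([Policy("block-high-risk", "secintel", 60, "deny")])
    bad1 = fw.update_feed("secintel", FEED_V1)
    before = {"net": fw.evaluate("203.0.113.9"),
              "sub": fw.evaluate("192.0.2.10", "www.c2.example"),
              "low": fw.evaluate("192.0.2.10", "tracker.example")}
    bad2 = fw.update_feed("secintel", FEED_V2)
    after = {"net": fw.evaluate("203.0.113.9"),
             "new": fw.evaluate("192.0.2.10", "new-c2.example")}
    return {"bad1": bad1, "before": before, "bad2": bad2, "after": after}
```

Two design points carry over to real devices. First, the policy names the feed rather than its contents, so a feed refresh never touches the policy table; the second load drops the 203.0.113.0/24 block and adds new-c2.example, and both changes are enforced on the next lookup with no commit. Second, a malformed record is rejected on its own rather than failing the whole update, since a feed that silently stops loading leaves the firewall enforcing stale indicators. The linear prefix scan and the per-label domain walk are the parts a production NGFW replaces with a radix tree and a hash of suffixes to keep lookups constant-time at a million entries.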

Can an Enterprise Firewall With Advanced Security Services Really Fly?
Is it actually possible for an NGFW to provide outstanding performance in a high-volume enterprise environment?

For a recent lab report, the Enterprise Strategy Group (ESG) ran two test scenarios on a high-availability cluster of two Juniper SRX5400 devices:1

  • A financial services scenario with a complex mix of applications, from latency sensitive trading applications to encrypted Web applications.
  • A public sector or research institution scenario required to support a smaller number of sessions with frequent, very large, high-bandwidth downloads and data transfers (a "big data flows" use case).

For the financial services scenario, the cluster handled 900,000 concurrent sessions with an aggregate throughput of 19.54 Gbps, forwarding 28.4 million packets per second with an average latency of 8.1 microseconds. Taken together, those two figures imply an average packet size of roughly 86 bytes (19.54 Gbps divided by 28.4 Mpps), a small-packet mix that is the demanding case for per-packet processing. For the big data flows use case, the cluster delivered line-rate throughput of 197.4 Gbps with an average latency of 7.3 microseconds. Both tests were run with 2,502 security policies configured and network address translation enabled, which matters because policy lookup and NAT each add per-session work.

In addition, the testers at ESG stated that "the high end SRX series supports up to one million threat feeds that can be integrated into SRX policies within seconds, without the need to commit firewall policy changes, delivering real-time enforcement at the data center edge."

In short, ESG's lab tests demonstrated that Juniper SRX series security platforms can meet the performance requirements of high-volume enterprise environments in all three areas we have been discussing: traditional firewall packet processing, advanced security services, and the rapid dissemination and deployment of threat intelligence.

For more information, please see:
ESG Lab Report: Performance and Scalability with the Juniper SRX5400
Juniper SRX Series Services Gateways on the Web
Juniper SRX5400, SRX5600, and SRX5800 Services Gateways data sheet

1 "Performance and Scalability With the Juniper SRX5400," Enterprise Strategy Group, March 2015.