Enterprise firewall protection: Where it stands, where it's headed
F5 Networks is entering a crowded firewall market with a basic Layer 4 firewall that integrates with the rest of its network security and application delivery technology. The company is also refreshing its existing product line with faster hardware and virtual appliances.
Dubbed the Application Delivery Firewall (ADF), the F5 firewall serves as the foundation for a larger network security appliance that integrates with F5's Web application firewall, denial-of-service (DoS) protection tool, Secure Sockets Layer (SSL) termination application and other services. Like all F5 products, ADF will run on the company's BIG-IP hardware platform.
The F5 firewall is the first product to combine a Layer 4 firewall with traffic management, Web application firewall technology, user access management and DNS security in a single platform, according to Brian Lazear, senior director of product management at Seattle-based F5.
F5 is targeting a different use case than the popular next-generation firewalls from Palo Alto Networks, Check Point Software Technologies and others, Lazear said. Those firewalls focus on protecting outbound traffic by policing the external applications and services that users access from within the enterprise. F5's heritage is in managing inbound traffic. Its firewall will specialize in protecting against inbound threats.
F5's distinction between inbound and outbound firewall protection is a legitimate one, said Greg Young, research vice president for Stamford, Conn.-based Gartner Inc. Next-generation firewalls have enjoyed hype because they can identify applications and link them to internal users. This helps enterprises control usage of frivolous or potentially dangerous applications and services, like peer-to-peer file sharing and Facebook gaming. Ideally, however, a firewall should be optimized to handle both inbound and outbound traffic, he said.
On the inbound firewall side, SSL-encrypted traffic becomes an issue for enterprises, particularly those that deploy firewalls in front of high-volume Web servers.
"That's where SSL is terminating," Young said. Firewalls can't see into SSL traffic, so many enterprises want to terminate SSL on their firewalls, a process that slows down many platforms.
"If you're going to do [SSL termination] elsewhere, you have to deal with SSL going through the firewall with no visibility," he said. The F5 firewall integrates with the company's SSL termination capabilities, allowing customers to run both processes on a single box at scale.
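The two points raised above, that a Layer 4 firewall classifies traffic only by addresses, protocol and ports, and that TLS traffic stays opaque to anything in the path until it is terminated, can be made concrete with a small model. The following is an added example, not code from F5 or from any product mentioned in the article. It is a toy first-match Layer 4 policy evaluator run over constructed flow records; the address ranges, rule set, and payload fragments are all assumptions made up for the illustration.

```python
# Added example (not part of the article, not F5 code): a toy Layer 4 policy
# engine over constructed flow records. It shows that two applications sharing
# port 443 receive the same L4 verdict, and that a TLS payload is opaque to a
# device in the path until SSL/TLS has been terminated in front of it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the enterprise's address space


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # the first bytes a device in the path would see on the wire


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "inbound" or "outbound"
    src: str        # CIDR
    dst: str        # CIDR
    proto: str
    dports: range
    action: str     # "allow" or "deny"


def direction_of(flow: Flow) -> str:
    """Classify a flow relative to the internal address space."""
    src_in = ip_address(flow.src) in INTERNAL
    dst_in = ip_address(flow.dst) in INTERNAL
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal" if src_in else "transit"


def evaluate(flow: Flow, rules: List[Rule], default: str = "deny") -> Tuple[str, str]:
    """First-match Layer 4 evaluation: direction and 5-tuple fields, nothing else."""
    direction = direction_of(flow)
    for rule in rules:
        if rule.direction != direction or rule.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ip_network(rule.src):
            continue
        if ip_address(flow.dst) not in ip_network(rule.dst):
            continue
        if flow.dport not in rule.dports:
            continue
        return rule.name, rule.action
    return "default", default


def payload_class(payload: bytes) -> str:
    """What a device in the path can tell from the first bytes of a stream.

    A TLS record begins with a content type (0x16 handshake, 0x17 application
    data) followed by a 0x03 major version byte; a plaintext HTTP request begins
    with a method token. Anything else is reported as unknown.
    """
    if len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return "tls-opaque"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE"):
        return "http"
    return "unknown"


RULES = [
    # Inbound: only the DMZ web tier is reachable, and only on 443 (constructed).
    Rule("web-in", "inbound", "0.0.0.0/0", "10.1.1.0/24", "tcp", range(443, 444), "allow"),
    # Outbound: users may reach any HTTPS service; L4 cannot tell which one.
    Rule("https-out", "outbound", "10.0.0.0/8", "0.0.0.0/0", "tcp", range(443, 444), "allow"),
]

# Constructed payloads: a TLS application-data record header plus ciphertext
# fragment, and the same request as it looks after termination (plaintext HTTP).
TLS_APP_DATA = bytes.fromhex("170303002a") + b"\x8f\x11\xa0\x3c\x5d"
DECRYPTED_REQUEST = b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FLOWS: Dict[str, Flow] = {
    "inbound_web": Flow("203.0.113.7", "10.1.1.20", "tcp", 443, TLS_APP_DATA),
    "inbound_ssh": Flow("203.0.113.7", "10.1.1.20", "tcp", 22, b"SSH-2.0-example"),
    "user_to_crm": Flow("10.20.0.5", "198.51.100.10", "tcp", 443, TLS_APP_DATA),
    "user_to_game": Flow("10.20.0.5", "198.51.100.99", "tcp", 443, TLS_APP_DATA),
}


def report(flows: Dict[str, Flow] = FLOWS) -> Dict[str, Tuple[str, str, str, str]]:
    """Per flow: direction, matched rule, action, and what the payload reveals."""
    return {
        name: (direction_of(f), *evaluate(f, RULES), payload_class(f.payload))
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:13} direction={row[0]:8} rule={row[1]:10} action={row[2]:5} payload={row[3]}")
    # Only after termination does the same request become inspectable.
    print("after termination:", payload_class(DECRYPTED_REQUEST))
```

Running it shows the two outbound flows to port 443 receiving identical verdicts from the same rule, which is exactly the gap application identification in next-generation firewalls closes, and every TLS flow reporting `tls-opaque` until the decrypted request is presented, which is why the article's sources want SSL termination and the firewall on the same platform rather than on either side of each other.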
F5 firewall offers carrier-grade performance on new BIG-IP platforms
Thanks to a BIG-IP hardware refresh, the F5 firewall will offer carrier-grade performance. F5 announced a refresh of its general platforms, including its BIG-IP fixed-configuration boxes, Viprion chassis and BIG-IP VE virtual appliance, which increases the scale and performance of F5's application delivery controllers (ADCs) and other products.
The eight-slot Viprion 4800 chassis, which supplants the Viprion 4080 series as F5's top-end platform, can support up to 20 million Layer 7 requests per second, and 160 Gbps of SSL throughput. If deployed on the Viprion 4800, F5's new firewall will have up to 640 Gbps of Layer 4 throughput, support 288 million concurrent sessions, and enable 8 million connections per second.
Other platform updates include new BIG-IP 2000 series boxes with entry-level prices for 10 Gigabit Ethernet interfaces. F5 has also tripled the throughput of its virtual appliance, BIG-IP VE, to 3 Gbps. The virtual ADC now runs on Amazon Web Services, VMware vCloud, Microsoft Hyper-V, Citrix XenServer and KVM.
Integrating application delivery controllers and firewalls
Many enterprises prefer to have a single firewall vendor across their entire infrastructure, so F5 will struggle to sell ADF to those companies, said Gartner's Young. Few of these customers will want to replace their branch firewalls with a data center-class BIG-IP appliance.
Instead, the F5 firewall will appeal to companies that run their data centers almost like a second and distinct business from the rest of the infrastructure, he said. F5 should, however, add an intrusion prevention system (IPS) to its security suite, since enterprises also struggle with IPS visibility into SSL traffic, he added.
Combining the application delivery controller with a firewall will also cause some auditing and control problems for some enterprises. "It can be difficult from an audit and control perspective if a firewall box is touching too many things," Young said. "If you converge too much, it becomes a trust issue."
Additionally, most enterprises have very distinct groups managing their application delivery controllers and firewalls, he said. Asking those two groups to work with a common platform may pose an organizational challenge.
The ADF will work "for specific use cases where companies already have F5 BIG-IP in place, and where ADC operators are also operating the firewalls," Young said. "And from an industry perspective, F5 talking about security [is] good overall. When your infrastructure provider is concerned about security, that's a good thing and more significant than any dent they make into the firewall market."
Let us know what you think about the story; email: Shamus McGillicuddy, news director.