WHITEPAPER
Scaling Network Security www.corsa.com
Is Your Network Security Keeping Up?A Turnkey Approach to Scaling Inspection for High Capacity Networks
Is Your Network Security Keeping Up? Corsa Security 2
Introduction
From the SSL inspection gap to growing bandwidth needs and the move to the cloud, there are
many current challenges with hardware-based network security appliances and their deployments.
These challenges are not limited to next generation firewalls (NGFWs) as similar challenges apply
to other network security functions like intrusion prevention systems (IPS), Web Content Filters
(Proxies), and any other network appliance that is deployed into the network for the purposes
of inspecting the traffic in-line.
It’s time to look at how we decouple the network from network security to build a dynamic security
perimeter. In this paper, we’ll focus on north-south traffic enforcement for this ‘network perimeter’
but most of the discussion also applies to the many perimeters within the network, like at the edge
of the data centre, or in front of critical assets, or at security zone interconnect points.
While some believe the “perimeter is dead”, most, if not all, organizations will have one for the
foreseeable future, so you need a solution that allows you to scale it to your ever growing traffic
volumes. Read on to find out how horizontal, rather than vertical, scaling with a network security
virtualization platform is the answer.
Contents
Introduction 2
The Network Security Dilemma 4
A Network Security Transformation: Horizontally Scale and Virtualize 6
Make it Turnkey: The Network Security Virtualization Platform 7
Simplified Network Deployment 11
Beyond Scale: Flexibility and the Power of the Cloud 12
The Corsa Solution 13
About Corsa 14
The Network Security Dilemma
The bottom line is that while networks have changed, network security has not. As a result, we are faced with
a pressing question or two: how do you scale your network security for today’s traffic volumes and encryption
without impacting network performance? And maybe in an economical way, too?
It’s clearly time to acknowledge that finding the answer to these questions with the same old solutions is not going
to work. But, to begin to find a solution, you have to clearly identify the problems.
Challenge 1: Performance
Networks are built to move packets as fast as possible. Networking devices, routers and switches, only deal
with packet headers at Layer 2 and Layer 3, sometimes at Layer 4. That is why they can do everything at wire
speed. However, when it comes to network security appliances, filtering at Layer 3 and Layer 4 isn’t sufficient.
Security appliances absolutely must inspect the payload of the packet to determine if the traffic should be
permitted or blocked, and that presents a huge performance challenge.
The number of different things that a modern next generation firewall is doing is quite amazing. It does
everything from VPN tunnel termination to in-line antivirus and malware detection, to URL and content filtering
to intrusion and threat prevention, and on and on. These are extremely complex functions, and require a huge
amount of processing power within the appliance.
However, we have seen that this complexity results in very unpredictable appliance performance.
Time and time again, some strange (and unanticipated) traffic negatively affects one of those inspection
functions, which can bring the whole appliance to its knees. So network security teams spend countless
hours tuning their appliances to balance the amount of inspection the appliance is doing against the network
performance it is able to achieve. And despite their best efforts, they are always at risk of something
unpredictable happening, like a new traffic pattern or a dynamic signature update, that severely degrades
the security device’s performance.
Challenge 2: Static, Hardwired Architecture
The other major challenge is that the perimeters we are talking about are hardwired into the rest of the
network. If a security device is bolted in-line, it must be able to process all the traffic that the router gives it. If
it’s not able to do it, there usually isn’t anywhere to go. So the performance of the network is usually limited to
the performance of the in-line security appliance.
In addition, as traffic levels rise, the network teams must upgrade their firewalls just to keep up with the volume
of traffic. This is now happening at such a rate that enterprises are struggling with this scale up (or vertical
scaling) approach.
Challenge 3: Encrypted Traffic
The network and security teams have been coping with the two challenges outlined above for many years,
and have probably gotten quite good at both tuning their firewall performance and upgrading to a bigger
appliance every few years. But there’s a new “killer app” in town that makes the first two challenges
so much worse that a new approach is needed. That “killer app” is encrypted traffic.
With 70+% of all traffic in the network now being encrypted and quickly moving towards 100%, security
appliances are simply blind to what is inside those encrypted connections. Some appliances have the capability
of decrypting that traffic in order to inspect it, but that functionality is associated with a huge hit in overall
throughput and inspection performance. For large volumes of traffic, no amount of tuning helps the
appliance cope, and sizing up to an appliance able to inspect all the encrypted traffic
is usually cost prohibitive because of that performance impact. So, many network teams just leave the encrypted
traffic uninspected, hoping for the best.
But leaving encrypted traffic uninspected isn’t a viable option anymore, if it ever was. More and more malware
is encrypted and data exfiltration tools are using encrypted tunnels. Even if we aren’t talking about outright
badness in your network, decrypting your traffic may be vital to your normal policy enforcement. Network
security appliances are increasingly relying on application identification for their policies. Security vendors are
actively promoting converting firewall policies from simple port-based rules to more sophisticated application
identification and content based rules. There is definitely increased value in doing that, but most of those aren’t
possible without decrypting the traffic first.
So faced with these challenges, what is one to do?
A Network Security Transformation: Horizontally Scale and Virtualize
Let’s learn from the past and look at the history of ‘How Things have been Scaled’. Back in the beginning,
most web applications were scaled up. If you needed a bigger database, you bought a bigger server. But as
applications got really big, the scale out (horizontal scaling) approach was adopted out of necessity; it would
be impossible to build a web scale application, like Facebook or Twitter for example, on a single server.
In fact, when it comes to scaling applications, large or small, people don’t even think about the scale up
approach anymore. Scaling out so the application is load balanced between as many workers as needed is the
norm. The innovation lies in efficiently distributing the load between multiple systems rather than in trying to
build an ever bigger, single system. This applies to absolutely everything, from front end to middleware and
messaging buses, to back end systems and databases. An added benefit to this is that no one system can ever
be a bottleneck or a cause of failure. You get built-in high availability.
There are a few things that made this approach possible for web applications and are now ripe for the picking
for network security to leverage. To begin, there has been a lot of innovation in load balancing technologies that
allow distributing the load between multiple systems. Multiple layers of load balancing are usually deployed.
Users are first spread between multiple data centers, which is usually done based on geography using DNS.
Then various server and application load balancing methods are used to spread the workload between as many
workers as needed within the data center.
Secondly, we have now fully realized the commoditization of general purpose servers. Over the last decade
server technology has become very cost effective and it is very economical to buy more general purpose
x86 CPUs for your applications as needed. The days of buying special dedicated hardware for your backend
systems are gone.
The last, and one of the most important, developments is the improvement in virtualization and cloud
technologies. These allow you to use your server resources a lot more efficiently, since multiple applications are
able to run on the same physical infrastructure. And, with automation and orchestration tools both on-premise
and in the cloud, scale out architectures are now the only way of building any application out there.
So why are we still scaling network security up (vertically) instead of out (horizontally) when all the building
blocks are available?
Make it Turnkey: The Network Security Virtualization Platform
All the building blocks are indeed available. But the integration of the blocks one with the other, and then into
the network security ecosystem, and then into the network, is necessary for the transformation to begin. When
this is done right, users don’t have to worry about hardware and servers and capacity and specifying how much
of one security appliance over another is needed and what the impact on the network will be. Instead, it should
be just like when we spin up cloud storage where, at the click of a mouse, virtual machines are spun up and
down to process our request. It’s completely seamless and we don’t even think about it.
For network security, we can do the same for large networks. In its best form, the network owner’s perimeter
inspection need is completely abstracted away from anything to do with infrastructure and becomes a single
click to select how much inspection capacity is required and when.
So let’s examine what is needed to create a fully turnkey network security virtualization
platform that scales up virtualized firewall instances on-demand to maintain 100% traffic inspection under
all conditions (Figure 1).
Figure 1: The 4 components of a turnkey network security virtualization platform
1 The Load Balancer
2 Servers with Virtualization
3 Virtual Network Security Functions
4 Virtual Infrastructure Manager
Component 1: The Load Balancer
You would start with the right load balancing technology to split the traffic between security functions. This
would be quite different from the server load balancing (or application delivery control as some vendors prefer
to call it). Server load balancing deals with client-server communication where you are trying to distribute client
connections between multiple servers. The easiest way is to pretend to be the target server that the client is
trying to talk to, accept the connection, and then direct it to the actual “worker” doing the work.
The challenge here is that this doesn’t quite work for network security. Network security devices are never
the end point of communication. They are transit devices that are placed in-line that only inspect the traffic,
and then either forward it along or drop it based on policy or other inspection results. Traffic is rarely
destined for the firewall itself.
In all fairness there have been “firewall sandwich” topologies that allowed you to use server load balancers
to distribute the load between firewalls. Those are usually hugely complex deployments involving special IP
addressing and NAT, which makes them hard to scale beyond a handful of devices. This makes them unusable
to scale network security where dozens or even hundreds of workers are processing the traffic.
So what is needed is a specific kind of load balancer that is able to spread the traffic between in-line devices
without having to terminate it.
• The ideal load balancer would have to operate at network speeds to process the traffic so that it doesn’t
become another bottleneck in the architecture. So, packet performance wise, it would have to be similar
to a switch or a router. It absolutely must support network speeds all the way to 100G to really be viable
for high speed networks.
• It would have to understand network flows in order to make sure that both directions of the same flow are
directed to the same appliance for processing. This is critical to network security since security devices track
connections, and if they don’t see both sides, the connection is dropped.
• The load balancer would have to support splitting the traffic between virtual appliances, since that’s what we
expect the workers to be given we are scaling out. More on the workers in the next section.
• With virtual appliances in mind, it would have to be able to monitor the health of the workers and
automatically remove the ones that aren’t working from the traffic distribution pool. So having awareness
of each worker as it relates to each physical port is extremely important.
• Finally, since we are load balancing connection tracking devices, the load balancer itself must track connection
state in order to minimize moving connections between workers. The load balancer must allow existing
connections to complete on the worker they are already assigned to, and must not move any in-flight connections
to newly added workers. Without that capability, every time workers are added or removed the network
connections would have to be reestablished; this is inefficient and would disrupt the user.
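The following Python model, added here as an illustration and not code from Corsa or any product, shows the last four requirements working together: a direction-independent flow key so both sides of a connection land on the same worker, a flow table that pins in-flight connections when a worker is added, and removal of only the failed worker’s flows when a health check fails. Worker names, addresses and the health-check trigger are constructed for the example.

```python
"""Model of an in-line, flow-aware load balancer with connection tracking.

Added illustration, not Corsa code: worker names, addresses and packets are
all constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The fields of the 5-tuple the balancer keys on."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent flow key: the endpoints are sorted so that
    client->server and server->client packets map to the same worker."""
    endpoints = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, endpoints[0], endpoints[1])


class InlineLoadBalancer:
    def __init__(self, workers):
        self.healthy = list(workers)  # workers currently in the distribution pool
        self.flow_table = {}          # flow_key -> worker pinned for that flow

    def _pick_worker(self, key) -> str:
        """Hash a brand-new flow onto the current healthy pool."""
        digest = hashlib.sha256(repr(key).encode()).digest()
        return self.healthy[int.from_bytes(digest[:8], "big") % len(self.healthy)]

    def assign(self, pkt: Packet) -> str:
        """Return the worker for this packet. Known flows stay pinned to the
        worker that already holds their connection state; only new flows are
        hashed, so adding a worker never moves an in-flight connection."""
        if not self.healthy:
            raise RuntimeError("no healthy workers in the pool")
        key = flow_key(pkt)
        worker = self.flow_table.get(key)
        if worker is None:
            worker = self._pick_worker(key)
            self.flow_table[key] = worker
        return worker

    def add_worker(self, name: str) -> None:
        """Scale out: the new worker only receives flows that start after it joins."""
        self.healthy.append(name)

    def mark_unhealthy(self, name: str) -> int:
        """Health check failed: pull the worker from the pool and forget its
        flows. Those connections must re-establish anyway, because the state
        the failed worker tracked for them is gone. Returns the flows dropped."""
        self.healthy.remove(name)
        dead = [k for k, w in self.flow_table.items() if w == name]
        for k in dead:
            del self.flow_table[k]
        return len(dead)

    def flow_complete(self, pkt: Packet) -> None:
        """Connection closed on the worker: release the pin."""
        self.flow_table.pop(flow_key(pkt), None)
```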
Component 2: Servers with Virtualization
As we discussed earlier, one of the crucial requirements when it comes to scale out architectures is that they
must run on general purpose x86 servers to be cost effective. Moving away from single purpose, dedicated
hardware is a key aspect that allows you to build network security infrastructure able to process all the
necessary encrypted traffic in a cost effective way.
However, it is well known that general purpose x86 servers are notoriously bad at network packet processing.
But as we discussed earlier, the main purpose of network security appliances isn’t to just move packets, but
rather to perform complex CPU intensive functions like SSL/TLS decryption, application and content inspection,
and threat prevention. Those are absolutely best suited for general purpose CPUs, especially as they are
increasingly becoming more and more complex.
It is also important to optimize the networking performance as much as possible through the server hardware
so as to not lose any networking performance due to packets being moved by software. Using the software
switches that are typically part of every hypervisor isn’t a good option, so this is where SR-IOV (Single Root I/O
Virtualization) technology comes in. It allows the system to dedicate network interface card resources directly to the virtual machine
that is performing the work. The result is that network packets go directly from the physical interface to the
network interface of the virtual machine, bypassing all processing in the hypervisor. This offers the absolute
best networking performance possible when it comes to moving packets through the server. Now all the server
resources are concentrated on doing the inspection work, rather than wasted on just moving packets.
Additionally, the networking performance within the virtual machine can be further improved by technologies
like DPDK and other packet acceleration techniques. This would be specific to each virtual machine itself.
The important point is that the SR-IOV setup described above ensures that the hypervisor doesn’t interfere with
any packet handling by the VM. Therefore this setup enables the highest possible networking performance
for all virtual appliances.
Component 3: Virtual Network Security Functions
The next component of this architecture is the workers themselves. As we discussed earlier, the most cost
effective way to do the work is on generic x86 servers but since network security appliances are still mostly
proprietary products, running the software directly on regular servers isn’t an option.
However over the last few years, as virtualization technology matured, practically every security vendor has
made their product available as a virtual function that is able to run in a private cloud. So these virtual versions
of the network security appliances would be the workers that you scale out.
The added benefit of this approach is that it doesn’t change your security posture in any way. You maintain
the same level of compliance and network security by using the virtual appliances from your favorite vendor.
All the management tools and expertise that have been developed don’t change at all. The only thing that is
changing is the form factor. You are moving from a single (or typically a pair of) physical appliances to as many
virtual functions as you require to decrypt and process all the required traffic.
Finally, a most powerful aspect of using a virtual appliance is the ease of adopting an upgraded version of the
product. Simply spin up a new SW license and you have migrated to the latest and greatest firewall.
Component 4: Virtual Infrastructure Manager
Last but not least in our turnkey platform is the orchestration software that puts it all together. It is really
important that all the infrastructure works in a single cohesive package without the user needing to deal with
the complexities of the network, server and virtual machine plumbing underneath.
Public cloud offerings set the standard for how easy it should be to provision virtual resources. There’s no
reason why private cloud network security virtualization should be any different.
A virtual infrastructure manager pulls together all parts of this turnkey platform. From simply spinning up and
down the virtual appliance instances to tying them into the security policy manager, and from configuring the
required load balancing and network connectivity to providing a single pane of glass view of what is happening
inside, the virtual infrastructure manager does it all. With a single click of a button, you can add more resources
as your traffic inspection needs grow without having to worry how to plumb it all together. It pushes all the
necessary configuration into the appliances that tie them directly into the policy manager. All you have to do
is provide the appropriate licenses for the virtual functions.
Simplified Network Deployment
But how is this platform deployed in the network? From the network perspective, this solution is deployed as
a virtual wire. The load balancer works in a virtual wire mode, as do the virtual security functions. The SR-IOV
technology on the hypervisor also makes it simple to build, extend and tear down virtual wires.
The main reason why this solution must work as a virtual wire is that it is the only way to allow both scaling out
and scaling back in. In a virtual wire mode when the work is distributed, it doesn’t matter if you have 20 virtual
wires or 50 virtual wires. From the switching and routing perspective everything still looks the same. Addresses
don’t change. Neither do VLANs or any other parts of your network. Nobody gets confused. It’s simple to
deploy, and simple to troubleshoot.
In any other deployment mode, like routed or NAT mode for example, where each of the VMs has multiple
IP addresses, going beyond a handful of devices would be infinitely complex. As we have seen with “firewall
sandwiches”, trying to scale out even with a handful of devices is very complicated and prone to problems.
In a dynamic environment where you want to spin up resources with a click of a button, all of a sudden you
have to signal topology and routing changes to the rest of the network, and make sure all those changes have
propagated and converged properly.
This discussion is specific to north-south perimeter deployments, where trying to scale out traffic processing
with dozens if not hundreds of virtual appliances in routed mode is just not feasible. It should be noted that for
other use cases, such as east-west microsegmentation, routed deployment mode may be applicable, even as
you distribute things between a large number of hosts.
Beyond Scale: Flexibility and the Power of the Cloud
Besides affording the scale you expect with virtualization, the platform provides unparalleled levels of flexibility
that weren’t possible with dedicated hardware appliances. Because network security functions are virtualized,
switching to different functions and between different offerings can be as easy as shutting down old virtual
appliances, and starting new ones. The same goes for software upgrades.
It is also possible to mix and match vendors. You can have one department or tenant using one vendor and
another tenant using a different one. When it comes to new vendor testing and adoption, this capability can be
extremely valuable. Testing and running services in parallel with full control of which traffic is directed to which
set of virtual appliances is something that was never possible before. You don’t have to do forklift upgrades and
hard cut-overs anymore.
Last, but not least, this allows you to convert to a cloud-like OPEX based consumption model with monthly
subscription pricing based on the traffic inspection capacity you require. You can consume your on-premise
network security on a pay-as-you-grow basis, just like any other cloud based services.
Figure 2: Software-defined Network Security for flexibility and efficiency (diagram labels: Turnkey Network Security Virtualization; Public Internet; Software Defined Firewall; SSL/TLS Visibility; Enterprise Network)
The Corsa Solution
Corsa Security offers the only turnkey network security virtualization platform that scales your network security
at any perimeter. By running virtual network security functions from our partner ecosystem on general purpose
x86 servers, Corsa is able to deliver unlimited scale to any network security application by using this private
cloud approach. With true horizontal scale of your traffic inspection you can enable all the necessary inspection
functions, including such “killer apps” as SSL visibility.
Corsa provides all the necessary network, server, load balancing and management components in a turnkey
hyperconverged infrastructure (HCI) package. When more capacity is needed, it’s just a matter of ordering it
with a single click. This turnkey platform can be deployed in minutes and is transforming traditional network
security into software-defined network security. It allows you to have a private cloud-like experience for your
network security so you can inspect all your traffic, all the time. Say good-bye to the SSL inspection gap and
examine 100% of your traffic.
Figure 3: Corsa Red Armor Turnkey Network Security Virtualization Platform (diagram labels: Virtual Firewall Function; Firewall Policy Manager; Virtual NGFW Functions, BYOL (Bring Your Own License); Corsa Supplied and Maintained Turnkey Network Security Virtualization Platform: High Capacity vNGFW, Network, Load Balancer, Server, Hypervisor, Virtual Appliance Image, Virtualized Infrastructure Manager)
About Corsa
Corsa Security is leading the transformation of network security with a private cloud approach
that helps large enterprises and service providers scale network security services with unwavering
performance, unparalleled flexibility and unmatched simplicity. By leveraging unique networking
expertise and proven virtualization technologies, Corsa Red Armor is a turnkey network security
virtualization platform that you order with one click, deploy in minutes and pay-as-you-grow to scale
traffic inspection for 100% visibility and better ROI compared to existing approaches.
To start on your software-defined network security journey, visit corsa.com.
11 Hines Rd. Suite 2032, Ottawa, ON Canada K2K 2X1, 613 287 0393
[email protected] www.corsa.com
For more information about our solutions, please contact Corsa today.
WP-CDD0013-000, Rev 001