Lora O'Haver
Senior Solutions Marketing Manager

Four Low Cost Strategies for Scaling Network Security

April 6, 2017 by Lora O'Haver

If your next generation firewall (NGFW) or intrusion prevention system (IPS) is reaching capacity, you may be worrying about how to scale up without breaking your budget. What if you could help your solutions work smarter, to handle more volume without the need for major CAPEX? You may be able to do just that with a few simple strategies.

Strategy 1: Pool security appliances to serve multiple network segments

This strategy applies when an NGFW or IPS on one network segment is running at capacity while a similar appliance on another segment is under-utilized. The idea is to have the appliances share the workload more evenly rather than adding another high-cost appliance. To do this, you deploy a network packet broker (NPB) as a middleman that collects traffic from multiple segments and distributes it across your appliances. It may be counter-intuitive that adding a device saves money, but an NPB can cost far less than another appliance for your busiest segment. An NPB also lets you set the rules for how traffic is distributed, so the appliances are load balanced automatically. One rule matters for stateful tools such as an IPS: the distribution must be flow-aware, sending both directions of a session to the same appliance, or the appliance cannot reassemble the conversation it is supposed to inspect. For inline deployment on your live network, choose a high-performance NPB that processes traffic at line rate, so network response time does not suffer and you can deliver the expected quality of service.

Pooling your security appliances also gives you resiliency without buying a redundant device for every network segment. With an NPB in place, you need only one additional device in the pool to pick up the slack if any one appliance goes offline (the N+1 approach). Because total capacity is pooled, the NPB reallocates traffic among the remaining appliances as soon as its health check detects the failure. Check how the NPB behaves in the interval before detection, and whether it is configured to fail open (traffic passes uninspected) or fail closed (traffic is dropped); either can be the right choice for a given segment, but it should be a deliberate one. With this architecture, inspection continues during an unanticipated failure or when you take an appliance offline temporarily to update its operating system.
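The two properties the pooled design depends on, flow-aware distribution and a failover that does not reshuffle the sessions the surviving appliances are already tracking, are easy to get wrong with a naive hash. The following is an added example, not Ixia or NPB vendor code: a toy model of the distribution rule an NPB applies, comparing hash-mod-N against rendezvous hashing on a constructed set of 10,000 synthetic flows. The pool size, appliance names and the name of the appliance that fails are assumptions.

```python
"""Flow-aware load balancing across a pooled set of inline appliances, with N+1 failover.

Added example, not Ixia or NPB vendor code: a toy model of the distribution rule an NPB
applies. Two properties matter when the appliances keep per-session state (an IPS does):
  1. symmetry: both directions of a TCP/UDP session must reach the same appliance;
  2. stickiness on failover: when one appliance drops out, only the sessions it was
     handling should move, so the survivors keep their existing session state.
Rendezvous (highest-random-weight) hashing gives both; naive hash-mod-N gives only the first.
"""
import hashlib
from collections import Counter

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: order the endpoints so A->B and B->A produce the same key."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"

def _h(text):
    """64-bit hash of a string (any stable hash works; blake2b is in the standard library)."""
    return int.from_bytes(hashlib.blake2b(text.encode(), digest_size=8).digest(), "big")

def pick_modulo(key, appliances):
    """Naive hash-mod-N: symmetric, but a change in N reshuffles most flows."""
    return appliances[_h(key) % len(appliances)]

def pick_rendezvous(key, appliances):
    """Rendezvous hashing: score every appliance for this flow, take the highest."""
    return max(appliances, key=lambda name: _h(f"{key}#{name}"))

def moved_flows(flows, before, after, picker):
    """Number of flows whose appliance changes when the pool goes from `before` to `after`."""
    return sum(1 for f in flows if picker(f, before) != picker(f, after))

# Constructed sample: 10,000 synthetic client sessions to one web server (not captured traffic).
SAMPLE_FLOWS = [flow_key(f"10.1.{i // 256}.{i % 256}", 40000 + (i % 1000), "192.0.2.10", 443, "tcp")
                for i in range(10000)]

# Assumed sizing: three appliances cover the peak load, the fourth is the N+1 spare.
POOL = ["ips-1", "ips-2", "ips-3", "ips-4"]

def failover_report(flows=SAMPLE_FLOWS, pool=POOL, failed="ips-2"):
    """Simulate `failed` dropping out of `pool` and compare how the two policies redistribute."""
    remaining = [a for a in pool if a != failed]
    return {
        "on_failed": sum(1 for f in flows if pick_rendezvous(f, pool) == failed),
        "rendezvous_moved": moved_flows(flows, pool, remaining, pick_rendezvous),
        "modulo_moved": moved_flows(flows, pool, remaining, pick_modulo),
        "load_after": dict(Counter(pick_rendezvous(f, remaining) for f in flows)),
    }

if __name__ == "__main__":
    for name, value in failover_report().items():
        print(f"{name}: {value}")
```

With rendezvous hashing the number of flows that move equals the number that were on the failed appliance; with hash-mod-N roughly three quarters of all flows change appliance, and every one of those arrives at an IPS that has no state for it. A hardware NPB does the same hashing in its forwarding ASIC, and when traffic is tunneled the hash has to be taken over the inner headers, otherwise every session inside one tunnel lands on the same appliance.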

Strategy 2: Reduce the number of packets you inspect, not the number of segments you monitor

The high cost of sophisticated NGFW and IPS solutions leads some organizations to pick and choose which network segments they monitor. A recent security study performed by EMA for Ixia found that 47% of enterprises leave more than half of their network segments unmonitored. It is no wonder attacks continue to succeed. While you may not need to monitor 100% of segments, leaving segments unmonitored is risky. A better approach is to pick and choose the type of traffic you send to your appliances, rather than the segments you monitor.

In this strategy, you use the NPB to aggregate traffic collected from multiple network segments by network taps and then eliminate duplicates to condense the workload. The same packet is often tapped more than once on its path through the network, and the copies are not byte-identical (the IP TTL and header checksum change at every router hop), so deduplication has to compare packets with those fields masked. Some security tools can deduplicate themselves, but because this is resource-intensive, it is more efficient to do it on a high-performance NPB. When MPLS or other tunneling technology is used, an NPB can also strip the labels or tunnel headers so that your IPS sees the inner packet it is designed to inspect.

The NPB can also filter out traffic that does not require inspection, such as voice and video packets, and forward it directly into the network. With the growing use of video, this can significantly reduce congestion and make your IPS more efficient. Filters can also steer email traffic to an email security gateway and web application traffic to a web application firewall. Keep the bypass filters tight: anything matched by a bypass rule is never inspected, so define it by more than a port range (the voice VLAN or media subnet as well as the RTP ports), or an attacker only has to use that port range to avoid your IPS. Filtering has helped Ixia customers reduce traffic to their security tools by up to 80%, leaving much more room for overall growth in traffic volume.
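The deduplication and filtering stages described above, as an added example that is not Ixia or NPB vendor code. Packets are built as raw IPv4 bytes so the example can show the detail that defeats naive deduplication: copies of one packet tapped before and after a router differ in TTL and therefore in the header checksum. The deduplication window, the voice subnet, the RTP port range and the steering rules are assumptions.

```python
"""Deduplicate and filter tapped traffic before it reaches the IPS.

Added example, not Ixia or NPB vendor code. The dedup key masks the IPv4 TTL and header
checksum so hop-to-hop copies of one packet collide; the voice bypass is tied to an
assumed voice subnet as well as a port range, so RTP ports alone do not evade inspection.
"""
import hashlib
import ipaddress
import struct
from collections import Counter, deque

DEDUP_WINDOW_US = 100_000                          # assumption: copies >100 ms apart are not duplicates
VOICE_NET = ipaddress.ip_network("10.50.0.0/16")   # assumed voice VLAN
RTP_PORTS = range(16384, 32768)                    # assumed media port range of the phone system

def build_packet(src, dst, proto, sport, dport, payload, ttl=64):
    """Constructed IPv4 packet; only the port fields of the L4 header are modelled, checksums left zero."""
    l4 = struct.pack("!HH", sport, dport) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + l4

def dedup_key(pkt):
    """Hash with TTL (byte 8) and header checksum (bytes 10-11) zeroed so hop-to-hop copies collide."""
    masked = bytearray(pkt)
    masked[8] = 0
    masked[10:12] = b"\x00\x00"
    return hashlib.blake2b(bytes(masked), digest_size=16).digest()

class Deduplicator:
    """Remembers keys seen inside the window; memory stays bounded by expiring old entries."""
    def __init__(self, window_us=DEDUP_WINDOW_US):
        self.window = window_us
        self.last_seen = {}    # key -> timestamp of the most recent copy
        self.order = deque()   # (timestamp, key) in arrival order, for expiry

    def is_duplicate(self, pkt, ts_us):
        while self.order and ts_us - self.order[0][0] > self.window:
            old_ts, old_key = self.order.popleft()
            if self.last_seen.get(old_key) == old_ts:   # keep the key if a newer copy refreshed it
                del self.last_seen[old_key]
        key = dedup_key(pkt)
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts_us
        self.order.append((ts_us, key))
        return previous is not None and ts_us - previous <= self.window

def classify(pkt):
    """Decide where the NPB sends a packet that survived deduplication."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto == 17 and dport in RTP_PORTS and src in VOICE_NET:
        return "bypass"            # voice media from the voice VLAN: forwarded, never inspected
    if proto == 6 and dport in (25, 587):
        return "email-gateway"
    if proto == 6 and dport in (80, 443):
        return "waf"
    return "ips"

def process(stream):
    """stream: iterable of (timestamp_us, tap_name, packet_bytes). Returns counts per destination."""
    dedup = Deduplicator()
    counts = Counter()
    for ts, _tap, pkt in stream:
        if dedup.is_duplicate(pkt, ts):
            counts["dropped-duplicate"] += 1
            continue
        counts[classify(pkt)] += 1
    return dict(counts)

# Constructed sample stream: the same packets seen by a tap before (ttl=64) and after (ttl=63) a router.
def https(ttl): return build_packet("10.1.2.3", "192.0.2.10", 6, 51000, 443, b"GET", ttl)
def smtp(ttl): return build_packet("10.1.2.4", "192.0.2.25", 6, 51001, 25, b"EHLO", ttl)
def rtp(ttl): return build_packet("10.50.0.5", "10.50.1.7", 17, 20000, 20000, b"\x80" * 12, ttl)
SAMPLE_STREAM = [
    (0, "tap-A", https(64)), (50, "tap-B", https(63)),
    (100, "tap-A", smtp(64)), (150, "tap-B", smtp(63)),
    (200, "tap-A", rtp(64)), (260, "tap-B", rtp(63)),
    (300, "tap-A", build_packet("10.1.9.9", "203.0.113.5", 17, 20000, 20000, b"\x80" * 12)),  # RTP ports, not voice VLAN
    (500_000, "tap-A", https(64)),   # identical bytes again but outside the window: not a duplicate
]

if __name__ == "__main__":
    print(process(SAMPLE_STREAM))
```

Of the eight packets in the sample, three are dropped as duplicates, the RTP packet from the voice subnet bypasses inspection, and the packet that only imitates RTP from an ordinary client subnet still goes to the IPS. The window size is a trade-off: too short and copies tapped far apart on the path are both inspected, too long and a genuine retransmission with identical bytes is mistaken for a duplicate.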

Strategy 3: Chain inline appliances together to increase efficiency

If you are sending live network traffic through a series of specialized security appliances, you may want to link two or more of them so that one tool can take advantage of the work done by another. The diagram below shows how an NPB creates a virtual (software-defined) chain of security appliances, specifying the order in which they inspect and process traffic. Because the chain is not based on physical cabling, the order is easily changed and managed from the NPB's user interface.

An analogy is an assembly line, where the work done at one station enables the work at the next. In this example, traffic flows first to an SSL decryption device, and the decrypted packets are then forwarded to the other appliances in the order shown. Some of those appliances cannot decrypt and would otherwise be unable to inspect the packets; even appliances that can decrypt spend many of their processing cycles doing so, which hurts their throughput. It is more efficient to place an appliance designed for fast decryption early in the chain and make its output available to everything downstream. Note that the links from the decryptor to the downstream tools carry plaintext, so they belong on dedicated, physically secured ports rather than a shared network. Besides enforcing the order in which traffic is processed, the NPB can mask data within the decrypted traffic that is too sensitive to expose to every tool, such as a customer's social security number. New technology being added to NPBs will also allow them to re-encrypt the traffic before passing it on to its ultimate destination, to maintain maximum data security.

Diagram of an inline security appliance chain

Strategy 4: Offload traffic blocking from high-cost appliances

The fourth strategy is to reduce the load on your high-cost security appliances by transferring work that can be done more efficiently on a less costly device. One example is blocking traffic to and from IP addresses known to be involved in threats and attacks. Firewalls and IPSs block such traffic using rules and blocklists you configure (a SIEM can alert on matches against the same lists, but it is not an inline device and does not block anything itself). However, security appliances are not designed to store an unlimited number of rules or addresses; a typical maximum is 10,000 to 40,000 entries. This might seem like a large number, but with increasing traffic volume and the growth of cyberattacks it can be a serious constraint, and performance often degrades as the rule count approaches the appliance's upper limit. Rather than purchasing additional appliances to recover performance, you can offload traffic blocking to reduce the workload on the ones you have.

A threat intelligence gateway appliance is designed specifically to identify and block traffic coming from, or going to, malicious sites. The gateway keeps track of a far larger number of indicators than a firewall or IPS rule table holds and blocks packets at line rate with no loss of performance. It is usually connected to a real-time threat intelligence feed that continually and automatically updates its rules based on current, verified information, without human intervention. This means that the gateway offloads not only the security appliances but also the security staff. Automatic updates also mean that a false positive in the feed is enforced automatically, so keep an operator-controlled allowlist that overrides the feed and log every block with the indicator and feed that caused it. With threat intelligence handling traffic blocking, your security architecture is ready to scale.
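The blocking stage described in this strategy, as an added example that is not the code of any real threat intelligence gateway or of Ixia. It models the two behaviours the text attributes to the gateway, a block table keyed by prefix rather than by a fixed rule slot and incremental updates applied straight from a feed, and adds the safeguard a practitioner wants around unattended updates: an operator-owned allowlist that always wins. The feed entries use documentation address ranges and are constructed, not real indicators; the feed names and the allowlisted partner host are assumptions.

```python
"""IP-reputation blocking as an offload stage in front of a firewall or IPS.

Added example, not a real threat intelligence gateway. Longest-prefix match over a
table bucketed by prefix length, incremental feed updates, and an allowlist that
overrides the feed so a false positive cannot black-hole a partner or your own space.
"""
import ipaddress

class ReputationBlocklist:
    def __init__(self):
        self.tables = {}   # (ip version, prefix length) -> {int(network address): feed source}
        self.allow = []    # ip_network objects that are never blocked, whatever the feed says

    def rule_count(self):
        return sum(len(t) for t in self.tables.values())

    def add(self, cidr, source):
        net = ipaddress.ip_network(cidr, strict=False)
        self.tables.setdefault((net.version, net.prefixlen), {})[int(net.network_address)] = source

    def remove(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        self.tables.get((net.version, net.prefixlen), {}).pop(int(net.network_address), None)

    def allowlist(self, cidr):
        self.allow.append(ipaddress.ip_network(cidr, strict=False))

    def lookup(self, ip):
        """Longest-prefix match. Returns (matched cidr, feed source), or None if allowed or unlisted."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allow):
            return None
        n, bits = int(addr), addr.max_prefixlen
        lengths = sorted((p for (v, p) in self.tables if v == addr.version), reverse=True)
        for plen in lengths:                       # most specific prefix first
            masked = n & (((1 << plen) - 1) << (bits - plen))
            source = self.tables[(addr.version, plen)].get(masked)
            if source is not None:
                return (f"{type(addr)(masked)}/{plen}", source)
        return None

    def verdict(self, src_ip, dst_ip):
        """Inline decision for one packet: block if either endpoint is listed."""
        hit = self.lookup(src_ip) or self.lookup(dst_ip)
        return {"action": "block" if hit else "pass", "match": hit}

def apply_feed_update(bl, delta):
    """Apply an incremental feed delta {'remove': [cidr], 'add': [(cidr, source)]} without an operator step."""
    for cidr in delta.get("remove", []):
        bl.remove(cidr)
    for cidr, source in delta.get("add", []):
        bl.add(cidr, source)
    return bl.rule_count()

# Constructed sample feed using documentation ranges (RFC 5737 / RFC 3849), not real indicators.
INITIAL_FEED = [("198.51.100.0/24", "feed-A"), ("203.0.113.7/32", "feed-B"), ("2001:db8:bad::/48", "feed-A")]
FEED_DELTA = {"remove": ["203.0.113.7/32"], "add": [("203.0.113.0/25", "feed-B")]}

def build_blocklist():
    bl = ReputationBlocklist()
    for cidr, source in INITIAL_FEED:
        bl.add(cidr, source)
    bl.allowlist("198.51.100.42/32")   # assumed partner host that the feed lists by mistake
    return bl

if __name__ == "__main__":
    bl = build_blocklist()
    print(bl.verdict("10.0.0.5", "198.51.100.9"))     # blocked by the /24
    print(bl.verdict("198.51.100.42", "10.0.0.5"))    # allowlist overrides the /24
    apply_feed_update(bl, FEED_DELTA)
    print(bl.verdict("203.0.113.7", "10.0.0.5"))      # still blocked, now via the /25
    print(bl.verdict("203.0.113.200", "10.0.0.5"))    # outside the /25: passes
```

The table grows with the feed instead of consuming one firewall rule per indicator, each lookup costs one hash probe per distinct prefix length present, and a feed delta is applied in place without touching the firewall. A real gateway does this in hardware at line rate; what carries over from the toy is the layering: allowlist first, then most-specific prefix, then a logged verdict.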

Summary: If your organization is outgrowing your existing security architecture, consider implementing one or more of these strategies to help you get more out of the security infrastructure you already have.