Lora O'Haver
Senior Solutions Marketing Manager

Next Gen Firewalls Need a Security Fabric

July 5, 2016 by Lora O'Haver

According to the 2016 Cyberthreat Defense Report (CDR), next-generation firewalls are the top-ranked security acquisition planned for 2016. And it’s no wonder: even with advanced security appliances deployed in most enterprises, cyberattacks continue to escalate in frequency, severity, and impact. Beyond the direct out-of-pocket expenses, a security breach can also cost revenue or the ability to serve customers, and can damage brand and reputation. In such a challenging environment, you may need to think outside the box when deploying new security infrastructure.

Are you minimizing points of failure?  

Firewalls and other inline security tools are critical in preventing cyberattacks. But we need to make sure we are passing as much traffic as possible through these tools, while also keeping traffic congestion and tool failure from impacting network availability. Many organizations deploy inline tools serially so live traffic passes through each security appliance before entering the corporate network.

The problem with serial inline deployment is that if any one tool stops working, traffic stops flowing, which can trigger a network outage that must be resolved before monitoring can resume. That may not sound like a big problem, but tools stop responding for many reasons, including hardware or power failures, traffic congestion, software configuration errors, and scheduled downtime for software or hardware upgrades. The mean time between failures (MTBF) for tools deployed in a serial configuration is actually calculated by multiplying together the MTBF of each appliance. That result may exceed the tolerance set by your network management team and put your network at risk. Worse yet, congestion on these security tools can slow response times, frustrating your customers and employees.

A security fabric offers a better approach.

You can improve the functioning of your tools by moving to a security fabric. The first step is to deploy bypass switches in place of your tools on the live network and configure the switches to pass traffic to and from the tools.

Graphic shows three bypass switches deployed on the network, each connected to a different security appliance.

A bypass switch stays in constant contact with your tools, to make sure they are available to receive traffic. If any tool becomes unresponsive for any reason, the bypass sends traffic on, “bypassing” the unresponsive tool. As soon as a tool becomes operational again, the bypass switch begins sending traffic back through the tool.

The bypass switch essentially provides fail-safe operation for your security tools. With a bypass switch, administrators can take a tool offline to perform a hardware or software upgrade, and the bypass will route traffic around the tool until the maintenance is complete. Network engineers can also use the bypass to help isolate network performance issues by temporarily removing any tool they suspect of causing a problem.

The second component of a security fabric is the network packet broker (NPB), which aggregates traffic from all of the monitoring points across your network and routes selected traffic to your tools.

Graphic shows a bypass switch on the network connected to a network packet broker, which is connected to three different security appliances.

NPBs can see inside network packets and use the protocol, IP address, port, VLAN, or other information to filter traffic. Ixia NPB solutions filter not only on Layer 2-4 data but also on Layer 7 application-level data. With NPBs in place, you can load balance traffic across multiple devices to reduce congestion, making it easier to add capacity without downtime. You can even direct the NPB to let trusted traffic bypass all your security devices to increase responsiveness. NPBs are centrally managed through a graphical interface that makes it easy to change your load balancing policies and reduces administrative costs. Together, these capabilities reduce the volume of traffic passing through many of your advanced monitoring tools, reducing congestion and extending their useful life.

Another valuable feature of an NPB is that it can allocate traffic to security devices at line rates different from that of your core network, allowing you to separate the decision to upgrade your network from the decision to upgrade the tools monitoring that network. This flexibility can substantially reduce the cost of a network upgrade.
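The bypass-switch heartbeat and the packet broker's filter and load-balancing behaviour described above, as a small Python model added here (not code from the post or from Ixia); the Tool, Packet and PacketBroker names, the fields and the fail-open choices are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Tool:
    name: str
    healthy: bool = True  # flipped by the bypass switch's heartbeat probe


@dataclass(frozen=True)
class Packet:  # constructed Layer 2-4 fields a broker can filter on
    src: str
    dst: str
    proto: str
    dport: int
    vlan: int


def heartbeat(tool: Tool, responded: bool) -> str:
    """Bypass-switch probe: record tool health and report what the switch does.
    A BYPASSED tool means its traffic is passing uninspected, which is worth
    alerting on, not just logging."""
    tool.healthy = responded
    return f"{tool.name}: {'inline' if responded else 'BYPASSED (uninspected)'}"


def flow_key(p: Packet) -> bytes:
    # Symmetric hash on the address pair and protocol so both directions of a
    # session land on the same tool; a stateful firewall needs the whole flow.
    a, b = sorted((p.src, p.dst))
    return hashlib.sha256(f"{a}|{b}|{p.proto}".encode()).digest()


class PacketBroker:
    def __init__(self, tools, trusted_vlans=()):
        self.tools = list(tools)
        self.trusted = set(trusted_vlans)

    def route(self, p: Packet) -> str:
        """Return the tool that inspects p, or 'bypass' if it skips inspection."""
        if p.vlan in self.trusted:
            return "bypass"  # trusted VLAN goes straight through (policy choice)
        alive = [t for t in self.tools if t.healthy]
        if not alive:
            return "bypass"  # every tool down: fail open rather than an outage
        # Plain modulo reshuffles existing flows when the pool size changes;
        # a consistent-hashing scheme would keep surviving flows pinned.
        idx = int.from_bytes(flow_key(p)[:4], "big") % len(alive)
        return alive[idx].name
```

Both "bypass" outcomes (trusted VLAN and all-tools-down) are traffic that no security tool sees, so a defender would count and alert on them rather than treat them as silent success.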

Take it to the next level with high availability. 

To inspect as much traffic as possible, you can easily configure your security fabric for high availability using redundant bypass switches and NPBs. If you deploy your NPBs in an active-active setup with complete synchronization, as shown below, you get automatic and instantaneous recovery of your security infrastructure in the event of any failure, including failure of the NPB itself.

Graphic shows fully redundant security fabric with two network paths, both featuring bypass switches connected to packet brokers, which are synchronized.
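To put numbers on the serial-deployment argument and the high-availability design above, here is an added Python example (not from the post or from Ixia) using the standard series/parallel availability model, in which a series path is up only while every element is up and a redundant pair is down only while both members are down; all MTBF, MTTR and availability figures are constructed.

```python
def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one device from its MTBF and MTTR."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series_availability(avails) -> float:
    """Tools chained inline: traffic flows only while every tool is up, so
    the path availability is the product of the per-tool availabilities."""
    a = 1.0
    for x in avails:
        a *= x
    return a


def parallel_availability(avails) -> float:
    """Redundant devices (e.g. an active-active NPB pair): the path is down
    only while every member is down at the same time."""
    down = 1.0
    for x in avails:
        down *= 1.0 - x
    return 1.0 - down


def fabric_path_availability(bypass_avails, npb_avails) -> float:
    """Network path through the fabric: the bypass switches remain in series
    on the live link, tool outages no longer break it, and the NPB pair is
    redundant.  Tool availability drops out of the path calculation."""
    return series_availability(bypass_avails) * parallel_availability(npb_avails)


def fully_inspected_fraction(tool_avails) -> float:
    """Share of time every tool is inline.  The bypass removes the outage but
    not the gap: while a tool is bypassed its traffic is uninspected, so this
    is the number to watch (and alert on) alongside path availability."""
    return series_availability(tool_avails)


def annual_downtime_minutes(avail: float) -> float:
    return (1.0 - avail) * 365 * 24 * 60


if __name__ == "__main__":
    tools = [availability(8760, 4)] * 3  # constructed: 1-year MTBF, 4 h MTTR
    print("serial chain path:", series_availability(tools))
    print("fabric path:", fabric_path_availability([0.9999] * 3, [0.999, 0.999]))
    print("fully inspected:", fully_inspected_fraction(tools))
```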

It’s clear that a security fabric built with bypass switches and network packet brokers offers many operational advantages. And a security fabric can pay for itself by reducing future tool purchases through increased tool efficiency and better use of existing capacity. With so much at stake, you need to give your next generation security tools the best possible chance for success.