The impact of digital transformation on the NGFW
Digital transformation is changing the way enterprises access, process, and share information. The convergence of IoT, mobility, and cloud – combined with a growing reliance on SaaS applications – are driving new digital business models. This has resulted in massively increased volumes of information and transactions extending out to the cloud that have also been encrypted to ensure privacy.
This combination of increasing volume, performance, and processing requirements places new stringent demands on the next generation firewalls deployed at the enterprise edge. Threat protection, SSL inspection, and capacity are now table stakes for any high end NGFW looking to protect the enterprise.
The question that IT teams are wrestling with is, what constitutes adequate security performance levels so that we can be confident that we can conduct business at the speed and volume the market requires, without compromising the security that user and regulatory bodies demand?
The requirement is straightforward: all traffic (clear and encrypted) traversing the network needs to be inspected, and security controls need to be applied, without degrading network performance. However, most NGFW solutions on the market today simply aren’t up to the task.
Providing full threat protection (TP) without slowing down the network can only be accomplished if that protection is applied at rates that match or exceed network speed. With many WAN speeds approaching or even exceeding 40G to 100G, NGFWs deployed at the edge must be able to deliver threat protection at near wire rates. And unlike the solutions being provided by many vendors, organizations can’t afford to disable essential TP functions or SSL decryption in order to meet performance requirements. Threat Protection throughput must be measured with firewall, application control, intrusion prevention (IPS), and antimalware/antivirus functions enabled using an enterprise traffic mix. And SSL inspection functions must be fully enabled to secure a real world mix of enterprise traffic.
It’s about a lot more than just speed
Capacity is another critical requirement. Most NGFW appliances today top out session capacity at a few million sessions. With the increasing volume of traffic and devices connecting to the network, maintaining high session capacity to accommodate peak connectivity is important.
With nearly 80% all web traffic now encrypted, SSL inspection is one of the most important capabilities for a NGFW. It’s really the only way to reduce the risk of a data breach resulting from advanced threats hiding in SSL traffic. To do this, NGFWs must perform deep packet inspection of SSL traffic and apply security controls without compromising network performance. The challenge, however, is that SSL inspection introduces significant overhead and latency that can seriously impact network performance.
For this reason, many NGFW vendors do not even publish their SSL inspection numbers. Claiming high levels of threat protection throughput that drops to its knees when SSL inspection is turned on is not acceptable, especially when the majority of the traffic is encrypted. For example, a claim of 30G of Threat Protection with an SSL inspection throughput of 6.5 Gbps really means you are only getting 6.5 Gbps of security performance for the majority of your network traffic, which is woefully inadequate.
Introducing the world’s first NGFW appliance built to meet the true demands of today’s digital enterprises
Given the new realities of today’s networks (extension to the cloud, more traffic volume, and growing numbers of connected users, devices, and IoT), NGFWs placed at the enterprise edge are under pressure to perform at capacity, resiliency, and connectivity levels that have only ever been seen before in data center firewalls. But because IT expertise has been spread so thin, edge solutions also require ease of deployment, use, and management. Which means that a traditional chassis is not an optimal choice here.
What’s needed is the performance, scale, and capacity of a high-performance chassis in a small, efficient, and highly scalable appliance footprint. Which is why Fortinet has just announced a new class of ultra-high performance security appliances – the 6000F-series NGFWs that have been engineered to meet the real demands of digital business by completely resetting the bar for threat protection (TP) throughput, SSL inspection, connectivity, and capacity.
The 6500F, for example, ensures that customers can confidently inspect and secure all their traffic without the network slowing down by delivering:
- 170 million concurrent sessions
- 130 Gbps of SSL inspection
- 100 Gbps of threat protection performance
- A streamlined 3U form factor
- All at a price point that no one in the industry can match
A look inside the Fortinet 6000F-series hardware architecture
With an industry first for a security appliance, Fortinet’s NGFW hardware architecture leverages a new, compact internal processing card technology that dramatically scales performance while reducing size, allowing them to fit within an appliance form factor. These new processing cards are miniaturized versions of the blades typically used in cutting-edge modular security chassis.
This new design provides dedicated processing power in order to accelerate each step in the inspection and protection process. To accomplish this, each processing card combines multiple 12-core CPUs with Fortinet’s proprietary Security Processing Units (SPUs), Content Processors (CP9), and Network Processors (NP6) into a single, discrete unit. And the FortiGate 6000F series devices are able to support up to ten of these discrete processing cards in a single 3RU-sized appliance.
To accelerate the power and performance of these appliances even further, these processing cards are managed using custom load balancing Distribution Processors (DP3) that intelligently assign and coordinate tasks between the different processing cards. This innovative design enables high resilience, session scale, and advanced security capabilities – benefits traditionally only available in a chassis-based configuration – at breakthrough speeds never before seen in a compact appliance form-factor.
Advanced security capabilities and performance: The 6000F series are the industry’s fastest NGFW appliances, delivering advanced threat protection and SSL inspection performance to handle the massive volumes of traffic at the network edge.
Comparison of the FortiGate 6300F with the PAN 5260 appliance
High Speed and Flexible Interfaces: High density SFP28 and QSFP28 interfaces support 10G, 40G, and 100G data rates, as well the new 25G data rate standard, to provide high speed connectivity and increased flexibility as enterprises migrate to higher density designs.
With this latest NGFW innovation in place, Fortinet has once again widened the performance and security gap between our closest competitors and us. And our ongoing commitment to an engineering-driven architectural approach to security ensures that this gap will only continue to widen, ensuring that customers always have access to the cutting edge security tools they need to enable their continued success in the new digital economy.
FortiGate’s 6000F series Next-Generation Firewalls will be available on March 30th, 2018.
For more information, download our paper and learn about the top threats that enterprise security leaders are being forced to address and the security approaches to evalutate to protect against them.