An undersized firewall can be catastrophic to your network performance, availability and security posture. Selecting a firewall that is the appropriate size for your environment is arguably the most important technical decision you, the gatekeeper of what goes in and out of your network, can make for your network.
This post discusses the five most important metrics to consider when sizing a next-gen firewall. While these tools will help you arrive at what to look for, remember that vendors will always advertise “best case scenarios.” So when comparing vendors, make sure you look at how the vendor arrived at that number (i.e. packet size, traffic profile and testing conditions).
CPS (Connections per Second)
CPS deals with how quickly the firewall can create and store a new session that’s accepted by a firewall policy. The easiest place to determine how many connections per second your network needs is by looking at your current firewall, if you have one. If you don’t have a firewall in place, here’s a little industry technique to determine what you need:
- First, count the total amount of users on your network.
- Next, count the amount of devices on your network without users. This could be IoT devices, servers, printers, phone and other devices.
Each user can expect to use between three and seven sessions per second, with seven the peak exception. Devices should be closer to one or two connections per seconds.
For our example, we’ll use 100 users and 20 devices. That means we would require between 320 CPS during normal or idle times, and about 740 CPS during peak time. Also, don’t forget to consider potential growth in users and IoT devices, so make sure to pad your requirement for that expected growth.
The most common place to start when sizing a next-gen firewall is by looking at the total Layer 4 throughput. But a common mistake is not calculating traffic in all directions.
For example, a 1Gbps symmetrical circuit is commonly 1Gbps download and 1Gbps upload. This means that on a full saturated link, you can have up to 2Gbps of theoretical throughput going through your firewall. Traffic between network segments such as internal users going to an internal resource is often overlooked and must be calculated as well. A properly designed network should have segmentation between different networks, which means that all traffic destined outside that segment would hit the firewall and count toward the total throughput.
Remember to look at the kind of traffic that was used by the vendor in calculating their advertised throughput. Oftentimes, the vendor will advertise UDP with big packet sizes instead of TCP because they perform much better. But with the majority of your traffic probably being TCP, your real-world experience will be quite different.
According to Google’s HTTPS encryption transparency report, 73 percent of pages loaded in Chrome on Windows used SSL, up from 59 percent from a year ago. With that number only expected to continue to rise, SSL inspection is becoming a standard for any network.
Firewall SSL inspection usually comes in two forms: certificate inspection and deep packet inspection (DPI).
- Certificate inspection only inspects the SSL handshake, so there’s usually not a big performance hit because you’re not looking inside the tunnel.
- SSL DPI actually performs a “man in the middle” between the user and server, so this comes at a huge performance impact.
In the most recent NSS “Next-Gen Firewall” report, one vendor experienced as much as a 91 percent performance degradation when it enabled SSL deep packet inspection. Some vendors that employ custom ASIC saw performance decreases as little as 14 percent.
When looking at any vendor’s SSL performance numbers, take note of the cipher suite and packet size used to inspect. Not all SSL performance numbers are measured equally, and firewall vendors are notorious for posting weak ciphers and large packets to make their numbers look better than you would get in the real world.
Next-Gen Firewall Features
There is a performance cost for every next-gen firewall feature that is enabled. In NSS’ report, some vendors dropped as much as 82 percent by enabling IPS and application identification. And that wasn’t even including more resource-intense features such as AV, web filtering and DLP.
Your first step is to decide on the features you need or plan to implement. Next, decide where on your network those features will be enabled. For example, if you decide you need web filtering, you’ll only need to enable it on outbound web traffic. If web traffic accounts for 40 percent of your total circuit and you have a 1Gbps circuit, you would effectively need at least 400 Mbps of web filtering capabilities.
The majority of vendors won’t have performance numbers for every permutation of next-gen features. Instead, they may have one performance number with several features enabled and call it something like “threat protection” or “threat prevention.” This, too, can vary between vendors, so keep an eye out for what’s included in that definition.
Max Sessions (Concurrent Sessions)
As their names imply, this refers to the total number of firewall sessions a box can support. Like CPS, this can vary greatly from network to network depending on a number of different factors including traffic type, protocols, session timeouts, users and more.
Thankfully, as technology has evolved, next-gen firewall vendors have added plenty of memory to support most normal networks for their target market. In fact, in all my years consulting and designing next-gen firewalls for telcos and large customers, I’ve never seen the maximum session of any device get exhausted before other factors such as CPS or CPU due to other features being enabled.
But this can be a serious problem for data centers or other internet-facing traffic where the connections can be unpredictable. It’s also the main target of DDoS attacks, which try to overwhelm a firewall by sending too much traffic at once and exhausting the CPS limits.
If you don’t have a firewall that can tell you how many sessions you currently have, calculating 100 sessions per user or device is usually a safe bet.
The CISO Perspective
An undersized firewall can not only bring your entire network down, but it can also undermine your security policies by failing open. As resources get limited, some firewalls will stop inspecting traffic to conserve CPU or memory. Make sure you understand what the firewall’s behavior is when resources get low and make sure it aligns with your security policy.