We have reached a significant milestone in firewall performance for hyperscale data centers and service provider networks: with the just-released Intelligent Traffic Offload (ITO) service, VM-Series virtual firewalls now integrate with data processing units (DPUs) and smart network interface cards (SmartNICs).
For organizations running these environments, this can improve VM-Series performance by up to five times, because ITO hands the remaining packets of any flow that does not benefit from security inspection (for example, encrypted traffic the firewall has no keys to decrypt) to the DPU or SmartNIC instead of processing them on the firewall.
This matters because in service provider networks and hyperscale data centers roughly 80% of traffic consists of flows that either cannot, or will not, benefit from security inspection. For example, a firewall in a telco network cannot decrypt and inspect the encrypted session between a subscriber's device and Facebook. To inspect the 20% of traffic that does benefit, the operator must still deploy firewall capacity for the throughput of the total traffic, or accept added network latency. Deploying enough large firewalls to support these enormous networks without sacrificing performance can make security cost prohibitive, until now.
In this blog, we will dive into how the Intelligent Traffic Offload service reduces the overall load on VM-Series firewalls and increases their performance without sacrificing security efficacy.
How Intelligent Traffic Inspection Works Today
Before we get into the details of how the new Intelligent Traffic Offload service works, let’s take a look at how software firewalls analyze traffic without the service. VM-Series inspects the first few packets of every flow to identify the application. Once the application is identified, two factors determine whether the VM-Series performs further content inspection:
Can the session be inspected at all? Encrypted traffic without a matching decryption policy cannot be, and neither can traffic whose application could not be identified.
Is there any benefit to inspecting the remaining packets of the session? Streaming media applications with no known vulnerability and no known associated threat gain nothing from content inspection.
If the session is identified as not requiring inspection, subsequent packets of that particular session will skip the content inspection step and be directed to the egress interface as shown below.
Figure 1: Security inspection with VM-Series virtual firewalls without Intelligent Traffic Offload enabled
The Current Hyperscaler Trade-off: Security vs. Cost
In a typical enterprise environment the organization holds the keys to its own encrypted traffic, so that traffic is decrypted and inspected and the share of traffic that skips content inspection is negligible. In hyperscale environments such as service provider transit networks, however, a major portion of traffic cannot be inspected, or need not be, for two primary reasons:
The service providers operating the transit networks do not have the keys to decrypt the traffic.
A major portion of the traffic passing through these transit networks is streaming media, such as gaming, video streaming, video conferencing, etc.
So what happens in hyperscale data centers where large volumes of traffic must pass through the security stack but only a minor portion of it benefits from next-generation inspection? Network security professionals end up making a poor trade-off. They can optimize for cost by not deploying next-generation firewalls at all, leaving even the inspectable 20% uninspected. Or they can optimize for security by deploying the large number of firewalls needed to inspect every packet of every session, which can be prohibitively expensive. Neither choice serves the organization well.
Intelligent Traffic Offload Service Eliminates Tradeoffs
With the new ITO service, VM-Series virtual NGFWs eliminate the trade-off between security and cost. ITO integrates with the industry's leading DPUs and SmartNICs to improve virtual firewall performance by up to 5X with a simple, cost-effective approach: traffic that does not benefit from security inspection is offloaded from the firewall to the adapter.
Here is how it works. For each new flow, the first few packets are sent to the VM-Series, which identifies the application and determines whether the session can benefit from content inspection, exactly as it does today.
If the session does not benefit from content inspection, ITO instructs the DPU or SmartNIC, through an OpenAPI call, to forward all subsequent packets of that session directly to their destination without passing them to the VM-Series, as illustrated below.
Figure 2: ITO offload use case
For flows that do need inspection, ITO leaves the session on the firewall and VM-Series inspects every packet of the flow, as seen below.
Figure 3: ITO firewall inspection use case
By inspecting only the flows that can benefit from security inspection and offloading the rest to the DPU or SmartNIC, the overall load on the firewall drops sharply and performance rises without weakening the security posture. Note that the decision is made once, on the first few packets of a session; after offload the firewall sees none of that session's remaining packets, which is exactly why offload is reserved for traffic the firewall could not or need not inspect.
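To make the decision flow behind Figures 2 and 3 concrete, here is an added illustration of the same mechanism in Python. It is not VM-Series or ITO code and not Palo Alto Networks' implementation: a firewall object examines the first FIRST_PACKETS packets of each session, identifies the application with a few toy signatures standing in for App-ID, and either keeps the session on the firewall or programs a simulated SmartNIC flow table so the remaining packets never reach it. The packet format, the FIRST_PACKETS threshold, the signatures, the decrypt_hosts policy and the offload_flow() call are all assumptions made for this example, and the traffic mix is constructed, not captured.

```python
# Added illustration of first-packet identification followed by per-session offload.
from collections import namedtuple
from typing import Dict, Set, Tuple

FIRST_PACKETS = 3  # packets per session examined before the decision (assumed value)
Packet = namedtuple("Packet", "src dst sport dport proto payload fin", defaults=(b"", False))
FlowKey = Tuple[str, str, int, int, str]  # the 5-tuple pkt[:5] identifies a session


class SmartNic:
    """Simulated DPU/SmartNIC: offloaded sessions are forwarded here and never reach the firewall."""

    def __init__(self) -> None:
        self.offloaded: Set[FlowKey] = set()
        self.fast_path_packets = 0

    def offload_flow(self, key: FlowKey) -> None:
        self.offloaded.add(key)  # stand-in for the API call that programs the adapter's flow table

    def handle(self, pkt: Packet) -> bool:
        """True if the packet belonged to an offloaded session and bypassed the firewall."""
        key = pkt[:5]
        if key not in self.offloaded:
            return False
        self.fast_path_packets += 1
        if pkt.fin:
            self.offloaded.discard(key)  # offload entries must be torn down with the session
        return True


class Firewall:
    def __init__(self, nic: SmartNic, decrypt_hosts: Set[str]) -> None:
        self.nic, self.decrypt_hosts = nic, decrypt_hosts  # decrypt_hosts: destinations with a decryption policy
        self.flows: Dict[FlowKey, dict] = {}  # per-session: packets seen, app, decision
        self.stats = {"appid": 0, "inspect": 0, "offloaded_flows": 0}

    @staticmethod
    def identify_app(pkt: Packet) -> str:
        """Toy application signatures standing in for App-ID (assumption)."""
        p = pkt.payload
        if pkt.proto == "tcp" and p[:2] == b"\x16\x03":
            return "ssl"  # TLS record header of a ClientHello
        if pkt.proto == "tcp" and p[:4] in (b"GET ", b"POST"):
            return "web-browsing"
        if pkt.proto == "udp" and p[:1] == b"\x80":
            return "rtp"  # RTP version 2 header, i.e. streaming media
        return "unknown"

    def benefits_from_inspection(self, app: str, pkt: Packet) -> bool:
        if app == "ssl" and pkt.dst not in self.decrypt_hosts:
            return False  # no decryption policy (no keys): content inspection is impossible
        if app == "rtp":
            return False  # streaming media with no known threat signatures (assumed)
        return True  # everything else, unknown traffic included, stays on the firewall (fail closed)

    def process(self, pkt: Packet) -> str:
        """Route one packet; returns 'fastpath', 'appid' or 'inspect'."""
        key = pkt[:5]
        if self.nic.handle(pkt):
            if pkt.fin:
                self.flows.pop(key, None)  # session end reported back so the firewall can close and log it
            return "fastpath"
        st = self.flows.setdefault(key, {"seen": 0, "app": "unknown", "decision": "pending"})
        st["seen"] += 1
        if st["decision"] == "pending":
            if st["app"] == "unknown":
                st["app"] = self.identify_app(pkt)
            if st["seen"] >= FIRST_PACKETS:  # decision point: keep inspecting on the firewall or offload
                if self.benefits_from_inspection(st["app"], pkt):
                    st["decision"] = "inspect"
                else:
                    st["decision"] = "offload"
                    self.stats["offloaded_flows"] += 1
                    self.nic.offload_flow(key)  # the rest of this session bypasses the firewall
            self.stats["appid"] += 1
            path = "appid"
        else:
            self.stats["inspect"] += 1  # full content inspection of a later packet
            path = "inspect"
        if pkt.fin:
            self.flows.pop(key, None)
        return path


def make_flow(src, dst, sport, dport, proto, first, rest, n):
    """Constructed n-packet session: one leading packet, then repeats, the last flagged fin."""
    mid = [Packet(src, dst, sport, dport, proto, rest) for _ in range(n - 2)]
    return [Packet(src, dst, sport, dport, proto, first)] + mid + [Packet(src, dst, sport, dport, proto, rest, True)]


def simulate() -> Dict[str, int]:
    nic = SmartNic()
    fw = Firewall(nic, decrypt_hosts={"10.0.0.5"})
    hello, appdata = b"\x16\x03\x01\x00\xc8", b"\x17\x03\x03\x00\x40"
    traffic = (  # constructed traffic mix, ten packets per session (not captured data)
        make_flow("192.0.2.10", "203.0.113.10", 50001, 443, "tcp", hello, appdata, 10)  # TLS, no decryption policy
        + make_flow("192.0.2.11", "10.0.0.5", 50002, 443, "tcp", hello, appdata, 10)  # TLS, decryptable
        + make_flow("192.0.2.12", "203.0.113.20", 50003, 80, "tcp", b"GET / HTTP/1.1\r\n", b"body", 10)
        + make_flow("192.0.2.13", "203.0.113.30", 50004, 5004, "udp", b"\x80\x60\x00\x01", b"\x80\x60\x00\x02", 10)
        + make_flow("192.0.2.14", "203.0.113.40", 50005, 9999, "tcp", b"\x00\x01\x02", b"\x00\x01\x02", 10)
    )
    for pkt in traffic:
        fw.process(pkt)
    return {**fw.stats, "fastpath": nic.fast_path_packets, "stale_offload_entries": len(nic.offloaded)}
```

Running simulate() sends the first three packets of all five sessions to the firewall, keeps the decryptable TLS, web-browsing and unknown sessions there for full inspection, and moves the undecryptable TLS and RTP sessions to the NIC, so 14 of the 50 packets never touch the firewall. Two design choices are worth noting: unidentified traffic stays on the firewall, a fail-closed choice for this illustration rather than a statement about the product, and the NIC entry is removed when the session ends, because a stale offload entry would let a later session that reuses the same 5-tuple bypass inspection.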
Offload Traffic, Onboard Benefits
With ITO in place, organizations securing hyperscale data center and service provider networks gain significant benefits:
Reduce CAPEX in high-throughput environments. Instead of deploying massive hardware firewalls sized for the full throughput of a service provider or hyperscale network, organizations can deploy VM-Series virtual NGFWs with ITO for a fraction of the cost.
Open new revenue opportunities for service providers. Because threat inspection can be enforced selectively per flow, advanced security can be offered to transit-network customers as an optional, value-add service.
Reduce risk by inspecting the traffic that is exposed to threats without compromising network and application performance: ITO keeps every flow that can be inspected on the firewall.
For more information and to learn how to get started, contact us.