We’ve attained a significant milestone in boosting firewall performance to maximize hyperscale data center and service provider security efficiency: VM-Series virtual firewalls now integrate with data processing units (DPUs) and smart network interface cards (SmartNICs), thanks to the just-released Intelligent Traffic Offload (ITO) service.
This means that organizations running these environments can improve VM-Series performance by up to five times, because ITO offloads the processing of encrypted traffic that does not benefit from security inspection to the DPU or SmartNIC instead of the firewall.
This is critical, because in service provider networks and hyperscale data centers, roughly 80% of traffic consists of flows that either cannot—or will not—benefit from security inspection. For example, a firewall cannot decrypt and inspect encrypted telco network application traffic between an end-user's device and Facebook. In order to inspect the 20% of traffic that can benefit from security inspection, the operator must deploy a firewall capable of handling the throughput of the total traffic or risk increasing network latency. Deploying enough large firewalls to support these enormous networks without sacrificing performance can make security cost prohibitive—until now.
In this blog, we will dive deep into how the Intelligent Traffic Offload service reduces the overall load on VM-Series firewalls and increases their performance, without sacrificing security efficacy.
Before we get into the details of how the new Intelligent Traffic Offload service works, let’s take a look at how software firewalls analyze traffic without the service. VM-Series inspects the first few packets of every flow to identify the application. Once the application is identified, two factors determine whether the VM-Series performs further content inspection:
If the session is identified as not requiring inspection, subsequent packets of that particular session will skip the content inspection step and be directed to the egress interface as shown below.
Figure 1: Security inspection with VM-Series virtual firewalls without Intelligent Traffic Offload enabled
In a typical enterprise environment all encrypted traffic is decrypted and inspected, so the percentage of traffic in these settings that will skip the content inspection step is negligible. But in hyperscale environments, such as service provider transit networks, a major portion of traffic cannot be—or need not be—inspected. There are two primary reasons for this:
So what happens in hyperscale data centers where large volumes of traffic need to be inspected—but only a minor portion of that traffic benefits from next-generation security inspection? Network security professionals end up making less-than-ideal tradeoffs. They can optimize for cost by not deploying next-generation firewalls. Alternatively, they can optimize for security by deploying large numbers of firewalls needed for inspecting every packet of every session, which can be prohibitively expensive. In either scenario, they’re not doing themselves or their organizations any favors.
With the new ITO service, VM-Series virtual NGFWs now eliminate the tradeoff between security and cost. ITO integrates with the industry’s leading DPUs and SmartNICs to improve virtual firewall performance by up to 5X with an elegant and cost-effective approach: traffic that does not benefit from security inspection is offloaded from the firewall to either adapter.
Here’s how it works: For each new flow on the network, ITO determines whether or not the flow can benefit from security inspection. The first few packets of the flow are routed to the firewall for inspection by ITO, which determines whether the session can benefit from content inspection. This part of the process is essentially the same as it always has been.
But if ITO determines the session does not benefit from content inspection, it instructs the DPU or SmartNIC, using OpenAPI, to forward subsequent packets of that session directly to their destination without sending them up to the VM-Series, as illustrated below.
Figure 2: ITO offload use case
In other instances where firewall traffic inspection is needed, ITO ensures VM-Series inspects all packets of such traffic flows, as seen below.
Figure 3: ITO firewall inspection use case
By only inspecting flows that can benefit from security inspection and offloading the rest of the flows to the DPU or SmartNIC, the overall load on the firewall is greatly reduced and performance increases without sacrificing the security posture.
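The decision path described above (first packets to the firewall for App-ID, then either keep inspecting or program the DPU/SmartNIC to forward the rest of the flow) as an added simulation; this is not Palo Alto Networks code, and the three-packet App-ID threshold, the app labels, and the shape of the NIC flow table are assumptions made for the example.

```python
# Constructed simulation of the ITO flow-offload decision path described above
# (not Palo Alto Networks code; the DPU API and packet counts are assumptions).
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

APPID_PACKETS = 3                     # assumption: packets needed to identify the app
OFFLOAD_APPS = {"undecryptable-tls"}  # assumption: apps that inspection cannot help

@dataclass
class Flow:
    verdict: str = "pending"          # pending -> inspect | offload
    seen: int = 0                     # packets that actually reached the firewall
    app: str = ""

@dataclass
class SmartNIC:
    """Stand-in for the DPU/SmartNIC flow table the firewall programs via its API."""
    rules: Set[str] = field(default_factory=set)
    forwarded: int = 0
    def forward(self, key: str) -> bool:
        # True when the NIC switches the packet itself, so it never reaches the firewall
        if key in self.rules:
            self.forwarded += 1
            return True
        return False

def classify(app: str) -> str:
    return "offload" if app in OFFLOAD_APPS else "inspect"

def process(packets: List[Tuple[str, str]], nic: SmartNIC):
    """Run (flow_key, app_label) packets through the NIC-first, firewall-second path."""
    flows: Dict[str, Flow] = {}
    inspected = 0
    for key, app in packets:
        if nic.forward(key):
            continue                  # offloaded flow: firewall CPU untouched
        flow = flows.setdefault(key, Flow())
        flow.seen += 1
        inspected += 1                # firewall does App-ID / content inspection
        if flow.verdict == "pending" and flow.seen >= APPID_PACKETS:
            flow.app, flow.verdict = app, classify(app)
            if flow.verdict == "offload":
                nic.rules.add(key)    # program the NIC: rest of flow bypasses firewall
    return flows, inspected

def demo():
    # constructed trace: flow A is undecryptable TLS, flow B is plain web traffic
    trace = [p for _ in range(10) for p in (("A", "undecryptable-tls"), ("B", "web-browsing"))]
    nic = SmartNIC()
    flows, inspected = process(trace, nic)
    return flows, inspected, nic.forwarded
```

Note that the firewall only ever sees the first three packets of flow A; counters and session logs for offloaded flows therefore have to come from the NIC, which is the operational caveat to check with any offload deployment.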
With ITO in place, organizations in need of securing their hyperscale data center and service provider networks can discover significant benefits:
For more information and to learn how to get started, contact us.