Evolving security requirements have led to increasing network traffic and more widespread adoption of 40+ Gbps core networking technologies. Many organizations have responded by scaling up their hardware, which is proving unsustainable: it produces complex, power-hungry virtualized systems, increases the impact of failures, and creates a single point of attack for DoS attacks. The answer: a network-based model for scaling a next-generation firewall (NGFW). This network-based, scaled NGFW approach to surpassing existing or future enterprise network security issues provides better performance, increased resiliency, and lower total cost of ownership (TCO).
“Devices don’t have to be massive to scale massively”
To meet current security requirements, many companies have deployed single, large platforms that consume large amounts of both rack space and power. These platforms cost more to purchase and operate, and they fail to deliver the reliability and security that organizations need. In most high availability setups, the failure of one large device results in a 50% reduction in capacity, and the device presents a single point for DoS attacks to target, increasing the likelihood of failures.
There is a better option. Network-based architecture allows NGFW platform deployments to be scaled infinitely while providing similar or better TCO, better performance, and increased resiliency to failures and attacks. A fully implemented architecture can comprise up to 16 fully active NGFW devices with up to 640 Gbps of DPI with failure modes that typically impact only n-1 of overall capacity.
With this type of architecture and the freedom to choose components based on price/performance, devices don’t have to be massive to scale massively.
Dell SonicWALL Firewall Sandwich
Dell Network Security solutions deliver unmatched price/performance by delivering strong security, low latency, and high throughput at an incredibly low TCO. This architecture provides extremely fast, extremely scalable Reassembly-free Deep Packet Inspection, SSL decryption threat protection, and easy dynamic management to address user privacy concerns. It provides N+1 redundancy (vs. 1+1) without reliance on High Availability clustering protocols.
Ingress and Egress layers are configured symmetrically (with dual Dell Networking S5000 Switches in the given diagram) to ensure persistent, identical packet flow since traffic can originate from either direction. Ingress and Egress connections can be made with 10 GbE or 40 GbE links and provide load balancing and persistence of a given flow to a specific firewall for DPI in the security layer. The security (firewall) layer in the given diagram utilizes three SuperMassive 9800 Firewalls deployed in an active configuration. The number of security layer devices can be scaled out as needed to meet performance or resiliency requirements, but a minimum of 2 is recommended for resiliency purposes. To determine the best size for your firewall cluster, view this sizing chart.
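The flow persistence described above depends on both switch layers mapping a flow and its return traffic to the same firewall. The following sketch is an added example, not Dell's code or the S5000's actual hashing algorithm: it assumes a direction-independent 5-tuple key and uses rendezvous hashing (a swapped-in technique) so that losing one firewall only moves the flows that device was carrying. The firewall names and sample flows are constructed.

```python
import hashlib
from ipaddress import ip_address

FIREWALLS = ["fw1", "fw2", "fw3"]  # hypothetical names for the three security-layer devices

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the two endpoints canonically so that
    a packet and its reply produce the same bytes on ingress and egress."""
    a = (int(ip_address(src_ip)), src_port)
    b = (int(ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def pick_firewall(flow, firewalls):
    """Rendezvous (highest-random-weight) hashing: score every active
    firewall against the flow key and pick the highest score."""
    key = flow_key(*flow)
    return max(firewalls,
               key=lambda fw: hashlib.sha256(fw.encode() + b"|" + key).digest())

def reverse(flow):
    """Return traffic for a flow: endpoints swapped, same protocol."""
    s_ip, s_port, d_ip, d_port, proto = flow
    return (d_ip, d_port, s_ip, s_port, proto)

def sample_flows(n):
    """Constructed sample: n TCP clients talking to one HTTPS server."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", 1024 + i, "203.0.113.10", 443, 6)
            for i in range(n)]

def moved_after_failure(flows, firewalls, failed):
    """Flows whose firewall changes once `failed` leaves the active set."""
    survivors = [fw for fw in firewalls if fw != failed]
    return [f for f in flows
            if pick_firewall(f, firewalls) != pick_firewall(f, survivors)]

if __name__ == "__main__":
    flows = sample_flows(3000)
    symmetric = all(pick_firewall(f, FIREWALLS) == pick_firewall(reverse(f), FIREWALLS)
                    for f in flows)
    moved = moved_after_failure(flows, FIREWALLS, "fw2")
    print(f"symmetric={symmetric} moved={len(moved)}/{len(flows)} after fw2 failure")
```

A plain `hash(key) % N` would also be symmetric with this key, but removing a device would then remap most flows rather than only those on the failed firewall, which breaks DPI state for sessions that were otherwise unaffected.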