Next Generation Firewall Features (NGFW)
Next Generation Firewall Features
The firewall may be the most important security device on your network, as the gatekeeper of what comes in and goes out of your network. Essentially, picking the appropriate size for your environment can make or break your network and security objectives.
Basically, when it comes to sizing a next-generation firewall, you should consider sizing of the following features.
connections per second which is also known as new sessions per second. CPS deals with how quickly the firewall can create and store new sessions that’s accepted by the firewall policy. The easiest place to determine your requirement would be from your current firewall, if you have one in place. For this, first count the total number of users on your network. Then get the total amount of devices without users.
This could be a IoT devices, servers, printers, phones and any other network device without users. You will have to make an assumption here and calculate that each user will use between 3 to 7 sessions per second and each device will use closer to 1 to 2 connections per second. Plus, don’t forget to consider potential growth in your users and devices so make sure that you have the needed requirement for that expected growth.
the most common place to start when sizing a NGFW is by looking at the total layer for throughput for a given device. But a common mistake is to not calculate traffic in every direction. For example, a 1Gb of a symmetrical circuit is commonly one gigabit down and one gigabit up. This means that on a fully saturated circuit, you can have up to two gigabits of theoretical throughput going through your firewall. Moreover, do not forget about internal only traffic such as Wi-Fi users hitting your DNS server or internal users hitting your intranet portal.
Property designed network should have segmentation between different networks which means that all traffic destined outside of that segment would hit the firewall policy and count towards your total throughput. Lastly, make sure you look at what kind of traffic type was used by the vendor in calculating their advertised throughput. Oftentimes, the vendors will advertise UDP with big packet sizes instead of TCP because they perform much better, but with the majority of your traffic probably being TCP your real world experience will be much less than what’s advertised by the vendor.
Firewall SSL Inspection
According to Google’s HTTPS encryption transparency report, 73 percent of pages loaded in Chrome used SSL which is 59 percent higher from a year ago. With that number, SSL inspection is becoming a standard for any network. Firewall SSL inspection usually comes in two forms: certificate inspection and deep packet inspection. Certificate inspection only inspects the SSL handshake so there’s usually not a big performance hit, because you’re not looking inside the SSL tunnel.
However, deep packet inspection actually performs a man-in-the-middle between the user and the server so this comes at a huge performance impact. When looking at any vendors SSL performance numbers, note of the cipher suite and packet size used for the performance number. Not all SSL numbers are measured equally and firewall vendors are notorious for posting weak ciphers and large packets to make their numbers look better than what you would get in the real world.
Firewall IPS and Malware Protection
Next-generation firewalls have a lot of great features like IPS, application identification, antivirus and many others however there is a performance cost for every feature that’s enabled in. Moreover, on Cisco Firepower family, every single feature required a specific Cisco license. Plus, some vendors have experienced as much as 82 percent drop by IPS and application identification and that wasn’t even including more resource-intensive web filtering and DLP.
Your first step is deciding on what features you need or plan to implement next decide where in your network those features will be enabled. For example, if you decide you need web filtering you only need to enable it on outbound web traffic if web traffic accounts for 40% of your total circuit and you have 1G circuit you would effectively need about 400 megabits of web filtering capabilities.
Although, the majority of vendors won’t have performance numbers for every permutation of next-gen features, instead they may have one performance numbers with several features enabled and call it something like either threat protection or threat prevention. This can vary from vendor to vendor so keep an eye out for what’s included in their terminology.
Firewall Maximum Sessions (Concurrent Sessions)
As their names imply this refers to the total number of firewall sessions a box can support. This can vary greatly from network to network depending on a number of different factors like traffic type, protocols, session time, users and many other factors. Thankfully, as technology has evolved, next-generation firewall vendors have added plenty of memories for most normal networks for their target market.