WHITEPAPER: Scaling Network Security (www.corsa.com)

Is Your Network Security Keeping Up? A Turnkey Approach to Scaling Inspection for High Capacity Networks



Introduction

From the SSL inspection gap to growing bandwidth needs and the move to the cloud, there are many current challenges with hardware-based network security appliances and their deployments. These challenges are not limited to next generation firewalls (NGFWs); similar challenges apply to other network security functions like intrusion prevention systems (IPS), web content filters (proxies), and any other network appliance that is deployed into the network for the purpose of inspecting traffic in-line.

It’s time to look at how we decouple the network from network security to build a dynamic security perimeter. In this paper, we’ll focus on north-south traffic enforcement for this ‘network perimeter’, but most of the discussion also applies to the many perimeters within the network, such as the edge of the data centre, the front of critical assets, or security zone interconnect points.

While some believe the “perimeter is dead”, most, if not all, organizations will have one for the foreseeable future, so you need a solution that allows you to scale it to your ever-growing traffic volumes. Read on to find out how horizontal, rather than vertical, scaling with a network security virtualization platform is the answer.


Contents

• Introduction
• The Network Security Dilemma
• A Network Security Transformation: Horizontally Scale and Virtualize
• Make it Turnkey: The Network Security Virtualization Platform
• Simplified Network Deployment
• Beyond Scale: Flexibility and the Power of the Cloud
• The Corsa Solution
• About Corsa


The Network Security Dilemma

The bottom line is that while networks have changed, network security has not. As a result, we are faced with a pressing question or two: how do you scale your network security for today’s traffic volumes and encryption without impacting network performance? And can you do it economically, too?

It’s clearly time to acknowledge that answering these questions with the same old solutions is not going to work. But to begin to find a solution, you have to clearly identify the problems.

Challenge 1: Performance

Networks are built to move packets as fast as possible. Networking devices (routers and switches) only deal with packet headers at Layer 2 and Layer 3, sometimes at Layer 4. That is why they can do everything at wire speed. However, when it comes to network security appliances, filtering at Layer 3 and Layer 4 isn’t sufficient. Security appliances absolutely must inspect the payload of the packet to determine whether the traffic should be permitted or blocked, and that presents a huge performance challenge.

The number of different things that a modern next generation firewall does is quite amazing: everything from VPN tunnel termination to in-line antivirus and malware detection, URL and content filtering, intrusion and threat prevention, and on and on. These are extremely complex functions that require a huge amount of processing power within the appliance.

However, we have seen that this complexity results in very unpredictable appliance performance. Time and time again some strange (and unanticipated) traffic negatively affects one of those inspection functions, which can bring the whole appliance to its knees. So network security teams spend countless hours tuning their appliances to balance the amount of inspection the appliance is doing against the network performance it is able to achieve. And despite their best efforts, they are always at risk of something unpredictable happening, like a new traffic pattern or a dynamic signature update, that severely degrades the security device’s performance.

Challenge 2: Static, Hardwired Architecture

The other major challenge is that the perimeters we are talking about are hardwired into the rest of the network. If a security device is bolted in-line, it must be able to process all the traffic that the router gives it. If it’s not able to, there usually isn’t anywhere else for the traffic to go. So the performance of the network is usually limited to the performance of the in-line security appliance.

In addition, as traffic levels rise, network teams must upgrade their firewalls just to keep up with the volume of traffic. This is now happening at such a rate that enterprises are struggling with this scale-up (or vertical scaling) approach.


Challenge 3: Encrypted Traffic

The network and security teams have been coping with the two challenges outlined above for many years, and have probably got quite good at both tuning their firewall performance and upgrading to a bigger appliance every few years. But there’s a new “killer app” in town that makes the first two challenges so much worse that a new approach is needed. That “killer app” is encrypted traffic.

With 70+% of all traffic in the network now encrypted and quickly moving towards 100%, security appliances are simply blind to what is inside those encrypted connections. Some appliances have the capability of decrypting that traffic in order to inspect it, but that functionality comes with a huge hit to overall throughput and inspection performance. For large volumes of traffic, no amount of tuning will help the appliance cope, and sizing up to an appliance that is able to inspect all the encrypted traffic is usually cost prohibitive because of the performance impact. So many network teams just leave the encrypted traffic uninspected, hoping for the best.

But leaving encrypted traffic uninspected isn’t a viable option anymore, if it ever was. More and more malware is encrypted, and data exfiltration tools are using encrypted tunnels. Even if we aren’t talking about outright badness in your network, decrypting your traffic may be vital to your normal policy enforcement. Network security appliances are increasingly relying on application identification for their policies. Security vendors are actively promoting converting firewall policies from simple port-based rules to more sophisticated application identification and content-based rules. There is definitely increased value in doing that, but most of it isn’t possible without decrypting the traffic first.

So, faced with these challenges, what is one to do?



A Network Security Transformation: Horizontally Scale and Virtualize

Let’s learn from the past and look at the history of how things have been scaled. In the beginning, most web applications were scaled up. If you needed a bigger database, you bought a bigger server. But as applications got really big, the scale-out (horizontal scaling) approach was adopted out of necessity; it would be impossible to build a web-scale application, like Facebook or Twitter for example, on a single server.

In fact, when it comes to scaling applications, large or small, people don’t even think about the scale-up approach anymore. Scaling out so the application is load balanced between as many workers as needed is the norm. The innovation lies in efficiently distributing the load between multiple systems rather than in trying to build an ever bigger single system. This applies to absolutely everything, from front end to middleware and messaging buses, to back end systems and databases. An added benefit is that no one system can ever be a bottleneck or a single cause of failure: you get built-in high availability.

There are a few things that made this approach possible for web applications and are now ripe for network security to leverage. To begin, there has been a lot of innovation in load balancing technologies that allow distributing the load between multiple systems. Multiple layers of load balancing are usually deployed. Users are first spread between multiple data centers, which is usually done based on geography using DNS. Then various server and application load balancing methods are used to spread the workload between as many workers as needed within the data center.

Secondly, we have now fully realized the commoditization of general purpose servers. Over the last decade server technology has become very cost effective, and it is very economical to buy more general purpose x86 CPUs for your applications as needed. The days of buying special dedicated hardware for your backend systems are gone.

The last, and one of the most important, developments is the improvement in virtualization and cloud technologies. These allow you to use your server resources a lot more efficiently because multiple applications are able to run on the same physical infrastructure. And with automation and orchestration tools both on-premise and in the cloud, scale-out architectures are now the only way of building any application out there.

So why are we still scaling network security up (vertically) instead of out (horizontally) when all the building blocks are available?


Make it Turnkey: The Network Security Virtualization Platform

All the building blocks are indeed available. But integrating the blocks with one another, then into the network security ecosystem, and then into the network, is necessary for the transformation to begin. When this is done right, users don’t have to worry about hardware, servers, capacity, specifying how much of one security appliance over another is needed, or what the impact on the network will be. Instead, it should be just like spinning up cloud storage, where, at the click of a mouse, virtual machines are spun up and down to process our request. It’s completely seamless, and we don’t even think about it.

For network security, we can do the same for large networks. In its best form, the network owner’s perimeter inspection need is completely abstracted away from the infrastructure and becomes a single click to select how much inspection capacity is required and when.

So let’s examine what is needed to create a fully turnkey network security virtualization platform that scales up virtualized firewall instances on demand to maintain 100% traffic inspection under all conditions (Figure 1).

Figure 1: The 4 components of a turnkey network security virtualization platform (diagram; component labels only)

1 The Load Balancer
2 Servers with Virtualization
3 Virtual Network Security Functions
4 Virtual Infrastructure Manager


Component 1: The Load Balancer

You would start with the right load balancing technology to split the traffic between security functions. This is quite different from server load balancing (or application delivery control, as some vendors prefer to call it). Server load balancing deals with client-server communication, where you are trying to distribute client connections between multiple servers. The easiest way is to pretend to be the target server that the client is trying to talk to, accept the connection, and then direct it to the actual “worker” doing the work.

The challenge is that this doesn’t quite work for network security. Network security devices are never the end point of communication. They are transit devices placed in-line that only inspect the traffic and then either forward it along or drop it based on policy or other inspection results. Traffic is rarely destined for the firewall itself.

In all fairness, there have been “firewall sandwich” topologies that allowed you to use server load balancers to distribute the load between firewalls. Those are usually hugely complex deployments involving special IP addressing and NAT, which makes them hard to scale beyond a handful of devices. This makes them unusable for scaling network security where dozens or even hundreds of workers are processing the traffic.

So what is needed is a specific kind of load balancer that is able to spread the traffic between in-line devices without having to terminate it.

• The ideal load balancer would have to operate at network speeds to process the traffic so that it doesn’t become another bottleneck in the architecture. In packet performance terms it would have to be similar to a switch or a router. It absolutely must support network speeds all the way to 100G to be viable for high speed networks.

• It would have to understand network flows in order to make sure that both ends of the same flow are directed to the same appliance for processing. This is critical to network security, since security devices track connections, and if they don’t see both sides, the connection is dropped.

• The load balancer would have to support splitting the traffic between virtual appliances, since that’s what we expect the workers to be given we are scaling out. More on the workers in the next section.

• With virtual appliances in mind, it would have to be able to monitor the health of the workers and automatically remove the ones that aren’t working from the traffic distribution pool. So having awareness of each worker as it relates to each physical port is extremely important.

• Finally, since we are load balancing connection-tracking devices, the load balancer itself must track connection state in order to minimize moving connections between workers. The load balancer must allow existing connections to complete on the worker they are already assigned to, and not move any in-flight connections to newly added workers. Without that capability, every time workers are added or removed the network connections would have to be re-established, which is inefficient and disrupts the user.
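As an added example (not Corsa’s code or the product’s algorithm), the following Python model implements the requirements listed above: a symmetric flow key so both directions of a connection reach the same worker, a worker pool with health-based removal, and a connection table that keeps in-flight flows pinned while workers are added or drained. Worker names and the sample 5-tuples are constructed for illustration.

```python
"""Flow-aware in-line load balancer model (added example, not Corsa's code).
Models the requirements above: symmetric flow hashing so both directions of a
flow hit the same worker, health-based removal, and a connection table that
pins in-flight flows (adding a worker moves nothing; draining one moves only
its flows). Worker names and 5-tuples are constructed; a real balancer would
also age out idle table entries.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def canonical(self) -> tuple:
        """Order the endpoints so A->B and B->A yield the same flow key."""
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        lo, hi = (a, b) if a <= b else (b, a)
        return (self.proto, lo, hi)


@dataclass
class FlowBalancer:
    workers: dict = field(default_factory=dict)  # worker name -> healthy?
    table: dict = field(default_factory=dict)    # flow key -> worker name

    def add_worker(self, name: str) -> None:
        self.workers[name] = True

    def mark_unhealthy(self, name: str) -> int:
        """Health check failed: drop the worker and re-home only its flows."""
        self.workers[name] = False
        victims = [k for k, w in self.table.items() if w == name]
        for k in victims:
            self.table[k] = self._pick(k)
        return len(victims)

    def _pick(self, key: tuple) -> str:
        """Rendezvous (highest-random-weight) hash over healthy workers, so a
        pool change only remaps flows that scored highest on the worker that left."""
        healthy = [n for n, ok in self.workers.items() if ok]
        if not healthy:
            raise RuntimeError("no healthy inspection workers in pool")
        def score(w: str) -> int:
            return int.from_bytes(
                hashlib.sha256(f"{w}|{key}".encode()).digest()[:8], "big")
        return max(healthy, key=score)

    def assign(self, pkt: FiveTuple) -> str:
        """Worker for this packet; a tracked flow stays where it started."""
        key = pkt.canonical()
        if key not in self.table:
            self.table[key] = self._pick(key)
        return self.table[key]


def demo() -> dict:
    lb = FlowBalancer()
    for w in ("vfw-1", "vfw-2", "vfw-3"):
        lb.add_worker(w)
    # 200 constructed client->server flows plus each server->client reply
    fwd = [FiveTuple("tcp", f"10.0.1.{i}", 40000 + i, "203.0.113.10", 443)
           for i in range(200)]
    rev = [FiveTuple("tcp", f.dst_ip, f.dst_port, f.src_ip, f.src_port)
           for f in fwd]
    before = {f.canonical(): lb.assign(f) for f in fwd}
    symmetric = all(lb.assign(r) == before[r.canonical()] for r in rev)
    lb.add_worker("vfw-4")                      # scale out: nothing moves
    after_add = {f.canonical(): lb.assign(f) for f in fwd}
    on_bad = sum(1 for w in after_add.values() if w == "vfw-2")
    moved = lb.mark_unhealthy("vfw-2")          # health check fails: drain
    after_drain = {f.canonical(): lb.assign(f) for f in fwd}
    return {
        "symmetric": symmetric,
        "pinned_on_scale_out": before == after_add,
        "moved_equals_bad_workers_flows": moved == on_bad,
        "drained": "vfw-2" not in after_drain.values(),
        "others_untouched": all(after_drain[k] == w
                                for k, w in after_add.items() if w != "vfw-2"),
    }
```

Every property in the dictionary returned by `demo()` should be true; an in-line balancer that fails the first one breaks stateful inspection even with a single worker.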



Component 2: Servers with Virtualization

As we discussed earlier, one of the crucial requirements of scale-out architectures is that they must run on general purpose x86 servers to be cost effective. Moving away from single purpose, dedicated hardware is a key aspect that allows you to build network security infrastructure able to process all the necessary encrypted traffic in a cost effective way.

However, it is well known that general purpose x86 servers are notoriously bad at network packet processing. But as we discussed earlier, the main purpose of network security appliances isn’t just to move packets, but rather to perform complex CPU-intensive functions like SSL/TLS decryption, application and content inspection, and threat prevention. Those are best suited for general purpose CPUs, especially as they become more and more complex.

It is also important to optimize networking performance as much as possible through the server hardware, so as not to lose any networking performance to packets being moved by software. Using the software switches that are typically part of every hypervisor isn’t a good option, so this is where SR-IOV technology comes in. It allows the system to dedicate network interface card resources directly to the virtual machine that is performing the work. The result is that network packets go directly from the physical interface to the network interface of the virtual machine, bypassing all processing in the hypervisor. This offers the best networking performance possible when it comes to moving packets through the server. Now all the server resources are concentrated on doing the inspection work rather than wasted on just moving packets.

Additionally, networking performance within the virtual machine can be further improved by technologies like DPDK and other packet acceleration techniques. These are specific to each virtual machine itself. The important point is that the SR-IOV setup described above ensures that the hypervisor doesn’t interfere with any packet handling by the VM. This setup therefore enables the highest possible networking performance for all virtual appliances.



Component 3: Virtual Network Security Functions

The next component of this architecture is the workers themselves. As we discussed earlier, the most cost effective way to do the work is on generic x86 servers, but since network security appliances are still mostly proprietary products, running the software directly on regular servers isn’t an option.

However, over the last few years, as virtualization technology matured, practically every security vendor has made their product available as a virtual function that is able to run in a private cloud. These virtual versions of the network security appliances are the workers that you scale out.

The added benefit of this approach is that it doesn’t change your security posture in any way. You maintain the same level of compliance and network security by using the virtual appliances from your favorite vendor. All the management tools and expertise that have been developed don’t change at all. The only thing that changes is the form factor. You are moving from a single physical appliance (or typically a pair) to as many virtual functions as you require to decrypt and process all the required traffic.

Finally, a most powerful aspect of using a virtual appliance is the ease of adopting an upgraded version of the product. Simply spin up a new software license and you have migrated to the latest and greatest firewall.

Component 4: Virtual Infrastructure Manager

Last but not least in our turnkey platform is the orchestration software that puts it all together. It is really important that all the infrastructure works as a single cohesive package without the user needing to deal with the complexities of the network, server and virtual machine plumbing underneath.

Public cloud offerings set the standard for how easy it should be to provision virtual resources. There’s no reason why private cloud network security virtualization should be any different.

A virtual infrastructure manager pulls together all parts of this turnkey platform. From simply spinning up and down the virtual appliance instances to tying them into the security policy manager, and from configuring the required load balancing and network connectivity to providing a single pane of glass view of what is happening inside, the virtual infrastructure manager does it all. With a single click of a button, you can add more resources as your traffic inspection needs grow without having to worry about how to plumb it all together. It pushes all the necessary configuration into the appliances that ties them directly into the policy manager. All you have to do is provide the appropriate licenses for the virtual functions.


Simplified Network Deployment

But how is this platform deployed in the network? From the network perspective this solution is deployed as a virtual wire. The load balancer works in a virtual wire mode, as do the virtual security functions. The SR-IOV technology on the hypervisor also makes it simple to build, extend and tear down virtual wires.

The main reason why this solution must work as a virtual wire is that it is the only way to allow both scaling out and scaling back in. In virtual wire mode, when the work is distributed it doesn’t matter whether you have 20 virtual wires or 50 virtual wires. From the switching and routing perspective everything still looks the same. Addresses don’t change. Neither do VLANs or any other parts of your network. Nobody gets confused. It’s simple to deploy, and simple to troubleshoot.

In any other deployment mode, like routed or NAT mode for example, where each of the VMs has multiple IP addresses, going beyond a handful of devices would be infinitely complex. As we have seen with “firewall sandwiches”, trying to scale out even with a handful of devices is very complicated and prone to problems. In a dynamic environment where you want to spin up resources with a click of a button, all of a sudden you have to signal topology and routing changes to the rest of the network, and make sure all those changes have propagated and converged properly.

This discussion is specific to north-south perimeter deployments, where trying to scale out traffic processing with dozens if not hundreds of virtual appliances in routed mode is just not feasible. It should be noted that for other use cases, such as east-west microsegmentation, routed deployment mode may be applicable, even as you distribute things between a large number of hosts.



Beyond Scale: Flexibility and the Power of the Cloud

Besides affording the scale you expect with virtualization, the platform provides unparalleled levels of flexibility that weren’t possible with dedicated hardware appliances. Because network security functions are virtualized, switching to different functions and between different offerings can be as easy as shutting down old virtual appliances and starting new ones. The same goes for software upgrades.

It is also possible to mix and match vendors. You can have one department or tenant using one vendor and another tenant using a different one. When it comes to new vendor testing and adoption, this capability can be extremely valuable. Testing and running services in parallel, with full control of which traffic is directed to which set of virtual appliances, is something that was never possible before. You don’t have to do forklift upgrades and hard cut-overs anymore.

Last, but not least, this allows you to convert to a cloud-like OPEX-based consumption model with monthly subscription pricing based on the traffic inspection capacity you require. You can consume your on-premise network security on a pay-as-you-grow basis, just like any other cloud based service.

Figure 2: Software-defined Network Security for flexibility and efficiency (diagram; labels only: Public Internet, Turnkey Network Security Virtualization, Software Defined Firewall, SSL/TLS Visibility, Enterprise Network)


The Corsa Solution

Corsa Security offers the only turnkey network security virtualization platform that scales your network security at any perimeter. By running virtual network security functions from our partner ecosystem on general purpose x86 servers, Corsa is able to deliver unlimited scale to any network security application using this private cloud approach. With true horizontal scale of your traffic inspection you can enable all the necessary inspection functions, including such “killer apps” as SSL visibility.

Corsa provides all the necessary network, server, load balancing and management components in a turnkey hyperconverged infrastructure (HCI) package. When more capacity is needed, it’s just a matter of ordering it with a single click. This turnkey platform can be deployed in minutes and is transforming traditional network security into software-defined network security. It allows you to have a private cloud-like experience for your network security so you can inspect all your traffic, all the time. Say good-bye to the SSL inspection gap and examine 100% of your traffic.

Figure 3: Corsa Red Armor Turnkey Network Security Virtualization Platform (diagram; labels only: Virtual NGFW Functions, BYOL (Bring Your Own License): Virtual Firewall Function, Firewall Policy Manager; Corsa Supplied and Maintained: Turnkey Network Security Virtualization Platform, High Capacity vNGFW, Network, Load Balancer, Server, Hypervisor, Virtual Appliance Image, Virtualized Infrastructure Manager)


About Corsa

Corsa Security is leading the transformation of network security with a private cloud approach that helps large enterprises and service providers scale network security services with unwavering performance, unparalleled flexibility and unmatched simplicity. By leveraging unique networking expertise and proven virtualization technologies, Corsa Red Armor is a turnkey network security virtualization platform that you order with one click, deploy in minutes and pay-as-you-grow to scale traffic inspection for 100% visibility and better ROI compared to existing approaches.

To start on your software-defined network security journey, visit corsa.com.

11 Hines Rd. Suite 2032Ottawa, ON Canada K2K 2X1 613 287 0393

[email protected] www.corsa.com

For more information about our solutions, please contact Corsa today.


WP-CDD0013-000, Rev 001