Next-Generation Firewall Buyer's Guide: SonicWALL
E-Class appliances use reassembly free deep packet inspection to deliver speedy application intelligence and control.
As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.
In this EnterpriseNetworkingPlanet buyer's guide, we examine capabilities and features offered by SonicWALL E-Class Network Security Appliances. Dmitriy Ayrapetov, SonicWALL Network Security Product Line Manager, compares traditional firewall inspection to matching baggage tags against passenger IDs. "We look inside those bags – inspecting packet payload – so that admins can create policies that say I don't want P2P apps on my net rather than hunting for ports being used by P2P."
Playing by new rules
"A traditional firewall blocks port 21 to stop FTP, but it's trivial for applications to change ports," explained Ayrapetov. "The recent move to put applications through web browsers also collapsed everything onto ports 80 and 443. To a traditional firewall, that all looks the same. But an NGFW matches traffic to applications, regardless of port. For example, if you want to allocate bandwidth to streaming video, an NGFW will do the work to fingerprint and apply your policy to it."
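The port-independent matching Ayrapetov describes above, as an added illustration that is not SonicWALL's code (the page does not describe RFDPI internals): a constructed set of first-packet flows is classified once by destination port and once by payload fingerprint, and a "block P2P" policy is applied both ways. The fingerprints are real but simplified, and the sample flows are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """First client-to-server payload of a TCP session (constructed sample)."""
    dst_port: int
    payload: bytes


# What a port-based rule "knows": well-known port -> application.
PORT_TABLE = {21: "ftp", 22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(flow: Flow) -> str:
    """Traditional firewall view: the destination port *is* the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """NGFW-style view: identify the application by its on-the-wire
    fingerprint and ignore the port entirely (simplified signatures)."""
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):                  # BT peer handshake
        return "bittorrent"
    if p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-"):   # SSH version banner
        return "ssh"
    # TLS record: type 0x16 (handshake), version 0x03xx, handshake type 0x01 = ClientHello
    if len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    if HTTP_REQ.match(p):                                         # plain HTTP request line
        return "http"
    return "unknown"


def policy_verdicts(flows, blocked) -> list:
    """For each flow, (verdict from the port rule, verdict from the payload rule)."""
    def verdict(app):
        return "block" if app in blocked else "allow"
    return [(verdict(classify_by_port(f)), verdict(classify_by_payload(f))) for f in flows]


# Constructed sample flows: three applications moved off their usual ports, one on its own.
SAMPLE_FLOWS = [
    Flow(80,   b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),            # P2P hiding on 80
    Flow(2222, b"SSH-2.0-OpenSSH_8.9\r\n"),                                        # SSH on an odd port
    Flow(8443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32),  # TLS on 8443
    Flow(80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),        # ordinary web
]

if __name__ == "__main__":
    for flow, (by_port, by_payload) in zip(SAMPLE_FLOWS, policy_verdicts(SAMPLE_FLOWS, {"bittorrent"})):
        print(f"port {flow.dst_port:5d}: port rule sees {classify_by_port(flow):10s} -> {by_port:5s} | "
              f"payload sees {classify_by_payload(flow):10s} -> {by_payload}")
```

The port rule lets the BitTorrent handshake through as "http" while the payload rule blocks it; the same flows also show why the NGFW has to read every byte rather than just the header.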
But Ayrapetov notes there is a price to be paid for these capabilities: computing power. "A traditional firewall only has to look at 1 percent of the traffic: packet headers. An NGFW must look at 100 percent of the traffic: application content. What differentiates products is doing application inspection with reasonable performance and security effectiveness," he said.
Initially, SonicWALL focused on securing SMBs, but has since invested in scalability to meet larger enterprise requirements. "We re-engineered our appliances to go multi-core – our NGFWs can go up to 96 cores," said Ayrapetov. "We don't rely on proxies because they're very slow; we use Reassembly-Free Deep Packet Inspection (RFDPI). This gives us an extremely low latency engine that we can use to deliver a breadth of products – from small office NGFW, up to our SuperMassive."
Under the hood
In fact, SonicWALL sells several very different firewall families. The flagship SuperMassive E10000 series is a chassis housing six 10-GigE SFP+ and sixteen 1-GigE SFP ports and up to 96 processors, firewalling traffic at rates up to 40 Gbps. Throughput drops to 30 Gbps when optional Application Intelligence and IPS services are enabled, or 10 Gbps with full Anti-Malware. But that's still faster than many others claim for basic firewalling.
For large enterprises with more modest needs, SonicWALL offers the E-Class Network Security Appliance (NSA) series. This 1U family tops out with the NSA E8510, equipped with two SFP+ ports and four 10/100/1000 GigE ports to firewall at rates up to 8 Gbps (3.7 Gbps IPS, 2.2 Gbps RFDPI). E-Class NSA appliances support load balancing, ISP failover, and active/active RFDPI for high availability and clustering.
However, don't confuse these E-Class NSA appliances (MSRP $9,995 to $39,995) with SonicWALL's "regular" NSA line of UTM firewalls, designed and priced for small-to-midsize offices and businesses.
Using services to drill deeper
Out of the box, all E-Class NSA appliances can perform stateful packet inspection and RFDPI. À la carte service modules add Application Intelligence and Control, IPS, Anti-Virus, Anti-Spyware, Content & URL Filtering, and SSL Inspection.
"On a SonicWALL, you can do IPS, you can look inside SSL traffic, you can fingerprint traffic and take apart whatever is coming in over any port," said Ayrapetov. "We have real-time monitoring so that you can log into a SonicWALL [from a central console], see traffic in real-time, spot a problem, create a new rule to block that application, and immediately see the results."