Next-Generation Firewall Buyer's Guide: SonicWALL_2
As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.
In this EnterpriseNetworkingPlanet buyer's guide, we examine capabilities and features offered by SonicWALL E-Class Network Security Appliances. Dmitriy Ayrapetov, SonicWALL Network Security Product Line Manager, compares traditional firewall inspection to matching baggage tags against passenger IDs. "We look inside those bags – inspecting packet payload – so that admins can create policies that say I don't want P2P apps on my net rather than hunting for ports being used by P2P."
Playing by new rules
"A traditional firewall blocks port 21 to stop FTP, but it's trivial for applications to change ports," explained Ayrapetov. "The recent move to put applications through web browsers also collapsed everything onto ports 80 and 443. To a traditional firewall, that all looks the same. But an NGFW matches traffic to applications, regardless of port. For example, if you want to allocate bandwidth to streaming video, an NGFW will do the work to fingerprint and apply your policy to it."
But Ayrapetov notes there is a price to be paid for these capabilities: computing power. "A traditional firewall only has to look at 1 percent of the traffic: packet headers. An NGFW must look at 100 percent of the traffic: application content. What differentiates products is doing application inspection with reasonable performance and security effectiveness," he said.
Initially, SonicWALL focused on securing SMBs, but has since invested in scalability to meet larger enterprise requirements. "We re-engineered our appliances to go multi-core – our NGFWs can go up to 96 cores," said Ayrapetov. "We don't rely on proxies because they're very slow; we use Reassembly-Free Deep Packet Inspection (RFDPI). This gives us an extremely low latency engine that we can use to deliver a breadth of products – from small office NGFW, up to our SuperMassive."
Under the hood
In fact, SonicWALL sells several very different firewall familes. The flagship SuperMassive E10000 series is a chassis housing six 10-GigE SFP+ and sixteen 1-GigE SFP ports and up to 96 processors, firewalling traffic at rates up to 40 Gbps. Throughput drops to 30 Gbps when optional Application Intelligence and IPS services are enabled, or 10 Gbps with full Anti-Malware. But that's still faster than many others claim for basic firewalling.
For large enterprises with more modest needs, SonicWALL offers the E-Class Network Security Appliance (NSA) series. This 1U family tops out with the NSA E8510, equipped with two SPF+ ports and four 10/100/1000 GigE ports to firewall at rates up to 8 Gbps (3.7 Gpbs IPS, 2.2 Gbps RFDPI). E-Class NSA appliances support load balancing, ISP failover, and active/active RFDPI for high-availability and clustering.
However, don't confuse these E-Class NSA appliances (MSRP $9,995 to $39,995) with SonicWALL's "regular" NSA line of UTM firewalls, designed and priced for small-to-midsize offices and businesses.
Using services to drill deeper
Out of the box, all E-Class NSA appliances can perform stateful packet inspection and RFDPI. A la carte services modules can perform Application Intelligence and Control, IPS, Anti-Virus, Anti-Spyware, Content & URL Filtering, and SSL Inspection.
"On a SonicWALL, you can do IPS, you can look inside SSL traffic, you can fingerprint traffic and take apart whatever is coming in over any port," said Ayrapetov. "We have real-time monitoring so that you can log into a SonicWALL [from a central console], see traffic in real-time, spot a problem, create a new rule to block that application, and immediately see the results."
Administrators can use SonicWALL's Application Intelligence and Control service to define rules consisting of primitives: applications, users, groups, schedules, and actions. "Our actions include things like bandwidth management, so that you can block gaming except at lunchtime, when you allow but bandwidth-restrict certain groups and users, while still blocking other aspects of those applications," said Ayrapetov. "We provide administrators with tools; it's up to them to decide what's good for their own businesses."
Keeping up with threats
SonicWALL develops all of its own signatures for application fingerprinting, IPS, and AV. "We have a large research team and a GRID Network lab," explained Ayrapetov. "We learn a lot about IP reputation and get a lot of malware samples from our customers. We participate in industry consortiums and partner with other companies, but all R&D is in-house. We get our performance by coding very low to the metal."
However, this means that SonicWALL R&D must keep pace with a fast-growing wave of new applications. "We have over 3500 application signatures now; that covers the majority of applications found on networks today. But yes there will always be new applications we don't yet have. We rely on customer feedback and our security team to identify things like new Flash protocols or new BitTorrent protocols or clones of existing applications," said Ayrapetov.
According to Ayrapetov, SonicWALL's R&D team generates its own traffic samples to create new signatures. But SonicWALL also provides an "administrative window" into DPI, exposing information that customers can use to create their own signatures – hex strings that are pattern-matched against application streams. "This can also be used as a Data Leak Prevention (DLP) mechanism, checking for watermarks to block [sensitive documents]," he said.
Fitting SonicWALL into your network
Most E-Class NSA appliances are deployed as security gateways, replacing another firewall. However, customers that have invested another vendor's infrastructure may be reluctant to replace their firewall. To help these customers tap NGFW services, E-Class NSA appliances can be deployed as "bumps in the wire."
"We realize that SuperMassive or E-Class NSA deployment won't happen over the weekend. Customers want to see how our firewall is doing. We can start in bypass mode, acting like switch, to help customers gain confidence. We can then go into inspect mode, copying traffic to cores and security engines, listening to show what would have blocked. Once customers know what policies they want, they can go into protect mode by applying actions within policies," explained Ayrapetov.
SuperMassive can be scaled by adding cards to the chassis as performance needs grow, such as in a telco or large university network. E-Class NSA models vary in number of cores and throughput/connection capacity; they should be selected to meet anticipated traffic loads for each environment. However, all E-Class NSA models can be administered consistently, through SonicWALL's central management console.
When the firewall industry moved towards IP/port-independent application inspection, SonicWALL leveraged its reassembly free deep packet inspection technology, quickly adding application control and threat intelligence to the mix – albeit using a la carte service modules that raise a deployment's overall sticker price.
Given its SMB roots, SonicWALL has worked hard to deliver NGFW visibility and control while keeping its firewalls relatively fast and easy to administer. "We think NGFW is about making the network more effective and increasing employee efficiency," said Ayrapetov. To learn more about SonicWALL's NGFW families, visit this link.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.