There was a time when the only reasonable way to defend a data center perimeter was with a conga line of security appliances. That line might be getting a little shorter if F5 Networks has anything to say about it.
F5 is best known for their product portfolio of application delivery controllers (ADC), known as the BIG-IP product family. Those products are all powered by the traffic management operating system (TMOS) that is now certified by testing vendor ICSA Labs as a firewall. According to F5, the new certification provides validation for the use of ADCs as firewalls to help secure data center assets.
Mark Vondemkamp, director of Product Management at F5, explained that prior to the certification there were customers using BIG-IP ADCs as firewalls, which perform stateful packet inspection in order to mitigate the risk of open ports and rogue traffic. The new certification from ICSA Labs means that BIG-IP can now be considered as a legitimate firewall for PCI-DSS and other security compliance requirements.
“What we’re opening up is a bigger base of potential customers that are really looking for that third party accreditation,” Vondemkamp said.
Going a step beyond the basic firewall definition of packet inspection, TMOS also provides what F5 refers to as dynamic threat defense (DTD). Using F5’s iRule scripting, a data center administrator can write code to address any number of new and emerging threats as they arise.
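As an added illustration of the scripting approach described above (example code, not F5’s own), the following iRule refuses connections from sources listed in an address data group and rejects any source that opens more than 200 new connections in a fixed 10-second window. The data group name dtd_blocked_addrs, the key prefix and the thresholds are assumptions chosen for the example.

```tcl
# Added example, not F5's own code. Assumes a virtual server with this iRule
# attached and an address-type data group named "dtd_blocked_addrs"
# (hypothetical name) holding sources an operator has chosen to refuse.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]

    # Refuse sources that appear in the blocklist data group.
    if { [class match $src equals dtd_blocked_addrs] } {
        log local0. "DTD: rejecting blocklisted source $src"
        reject
        return
    }

    # Per-source new-connection rate limit kept in the session table.
    # "table incr" creates the counter on first use and returns the new value.
    set key "dtd_conn_rate:$src"
    set count [table incr $key]
    if { $count == 1 } {
        # First connection from this source: give the counter a fixed
        # 10 s lifetime so the window does not slide with each new hit.
        table lifetime $key 10
    }
    if { $count > 200 } {
        log local0. "DTD: $src opened $count connections in 10 s, rejecting"
        reject
        return
    }
}
```

Rejected sources show up in the local log, so the same rule doubles as a detection signal for the operations team.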
While DTD goes beyond the traditional firewall, it’s still not a full intrusion prevention system (IPS) as required for full PCI-DSS compliance. “We’re focusing on a subset of IPS and we don’t have IPS completely yet implemented in the product,” Vondemkamp said.
The use case that F5 sees for its ADC-as-a-firewall is when an appliance is placed in front of Internet-facing Web applications. Vondemkamp added that for PCI environments, data centers would need to include another vendor to get the IPS capabilities.
In recent years there has been a move towards what analysts refer to as next generation firewalls (NGFW) that provide both firewall and IPS capabilities. IPS vendor Sourcefire recently debuted its NGFW system with the 3D8250 NGFW that provides up to 20 Gbps of packet inspection.
F5’s firewall capabilities are powered by its TMOS system, which runs on all of its products, both physical and virtual. The high-end BIG-IP 11050 appliance can handle 42 Gbps of throughput and a maximum of 24 million concurrent connections. The Viprion 4400 ADC chassis is the top end and can deliver up to 72 Gbps of throughput, with a capacity of 48 million concurrent connections.