Sep 12, 2018

Getting the Right Firewall Protection for Your Data Center


The explosive growth in data creation and data storage is set to continue, with Asia Pacific’s data center market increasing significantly and even surpassing the European market by 2021, according to Cushman & Wakefield. The surge in data consumption in the region is currently driving the increase, and mobile data usage has increased in Asia Pacific in recent years. In 2016, Asia Pacific achieved 3,109,117 terabytes in monthly mobile data consumption, and is expected to reach 22,845,908 terabytes per month in 2021. This article looks into the key features and benefits of the right firewall to protect your data center.

With traffic explosively increasing, network firewalls need to have powerful capabilities to handle high traffic and massive concurrent user access, as well as the ability to effectively cope with sudden bursts of user activity. In fact, data center firewalls must not only have high throughput but also extremely high concurrent connections and new session processing capabilities.

It is crucial for a data center firewall to adopt an innovative, fully distributed architecture that implements distributed high-speed processing of service traffic across the network.

Resource management algorithms realize the full potential of distributed multi-core processor platforms, further increasing firewall performance for concurrent connections and new sessions per second, and achieving fully linear scaling of system performance. The data center firewall should ideally process up to 1 Tbps, up to 10 million new sessions per second, and up to 480 million concurrent connections. Ideally the device can provide up to 44 100GE interfaces, 88 10GE interfaces, or 22 40GE interfaces, with expansion capability for 132 10GE interfaces. A packet forwarding time of less than 10 µs fully meets a data center’s demand for real-time service.

Carrier Grade Reliability

The hardware and software of the data center firewall should deliver 99.999% carrier-grade reliability and support active / active or active / passive mode redundant deployment solutions to ensure uninterrupted service during single failure. The adoption of a modular design, supporting control module redundancy, service module redundancy, interface module redundancy and switching module redundancy is key, as is all modules being hot-swappable.

The data center firewall should support multi-mode and single-mode port bypass modules, so that when the device is running under special conditions such as a power-off, the system starts in bypass mode and services continue uninterrupted. Power redundancy, fan redundancy and redundancy of other key components further guarantee reliability.

Twin-mode High Availability (HA) effectively solves the problem of asymmetric traffic in redundant data centers. Twin mode is a highly reliable networking mode that builds on dual-device backup: two sets of active / passive firewalls in the two data centers are connected via a dedicated data link and control link, allowing the two sets of devices to synchronize session information and configuration information with each other.
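The asymmetric-traffic problem described above, as an added illustration that is not code from the article or any vendor: two stateful firewalls, one per data center, share session state over a control link, so a reply that returns through the other data center matches an existing session rather than being dropped. The `Firewall`, `Packet` and `asymmetric_flow` names, the trusted intranet prefix `10.` and the addresses used are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Added illustration (not from the article or any vendor): two stateful
# firewalls, one per data center, that synchronise session state over a
# control link so that a reply arriving at the other data center
# (asymmetric routing) matches an existing session instead of being dropped.

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Firewall:
    name: str
    trusted_prefix: str = "10."            # constructed: the intranet side
    peer: Optional["Firewall"] = None      # control-link partner, if twinned
    sessions: Set[FlowKey] = field(default_factory=set)

    def install(self, key: FlowKey, from_peer: bool = False) -> None:
        """Record a session locally and, when twinned, push it to the peer."""
        self.sessions.add(key)
        if self.peer is not None and not from_peer:
            self.peer.install(key, from_peer=True)

    def process(self, p: Packet) -> str:
        forward_key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        reverse_key: FlowKey = (p.dst, p.dport, p.src, p.sport)
        # Either direction of a known session is allowed through.
        if forward_key in self.sessions or reverse_key in self.sessions:
            return "forward"
        # Only a fresh SYN from the trusted side may open a new session.
        if p.syn and not p.ack and p.src.startswith(self.trusted_prefix):
            self.install(forward_key)
            return "forward"
        return "drop"


def asymmetric_flow(twin_mode: bool) -> Tuple[str, str]:
    """Outbound SYN leaves via DC1; the SYN-ACK returns via DC2."""
    dc1, dc2 = Firewall("dc1"), Firewall("dc2")
    if twin_mode:
        dc1.peer, dc2.peer = dc2, dc1
    syn = Packet("10.1.1.5", 40000, "203.0.113.10", 443, syn=True)
    syn_ack = Packet("203.0.113.10", 443, "10.1.1.5", 40000, syn=True, ack=True)
    return dc1.process(syn), dc2.process(syn_ack)


if __name__ == "__main__":
    print("twin mode:", asymmetric_flow(True))    # ('forward', 'forward')
    print("no sync  :", asymmetric_flow(False))   # ('forward', 'drop')
```

Without the control link the second firewall has no record of the outbound session, so the legitimate SYN-ACK is treated as an unsolicited inbound packet and dropped; the session sync is what makes the redundant pair behave as one firewall.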

Leading virtual firewall technology

Virtualization technology is becoming more and more common in data centers. The data center firewall should be able to logically divide a physical firewall into upwards of 1000 virtual firewalls to meet a data center’s virtualization needs, providing virtual firewall support capabilities for large data centers. At the same time, users should be able to dynamically set resources for each virtual firewall based on actual business conditions, such as CPUs, sessions, number of policies, ports, etc., to accommodate changing service traffic in a virtualized environment. Each virtual firewall should not only have independent system resources but also be individually and granularly managed, providing independent security management planes for different services or users.

The firewall should also provide intrusion prevention technology based on deep application identification, protocol detection, and attack principle analysis. It should effectively detect threats such as Trojans, worms, spyware, vulnerability attacks, and escape (evasion) attacks, and provide users with L2-L7 network security. A web protection function should meet the deep security protection requirements of web servers, while a botnet filtering function protects internal hosts from infection.

It is important that the firewall supports URL filtering backed by a signature library of tens of millions of URLs. This helps administrators easily implement web browsing access control and block threat infiltration via malicious URLs.

The firewall should also come with intelligent bandwidth management based on deep application identification and user identification. Combined with service application priorities, the firewall should be able to implement fine-grained, two-layer, eight-level traffic control based on policies and provide elastic QoS functions. Used with functions such as session restrictions, policies, routing, link load balancing, and server load balancing, this means the firewall would be able to provide users with more flexible traffic management solutions.
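The two-layer traffic control mentioned above, as an added illustration that is not code from the article or any vendor: layer 1 is one token bucket per application priority level (eight levels, 0 being the highest), layer 2 is a single bucket for the whole link, and a packet is sent only when both its class bucket and the link bucket can pay for it. The `TokenBucket`, `TwoLayerShaper` and `demo` names and the rates, bursts and packet sizes are constructed for this example; only two of the eight levels are populated in the demo.

```python
from typing import Dict, List, Tuple

# Added illustration (not from the article or any vendor): a two-layer
# token-bucket shaper. Each priority class (0 = highest of eight) has its
# own bucket; the link has one more. Classes are served in strict priority
# order, and a packet goes out only if both buckets can pay for it.


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int) -> None:
        self.rate = rate_bps / 8.0        # tokens (bytes) added per second
        self.burst = burst_bytes          # bucket capacity
        self.tokens = float(burst_bytes)  # start full

    def refill(self, seconds: float) -> None:
        self.tokens = min(self.burst, self.tokens + self.rate * seconds)

    def can_send(self, size: int) -> bool:
        return self.tokens >= size

    def spend(self, size: int) -> None:
        self.tokens -= size


class TwoLayerShaper:
    def __init__(self, link_bps: float, link_burst: int,
                 class_limits: Dict[int, Tuple[float, int]]) -> None:
        self.link = TokenBucket(link_bps, link_burst)
        # class_limits: priority (0..7) -> (rate in bit/s, burst in bytes)
        self.classes = {p: TokenBucket(r, b) for p, (r, b) in class_limits.items()}

    def refill(self, seconds: float) -> None:
        self.link.refill(seconds)
        for bucket in self.classes.values():
            bucket.refill(seconds)

    def serve(self, queues: Dict[int, List[int]]
              ) -> Tuple[Dict[int, List[int]], Dict[int, List[int]]]:
        """One scheduling round: returns (sent, held) packet sizes per class."""
        sent: Dict[int, List[int]] = {}
        held: Dict[int, List[int]] = {}
        for prio in sorted(queues):                 # strict priority: 0 first
            if prio not in self.classes:
                raise ValueError(f"no policy for priority level {prio}")
            bucket = self.classes[prio]
            for size in queues[prio]:
                if bucket.can_send(size) and self.link.can_send(size):
                    bucket.spend(size)
                    self.link.spend(size)
                    sent.setdefault(prio, []).append(size)
                else:
                    held.setdefault(prio, []).append(size)
        return sent, held


def demo() -> Tuple[Dict[int, List[int]], Dict[int, List[int]]]:
    # Constructed policy: 10 KB link burst; level 0 (latency-sensitive) capped
    # at a 4 KB burst, level 7 (bulk) allowed 8 KB but served last.
    shaper = TwoLayerShaper(link_bps=80_000, link_burst=10_000,
                            class_limits={0: (32_000, 4_000), 7: (64_000, 8_000)})
    return shaper.serve({0: [3_000, 3_000], 7: [5_000, 5_000]})


if __name__ == "__main__":
    sent, held = demo()
    print("sent:", sent)   # {0: [3000], 7: [5000]}
    print("held:", held)   # {0: [3000], 7: [5000]}
```

In the demo the second level-0 packet is held by its own class limit even though the link still has capacity, and the second level-7 packet is held by both limits; the class layer caps what any one application can take, the link layer caps the total.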

Strong network adaptability

It is key to fully support next-generation Internet deployment technologies (including DNS64 / NAT64 and other transitional technologies). NAT444 capability supports the static mapping of fixed port blocks on external network addresses to intranet addresses, and logs can be generated per session and per user for easy traceability. Enhanced NAT functions (full-cone NAT, port multiplexing, etc.) can fully meet the requirements of current ISP networks and reduce the cost of user network construction.
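The static port-block mapping and traceability logging described above, as an added illustration that is not code from the article or any vendor: each intranet host owns a fixed block of ports on one external address, so an external (address, port) pair seen in a log traces back to exactly one intranet host, and a session log record can carry both sides of the translation. The address ranges, block size, function names (`map_host`, `trace`, `session_log`) and log format are constructed for this example.

```python
import ipaddress
from typing import Tuple

# Added illustration (not from the article or any vendor): deterministic
# port-block NAT444. Each intranet host owns a fixed block of ports on one
# external address, so a logged external (address, port) pair traces back
# to exactly one intranet host without logging every translation.

INTERNAL = ipaddress.ip_network("10.0.0.0/24")      # constructed intranet range
EXTERNAL_POOL = [                                    # constructed public pool
    ipaddress.ip_address("203.0.113.1"),
    ipaddress.ip_address("203.0.113.2"),
]
PORT_MIN, PORT_MAX = 1024, 65535                     # well-known ports excluded
BLOCK_SIZE = 2048                                    # ports per intranet host
BLOCKS_PER_EXTERNAL = (PORT_MAX - PORT_MIN + 1) // BLOCK_SIZE   # 31


def capacity() -> int:
    """How many intranet hosts this pool can serve with fixed blocks."""
    return len(EXTERNAL_POOL) * BLOCKS_PER_EXTERNAL


def map_host(internal: str) -> Tuple[str, int, int]:
    """Static mapping: intranet host -> (external address, first port, last port)."""
    host = ipaddress.ip_address(internal)
    if host not in INTERNAL:
        raise ValueError(f"{internal} is outside {INTERNAL}")
    index = int(host) - int(INTERNAL.network_address)
    if index >= capacity():
        raise ValueError("external pool exhausted; add addresses or shrink blocks")
    external = EXTERNAL_POOL[index // BLOCKS_PER_EXTERNAL]
    first = PORT_MIN + (index % BLOCKS_PER_EXTERNAL) * BLOCK_SIZE
    return str(external), first, first + BLOCK_SIZE - 1


def trace(external: str, port: int) -> str:
    """Traceability: external (address, port) seen in a log -> intranet host."""
    pool_index = EXTERNAL_POOL.index(ipaddress.ip_address(external))
    block = (port - PORT_MIN) // BLOCK_SIZE
    if port < PORT_MIN or block >= BLOCKS_PER_EXTERNAL:
        raise ValueError(f"port {port} is not in any allocated block")
    return str(INTERNAL.network_address + (pool_index * BLOCKS_PER_EXTERNAL + block))


def session_log(internal: str, user: str, dst: str, dport: int, ts: str) -> str:
    """One session/user log record carrying both sides of the translation."""
    external, first, last = map_host(internal)
    return (f"{ts} user={user} int={internal} ext={external} "
            f"block={first}-{last} dst={dst}:{dport}")


if __name__ == "__main__":
    print(map_host("10.0.0.31"))             # ('203.0.113.2', 1024, 3071)
    print(trace("203.0.113.2", 2000))        # 10.0.0.31
    print(session_log("10.0.0.31", "alice", "198.51.100.7", 443,
                      "2018-09-12T10:00:00Z"))
```

The capacity check matters in practice: with two external addresses and 2048-port blocks only 62 hosts fit, so a /24 of subscribers needs either more pool addresses or smaller blocks, and either choice is a deliberate trade-off between address cost and ports per host.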

Lastly, it is important that the firewall provides full compliance with standard IPsec VPN capabilities and integrates a third-generation SSL VPN to provide users with a high-performance, high-capacity, full-featured VPN solution. At the same time, a plug-and-play VPN greatly simplifies configuration and maintenance and provides users with convenient, secure remote access services.