5 Considerations: Sizing Your Next-Gen Firewall (NGFW)

Video Statistics and Information

Reddit Comments

Good stuff that NSE didn't cover 100%

8 points, u/sonygoup, Dec 24 2018

Moar plz

4 points, u/Didsota, Dec 24 2018

Very well made and easy video to follow!

2 points, u/CoyKava, Dec 24 2018

Great video, it really cleared up quite a lot.

2 points, u/SaneGaming_, Jan 06 2019
Captions
One can argue that the firewall may be the most important security device on your network. As the gatekeeper of what comes in and goes out of your network, picking the appropriate size for your environment can make or break your network and security objectives. I'm Andy with The CISO Perspective, and today we're gonna look at five considerations when sizing a next-gen firewall.

Number five: connections per second, also known as new sessions per second. Connections per second deals with how quickly the firewall can create and store new sessions that are accepted by the firewall policy. As someone who has sized firewalls for large telcos and federal agencies, determining the connections per second may be the most difficult thing to calculate on a network. The easiest place to determine your requirement would be from your current firewall, if you have one in place. If you don't, or you can't get that number, here's a little technique to determine what you need. First, count the total number of users on your network. Next, get the total amount of devices without users; this could be IoT devices, servers, printers, phones and any other network device without users. We'll have to make an assumption here and calculate that each user will use between three to seven sessions per second; each device will use closer to 1 to 2 connections per second. If we use as an example 100 users and 20 devices, we would expect to see anywhere between 320 to 740 connections per second. The 740 connections per second would probably be during peak times, such as after lunch or when users are logging in for the first time. Don't forget to consider potential growth in your users and devices, so make sure you pad your requirement for that expected growth.

Number four: total throughput. The most common place to start when sizing a next-gen firewall is by looking at the total Layer 4 throughput for a given device, but a common mistake is to not calculate traffic in every direction. For example, a one-gig symmetrical circuit is commonly one gigabit down and one gigabit up. This means that on a fully saturated circuit you can have up to two gigabits of theoretical throughput going through your firewall. And don't forget about internal-only traffic, such as Wi-Fi users hitting your DNS server or internal users hitting your intranet portal. A properly designed network should have segmentation between different networks, which means that all traffic destined outside of that segment would hit the firewall policy and count towards your total throughput. Lastly, make sure you look at what kind of traffic type was used by the vendor in calculating their advertised throughput. Oftentimes the vendors will advertise UDP with big packet sizes instead of TCP, because they perform much better, but with the majority of your traffic probably being TCP, your real-world experience will be much less than what's advertised by the vendor. In last year's NSS next-gen firewall reports there was a vendor that claimed 20 gigabits of throughput, but when NSS turned on their real-world traffic profile that number went down to 3.6 gigabits.

Number three: SSL. According to Google's HTTPS encryption transparency report, 73 percent of pages loaded in Chrome used SSL, up 59 percent from a year ago. With that number only expected to continue to rise, SSL inspection is becoming a standard for any network firewall. SSL inspection usually comes in two forms: certificate inspection and deep packet inspection. Certificate inspection only inspects the SSL handshake, so there's usually not a big performance hit because you're not looking inside the SSL tunnel. Deep packet inspection actually performs a man-in-the-middle between the user and the server, so this comes at a huge performance impact. In this year's NSS next-gen firewall report there was one vendor who experienced as much as 91 percent performance degradation when they enabled SSL deep packet inspection; some vendors that employ custom ASICs saw performance decreases as little as 14 percent. When looking at any vendor's SSL performance numbers, take note of the cipher suite and packet size used for the performance number. Not all SSL numbers are measured equally, and firewall vendors are notorious for posting weak ciphers and large packets to make their numbers look better than what you would get in the real world.

Number two: next-gen firewall features. Next-gen firewalls have a lot of great features like IPS, application identification, antivirus and many others; however, there is a performance cost for every feature that's enabled. In NSS's 2018 next-generation firewall report, some vendors dropped as much as 82 percent by IPS and application identification, and that wasn't even including more resource-intensive features like web filtering and DLP. Your first step is deciding on what features you need or plan to implement. Next, decide where in your network those features will be enabled. For example, if you decide you need web filtering, you only need to enable it on outbound web traffic. If web traffic accounts for 40% of your total circuit and you have a one-gig circuit, you would effectively need about 400 megabits of web filtering capability. The majority of vendors won't have performance numbers for every permutation of next-gen features; instead they may have one performance number with several features enabled and call it something like either threat protection or threat prevention. This too can vary from vendor to vendor, so keep an eye out for what's included in their terminology. Again, when comparing products, always look at the traffic type and packet size for any advertised number. This varies greatly across the industry, so make sure you're comparing apples to apples when comparing two different sets of numbers.

Number one: maximum sessions, also referred to as concurrent sessions. As their names imply, this refers to the total number of firewall sessions a box can support. Like connections per second earlier, this can vary greatly from network to network depending on a number of different factors like traffic type, protocols, session timeouts, users and many other factors. Thankfully, as technology has evolved, next-generation firewall vendors have added plenty of memory for most normal networks in their target market. In fact, in all my years consulting and designing next-generation firewalls for telcos and large customers, I've never seen the maximum sessions on any device get exhausted before other things like connections per second, CPU or memory when other features are being enabled. But this can be a serious problem for data centers or other internet-facing traffic where the connections can be unpredictable. It's also a main target of DDoS attacks, which try to overwhelm a firewall by sending too much traffic at once and exhausting the connections per second or max sessions a firewall can support. If you don't have a firewall that can tell you how many sessions you currently have, calculate about a hundred sessions per user or device; this is usually a safe bet when trying to determine how many maximum sessions you need.

The CISO Perspective: security should come without compromising business objectives. An undersized firewall can be catastrophic to your network performance and business availability; that's why sizing the right box for your organization is crucial. An undersized firewall can not only bring your entire network down, but it can also undermine your entire security policy by failing open. As resources get limited, some firewalls will stop inspecting traffic to conserve CPU and memory, so make sure you understand what your firewall's behavior is and make sure it aligns with your security policy. So that does it for this video, guys. I hope it was informative, and if it was, please comment, hit like and subscribe to stay on top of all of our latest releases.
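The five considerations above, turned into a sizing worksheet. This is an added example and not code from the video or from any firewall vendor: the rules of thumb (3 to 7 new connections per second per user, 1 to 2 per headless device, about 100 concurrent sessions per user or device, web traffic at roughly 40% of the circuit, the 73% TLS share) are the speaker's; the growth pad, the real-world derating factors, the function names and the sample datasheet are assumptions made for illustration. The `shortfalls` check applies the video's caveat that advertised numbers are measured with friendly traffic, so it derates the datasheet before comparing.

```python
"""NGFW sizing worksheet built from the five considerations in the video.

Added example, not code from the video or any vendor. The rules of thumb
(3-7 new connections/s per user, 1-2 per headless device, ~100 concurrent
sessions per user or device, web traffic ~40% of the circuit) are the
speaker's; the growth pad, the real-world derating factors and the sample
datasheet below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    cps_low: int          # new connections/s in a quiet period
    cps_high: int         # new connections/s at peak (morning logins, after lunch)
    max_sessions: int     # concurrent sessions the state table must hold
    throughput_mbps: int  # L4 throughput, every direction, plus internal-only traffic
    web_filter_mbps: int  # outbound web traffic that needs URL filtering
    ssl_dpi_mbps: int     # share of that web traffic that will be decrypted


@dataclass(frozen=True)
class Datasheet:
    """Vendor numbers as printed on the datasheet (constructed, hypothetical)."""
    model: str
    cps: int
    max_sessions: int
    l4_mbps: int           # usually measured with large UDP packets
    threat_prev_mbps: int  # IPS + app-id etc.; check what the vendor bundles here
    ssl_dpi_mbps: int      # check the cipher suite and packet size behind it


def size_requirement(users, devices, circuit_mbps, *, symmetric=True,
                     internal_mbps=0, web_share=0.4, tls_share=0.73,
                     growth=0.2):
    """Estimate what the firewall must sustain, padded for expected growth."""
    g = 1 + growth
    u, d = users * g, devices * g
    # #5 connections per second: 3-7 per user, 1-2 per headless device.
    cps_low, cps_high = round(u * 3 + d * 1), round(u * 7 + d * 2)
    # #1 maximum sessions: ~100 per user or device.
    max_sessions = round((u + d) * 100)
    # #4 throughput: count both directions of a symmetric circuit, then add
    # segment-to-segment traffic that hits the policy without leaving the site.
    edge_mbps = circuit_mbps * (2 if symmetric else 1)
    # #2 features: web filtering is only applied to outbound web traffic, so
    # it is sized off the share of one direction of the circuit, not the total.
    web_mbps = circuit_mbps * web_share
    # #3 SSL: the TLS share of that web traffic is what DPI will decrypt
    # (0.73 is the Chrome figure quoted in the video; an assumption for your site).
    return Requirement(cps_low, cps_high, max_sessions,
                       round(edge_mbps + internal_mbps),
                       round(web_mbps), round(web_mbps * tls_share))


def shortfalls(req, sheet, *, l4_realworld=0.5, ssl_realworld=0.5):
    """Compare a requirement with a datasheet after derating advertised numbers.

    Throughput is checked against the threat-prevention figure, not bare L4,
    because the features will be on. The derating factors are assumptions:
    the video cites an NSS result of 20 Gbit/s advertised vs 3.6 Gbit/s
    real-world (0.18) for one vendor and a 91% SSL DPI drop for another, so
    0.5 is generous. Returns the dimensions that do not fit and by how much.
    """
    effective = {
        "cps": sheet.cps,
        "max_sessions": sheet.max_sessions,
        "throughput_mbps": sheet.threat_prev_mbps * l4_realworld,
        "ssl_dpi_mbps": sheet.ssl_dpi_mbps * ssl_realworld,
    }
    needed = {
        "cps": req.cps_high,
        "max_sessions": req.max_sessions,
        "throughput_mbps": req.throughput_mbps,
        "ssl_dpi_mbps": req.ssl_dpi_mbps,
    }
    return {k: round(needed[k] - effective[k]) for k in needed
            if effective[k] < needed[k]}


if __name__ == "__main__":
    # The video's example: 100 users, 20 devices, no growth pad -> 320..740 c/s.
    print(size_requirement(100, 20, 1000, growth=0))
    box = Datasheet("Example-1U", cps=20_000, max_sessions=500_000,
                    l4_mbps=10_000, threat_prev_mbps=2_000, ssl_dpi_mbps=900)
    print(shortfalls(size_requirement(100, 20, 1000, internal_mbps=500), box))
```

With the video's 100 users and 20 devices the worksheet reproduces the 320 to 740 connections per second range, 12,000 maximum sessions and 400 Mbit/s of web filtering on a 1 Gbit/s circuit; adding a 20% growth pad and 500 Mbit/s of internal segment-to-segment traffic, the sample datasheet's 2 Gbit/s threat-prevention number no longer fits once it is halved for real-world traffic, which is exactly the kind of gap the video warns about.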
Info
Channel: The CISO Perspective
Views: 27,446
Keywords: Next-gen firewall, ngfw, Palo Alto, Fortinet, checkpoint, firepower, firewall, sizing, cybersecurity, firewall sizing, netsec, network security, versa, asa, Cisco, Pan, juniper, advanced threat protection, fortigate, incident response, Zero day, 0 day, malware, virus, nss, intrusion prevention, ciso, information security, sandboxing
Id: 12AqJdlqXzM
Length: 7min 16sec (436 seconds)
Published: Sun Dec 23 2018