Cisco ASA 5515-X Adaptive Security Appliance White Paper
Lippis Report 158: Next Generation Network Security for Data Center Protections
lippis.com
Consider the following example of policy and enforcement creating a virtual perimeter. A user may be
accessing a SaaS application from his or her desktop. This flow traverses the corporate firewall, with its
associated policy and enforcement. When the same user is outside the corporate perimeter, he or she could
access the SaaS application directly, without corporate policy or enforcement, which opens vulnerabilities.
With mobile policy and enforcement, however, this user can access the SaaS application with the same
policy, enforcement and protections that apply inside the corporate perimeter, mitigating that exposure.
Solutions to this usually require the mobile device to first pass through the corporate firewall, or through
a security cloud service where IT controls policy, before the user connects to the SaaS application.
New Security Performance Demands
With mobile endpoints under corporate IT policy and enforcement, this large security gap can now be
managed and mitigated. At the same time that mobile devices are becoming ubiquitous, data center
security appliances are failing to keep up with the demand for information and application access. As
more compute power is concentrated into smaller spaces, traffic volume increases sharply, and security
appliances need to scale accordingly.
Consider how web sites serve up a rich-media web page. Each time a user requests a page, the front-end
server typically has to fetch 50 to 100 different objects from back-end servers just to assemble that one
page. Now consider a data center with thousands of servers handling five thousand user connections per
second, each of which spawns 50 to 100 server-to-server requests. The back-end east-west flows between
servers are therefore one to two orders of magnitude larger than the north-south user request flows, and
the combination of the two is immense.
New Firewall/IPS Performance Metrics Needed
From a security point of view, firewall throughput is no longer the only important performance metric;
"connections per second" is becoming just as important. A high connections-per-second rating assures IT
that back-end server flows are being screened without delaying the user experience. In addition to the
connection setup rate, a second measurement is the "maximum concurrent connections" the appliance can
hold in its state table, which determines whether all of the server-to-server flows needed to deliver a
web page can be carried at once. The combination of throughput, connections per second and maximum
concurrent connections can be defined as "true scale performance." A typical firewall can deliver
hundreds of thousands of new connections per second, but this is too slow for the most demanding data
centers by at least a factor of 2 to 3. The typical maximum number of simultaneous connections supported
per firewall is a few million, which is too low by at least a factor of 4 to 6. Also insist on a more realistic
throughput measurement than the range of UDP packet sizes that is common in the industry: a throughput
number measured against a mixture of real-world traffic profiles is a better assurance that the throughput
quoted is the throughput experienced.
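The two passages above (the 50-to-100 object fan-out behind each user request, and the three metrics that make up "true scale performance") can be turned into a sizing check. The model below is an added example written for this page, not code from Cisco or the Lippis Report. It derives the required east-west connection rate from the north-south rate and the fan-out, and derives the required concurrent-connection count with Little's law (concurrent connections = connection arrival rate x mean connection lifetime), a step the text leaves implicit. Every number in it (request rate, fan-out, connection lifetimes, bytes per connection, and the firewall's rated figures) is an assumption chosen for illustration, not a measurement or any vendor's datasheet value.

```python
"""Sizing check for a data-center firewall/IPS against the three "true scale"
metrics: connections per second, maximum concurrent connections, throughput.

All numeric inputs are assumptions for illustration only (constructed sample
data), not measurements and not any vendor's datasheet figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    north_south_cps: float     # user-facing new connections per second
    fanout: int                # back-end requests spawned per user request
    ns_lifetime_s: float       # mean lifetime of a user-facing connection
    ew_lifetime_s: float       # mean lifetime of a server-to-server connection
    ns_bytes_per_conn: float   # bytes carried per user-facing connection
    ew_bytes_per_conn: float   # bytes carried per server-to-server connection


@dataclass(frozen=True)
class FirewallSpec:
    name: str
    max_cps: float             # rated new connections per second
    max_conns: float           # rated maximum concurrent connections
    throughput_gbps: float     # rated throughput for a realistic traffic mix


def required_capacity(w: Workload) -> dict:
    """Derive what the firewall must sustain if it screens both the
    north-south user flows and the east-west server flows they spawn."""
    ew_cps = w.north_south_cps * w.fanout
    total_cps = w.north_south_cps + ew_cps
    # Little's law: mean number in system = arrival rate x mean time in system.
    concurrent = w.north_south_cps * w.ns_lifetime_s + ew_cps * w.ew_lifetime_s
    bytes_per_s = (w.north_south_cps * w.ns_bytes_per_conn
                   + ew_cps * w.ew_bytes_per_conn)
    return {
        "east_west_cps": ew_cps,
        "total_cps": total_cps,
        "concurrent_conns": concurrent,
        "throughput_gbps": bytes_per_s * 8 / 1e9,
        "east_west_to_north_south_ratio": ew_cps / w.north_south_cps,
    }


def check_firewall(spec: FirewallSpec, w: Workload, headroom: float = 1.5) -> dict:
    """Compare required figures (with a headroom multiplier for peaks) against
    the rated figures. Returns metric -> (required, rated, ok)."""
    need = required_capacity(w)
    return {
        "cps": (need["total_cps"] * headroom, spec.max_cps,
                need["total_cps"] * headroom <= spec.max_cps),
        "concurrent_conns": (need["concurrent_conns"] * headroom, spec.max_conns,
                             need["concurrent_conns"] * headroom <= spec.max_conns),
        "throughput_gbps": (need["throughput_gbps"] * headroom, spec.throughput_gbps,
                            need["throughput_gbps"] * headroom <= spec.throughput_gbps),
    }


def shortfalls(spec: FirewallSpec, w: Workload, headroom: float = 1.5) -> list:
    """Names of the metrics on which the appliance falls short."""
    return [m for m, (_, _, ok) in check_firewall(spec, w, headroom).items() if not ok]


# Constructed sample workload: 5,000 user connections/s, 75 back-end requests
# per page (mid-point of the 50 to 100 range), keepalive user connections
# living 10 s, short server-to-server connections living 1 s.
SAMPLE_WORKLOAD = Workload(
    north_south_cps=5_000, fanout=75,
    ns_lifetime_s=10.0, ew_lifetime_s=1.0,
    ns_bytes_per_conn=100_000, ew_bytes_per_conn=4_000,
)

# Hypothetical appliance rating, chosen to resemble the "typical" firewall the
# text describes (hundreds of thousands cps, a few million concurrent conns).
SAMPLE_FIREWALL = FirewallSpec(
    name="hypothetical-fw", max_cps=250_000, max_conns=2_000_000, throughput_gbps=10,
)

if __name__ == "__main__":
    for metric, value in required_capacity(SAMPLE_WORKLOAD).items():
        print(f"{metric:32s} {value:,.1f}")
    for metric, (req, rated, ok) in check_firewall(SAMPLE_FIREWALL, SAMPLE_WORKLOAD).items():
        print(f"{metric:20s} need {req:>14,.0f}  rated {rated:>14,.0f}  {'OK' if ok else 'SHORT'}")
```

With the sample inputs the east-west rate is 75 times the north-south rate (inside the one-to-two orders of magnitude the text describes), and the hypothetical appliance fails on connections per second and throughput while its state table is large enough. Changing the connection lifetimes is the quickest way to see why "maximum concurrent connections" is a separate metric from "connections per second": long-lived keepalive sessions fill the state table even at a modest setup rate.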
In addition to raw security performance, data center rack space also needs to be carefully managed, as IT
executives quickly run out of rack space as they consolidate. Security appliances need to reduce their
footprint, as many appliances occupy 16 to 24 RU, half a rack of space, and more