Fortinet's latest firewall is like your kids' music – you're probably not ready for it, yet

Firewalls play a significant role in securing today's datacenters, but the technology must evolve if it's to remain relevant, Fortinet VP of product Nirav Shah told The Register. Enterprise datacenters are changing. Workloads don't just run on-prem – increasingly they're being deployed across multiple datacenters and clouds, …

  1. tip pc

    At those volumes?

    Why would you pass that traffic through firewalls at those volumes of throughput?

    If A needs to send to B at huge volumes, put them in the same subnet.

    Just firewall between the reviewing system and whatever has the answer that’s crunched, which should reduce the bandwidth needed by the firewall.

    If you’ve truly got gobs of different traffic in and out that requires more than a basic access list, then I’d suggest some kind of authentication of the flows; firewalls are a bit basic and permit predictable flows.

    If you're doing IPS or some other type of inspection, I can see the value in a huge box with loads of CPU that can inspect at scale.

    Most transport is encrypted, though, which blinds inspection unless it decodes - inspects - encodes, but you may as well do that with an agent on the sending systems before the initial encryption.

    I think advanced next-gen firewalls will find it increasingly hard to find a use case over basic firewalling as more and more flows are end-to-end encrypted.

    1. W.S.Gosset

      Re: At those volumes?

      > Why would you pass that traffic through firewalls at those volumes of throughput?

      My thoughts were: malware infection resistance.

      1. tip pc

        Re: At those volumes?

        A basic firewall will just stop ports to / from src / dst unless they are permitted.

        A firewall won’t stop malware if it works on permitted ports & src/dst.

        At huge volumes it’s desirable to put those systems sending the most within the same VLAN / subnet / segment to reduce the number of systems that the huge volume needs to be sent through, then protect the perimeter, which is likely less volume of transfer.

    2. Anonymous Coward

      Re: At those volumes?

      I suspect you may not have much experience in large enterprise or modern UTM firewalls.

      You can't just use the same subnet because that would break the security zone model that almost all large organisations employ for network segmentation; you're often dealing with large complex networks utilising dynamic routing and spread across multiple locations. You mention authentication - FNT are also ahead of you here with the concept of ZTNA, which has been part of FortiOS for quite some time now. For regular firewalling, identity-based policies have been the norm for ages - identity based on many sources.

      As regards who uses that sort of performance - providers (there is a special OS for that featuring CG-NAT), telcos, multi-tenant applications, large business organisations. In the financial world, latency is CRITICAL. A millisecond of latency in finance is completely unacceptable, and latency figures are in the nanosecond range. It's not just IPS that's applied on this traffic; it is also deep packet inspection, application control, web filtering, email filtering, WAF, antivirus, behaviour analysis, sandboxing etc., all in the same inspection cycle and, in the case of the firewalls mentioned in this article, mostly handled in hardware for excellent performance.

      All of the big players do SSL decrypt; Fortinet leads the pack on performance on this front as they do this in hardware. Palo Alto won't even quote their SSL decrypt figures as they are pretty poor in comparison. Check Point are getting back there with their new appliances.

      1. tip pc

        Re: At those volumes?

        If you’ve got a load of machines that need to exchange huge volumes of traffic with each other, then it’s sensible to put them in the same zone and secure the access into that zone.

        By all means do your east-west segmentation between your zones and north-south, but if you’ve grouped your systems by volumes of data that need to be exchanged between each other, data that is encrypted in transit, then what’s the need to inspect the data? You won't find anything that hasn’t already broken TCP. If it’s important to encrypt, why decrypt with something that increases the attack surface?

        Firewalls are not magic bullets, they have their uses, they don’t need to be given out like smarties.
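The zone model both commenters are arguing over can be made concrete. The following is an added example, not code from the article, from Fortinet, or from either commenter: a toy zone-based policy evaluator in which traffic between two hosts in the same zone never touches the firewall at all, while inter-zone traffic is matched against a plain port/src-zone/dst-zone rule list. The zone ranges, rule set and sample flows are constructed for the example. It shows the two points made above: bulk intra-zone transfers cost the firewall nothing, and a basic five-tuple rule cannot tell a legitimate outbound HTTPS session from a beacon on the same port, because nothing in the tuple distinguishes them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zones (constructed for this example). Longest prefix wins,
# so the catch-all "internet" zone only applies to addresses no other zone covers.
ZONES = {
    "compute":  ipaddress.ip_network("10.10.0.0/16"),   # the bulk-transfer cluster
    "review":   ipaddress.ip_network("10.20.0.0/24"),   # the "reviewing system"
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "permit" or "deny"

# Hypothetical perimeter policy for the zones above: first match wins,
# implicit deny at the end, exactly like a basic access list.
RULES = [
    Rule("review",  "compute",  "tcp", 8443, "permit"),  # fetch crunched answers
    Rule("compute", "internet", "tcp",  443, "permit"),  # outbound HTTPS
]

def zone_of(ip: str) -> str:
    """Most-specific zone containing ip (longest prefix match)."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    raise ValueError(f"no zone for {ip}")

def decide(flow: Flow) -> tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule). Intra-zone traffic bypasses the firewall."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return ("bypass", None)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (sz, dz, flow.proto, flow.dport):
            return (rule.action, rule)
    return ("deny", None)

def firewall_load(flows: list[Flow]) -> int:
    """Number of flows that actually traverse the firewall (i.e. are not bypassed)."""
    return sum(1 for f in flows if decide(f)[0] != "bypass")

# Constructed sample traffic: two huge intra-cluster transfers, one legitimate
# fetch from the review host, one ordinary outbound HTTPS session, one C2
# beacon that also uses outbound 443, and an unsolicited inbound connection.
SAMPLE_FLOWS = [
    Flow("10.10.0.5",     "10.10.0.9",    "tcp", 9000),   # bulk transfer, same zone
    Flow("10.10.0.9",     "10.10.7.2",    "tcp", 9000),   # bulk transfer, same zone
    Flow("10.20.0.7",     "10.10.0.5",    "tcp", 8443),   # review -> compute
    Flow("10.10.0.5",     "203.0.113.10", "tcp",  443),   # legitimate HTTPS egress
    Flow("10.10.0.5",     "198.51.100.9", "tcp",  443),   # beacon on a permitted port
    Flow("203.0.113.10",  "10.10.0.5",    "tcp", 8443),   # inbound from internet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, rule = decide(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {verdict:<7} {rule}")
    print("flows hitting the firewall:", firewall_load(SAMPLE_FLOWS))
```

The beacon and the legitimate egress both return "permit" from the same rule; the only way to separate them is something beyond the five-tuple (identity of the process or user, inspection of the payload, or an allow-list of destinations), which is the choice the thread is really debating.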

      2. Anonymous Coward

        Re: At those volumes?

        Anon - I suspect you have skin in the game.

        I'll just pick at one thread: as you say, big finance need low latency and, what you don't mention but probably assume, confidentiality. That is of course why they shouldn't put a box in between A and B that inspects traffic. A and B will share a hardware-stored secret of some sort and have custom hardware that can encrypt and decrypt messages at something like nanosecond or better latency. It has to be better than LAN latency; how much better is a matter of engineering and requirement, but the latency of network connections over megametres is the big win. Even so: a general-purpose firewall, no matter how fancy, will not cut it.
