Solution Brief
Protect Performance with Software-Defined Firewall Extension
Security at the Speed of Business

A Fast Path for Trusted Flows

Moving large data flows across a Wide Area Network (WAN) can take hours, if not days, to complete. The time needed to complete these file transfers depends on a number of factors, including the size of the data set, the speed of the external connection, the protocol being used, and intermediate congestion points. One such congestion point is the firewall, since large data flows must pass through it for inspection. Compounding this problem, the firewall must treat all flows as suspect to guard against the possibility of malicious traffic, such as Distributed Denial of Service (DDoS) attacks. This continuous blocking of large flows consumes precious bandwidth, further reducing firewall performance.
Highlights
• Speeds time to results in university and industry research
• Decreases time to revenue by speeding information sharing during development
• Leverages external data analytics capabilities through more efficient data set movement
• Increases performance in existing data environments by directing trusted data flows to a fast path
• Improves the balance between business agility and security requirements
• Provides flexibility to plan and manage workflows

WWW.EXTREMENETWORKS.COM

Although methods exist to temporarily manage the problem, they do not resolve the long-term condition, nor do they provide business and research institutions with a way to automatically enable large trusted (good) flows while excluding malicious flows. For example, firewall vendors attempt to address this issue by adding larger interfaces (1 Gbps to 100 Gbps) and increasing processing power. However, these modifications do not scale and astronomically increase the cost of the firewall.
Stop Waiting for Large Data

Businesses, research projects, and institutions rely on data, and the sheer amount of data plus the rapidity of its processing are increasing. Companies typically share data between their own teams as well as with third parties that reside outside the company firewall. Data sets are downloaded to enable engineering, marketing, and other everyday functions. In medical research, large data sets are the norm, and any slowing of their acquisition, sharing, or processing increases not only time to cures, but also time to revenue by delaying research results. Finally, in Research and Education Networks (RENs) used by universities and other research entities, one expects information sharing for the common good, but this is difficult to achieve when every large data transfer is essentially a big “time out” for progress, and teams are left waiting.
Networks have been designed to provide bandwidth with limited performance degradation. As more users and processes are connected, however, network speeds need to be increased across that bandwidth. Although the network can support the higher traffic flows, the firewall creates a choke point. Organizations can optimize firewall performance and even choose to make traffic inspections less restrictive, but at some point loosening security parameters becomes unwise, and performance reaches its maximum. That is when intelligent direction of network traffic for known safe flows is the answer.
Users and Data Type

When balancing between sharing and security, organizations need to consider the data source, or actor, the user, and the type of data in a stream (expected format or not) before deciding what to let bypass the firewall. For example:
• Known good sources (actors) are identified, and the data they share can be accelerated.
• Known machine-based sources of large data sets are also identified and directed past the firewall.
• Firewall capacity is reserved for data from unproven sources or bad actors with malicious intent.

Enabling Good Flows through Firewall Integration

Networks have become more intelligent, with the ability to provide greater visibility into traffic flows. This capability, combined with Software-Defined Networking (SDN), can help address the performance issue described earlier while providing a wealth of new solutions and scaling with the network. Data volume and processing speed have increased, making the network a new operator in the efficiency of data sharing. As a result, researchers are consistently rating the network as highly important in their ability to do their jobs.
Extreme Networks Software-Defined Firewall Extension uses an open, modular approach to accelerate the transfer of large trusted data flows. It identifies those good flows and issues instructions to route that traffic around the firewall. In this implementation, all traffic is initially forwarded from the Extreme router to the firewall for inspection. Once the firewall identifies malicious traffic, the Flow Optimizer issues directions to the router to either drop that traffic or redirect it to a network analyzer or honeypot. This elimination of firewall-related latency greatly reduces the time needed to complete the data transfer.
Speeding the Flow of Results

The network handles all traffic, routing appropriately so that flows identified as good do not continually go through the firewall. This Extreme Networks solution integrates with industry-leading firewalls, and as soon as large flows have been identified as safe or having originated from a known good actor, they are routed directly to their desired location for use (see Figure 1).
[Figure 1 diagram: Host 1, Host 2 and Host 3 connected through Extreme MLX/SLX/VDX routers to the Firewall, a Honeypot, Server 1 and Server 2, with the Flow Optimizer directing the routers.]

Figure 1: Extreme data center routers forward good and bad flows appropriately using direction from the SDN Controller and Flow Optimizer, and following parameters received from firewall settings.
©2018 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. 12697-0318-27
GA-SB-6209-00