From firewall to 'firebox' for the data center
- 20 March, 2008 10:22
Mercy Medical Center's security wish list is far from atypical. The Baltimore healthcare provider wants to make sure that users access only the services and servers they require, and that its data-center servers remain secure and problem-free. Nevertheless, it hasn't yet found quite the right technology combination.
Network access control (NAC) gear from ConSentry Networks handles the user-access-control piece, but the technology doesn't give Mercy Medical a way to address the additional, server-level security it would like. "We want to segregate the servers in the data center from one another," says Mark Rein, the center's senior IT director. The organization needs this separation because it opens its data-center servers to third-party vendors handling certain management and maintenance duties. "We want them to access just that one server or application, and not be able to see or talk to any of the other servers. It's like we need NAC, but at the server level."
This is not an extravagance. "The server is the primary attack point nowadays, which means that the server is also a great jumping-off point," says Joel Snyder, a senior partner with Opus One and a Network World product tester. "As organizations have heterogeneous data centers -- mixes of Unix flavors, Windows, old mainframes -- there are going to be issues with older systems that might not be patched or closely protected becoming infected and turning into attack vectors for other servers."
That can be an especially brutal problem for enterprises whose security defenses line up only at the edge of the data center. Once an attacker gets through to one server, nothing inspects the unprotected, high-speed server-to-server connections behind it, so the compromise spreads across the data center quickly. That is before counting the problems encountered when these servers exist in a virtualized environment.
"Most of our servers are virtual servers sitting in blade chassis. When you start looking at how these virtual servers are potentially talking or co-mingling over the hypervisor to one another, that's a tough problem. At this point, available tool sets are not really great," Rein says.
NAC-like server firewalls
Unlike traditional firewalls, which rely on port numbers to differentiate traffic, Palo Alto's appliance is like NAC in that it can see up to Layer 7. It filters traffic based on the application it identifies in the traffic and on the user's role, obtained from Microsoft's Active Directory. That matters as more applications run over the single superhighway of port 80, where a port-based rule can no longer tell one application from another.
The vendor, however, hasn't integrated some of the higher-end capabilities that users, such as Mercy Medical's Rein, hope it one day will for even better server-level protection. These include intrusion-prevention systems (IPS) and data-leakage-prevention services.
Nir Zuk, CTO of Palo Alto, agrees that functions such as these are important and says the company is working on developing them. "You want the firewall to do the IPS function and make sure people don't hack the servers. You also want to make sure that it looks for data leaking out of the data center, things like Social Security numbers," he says, adding that speed is a prevailing issue. "Nobody has those pieces yet at the speeds required in a data-center box."
Server-focused firewalls would need to run at a minimum of 10Gbps to support typical performance levels, experts say. Such firewalls also would need to support rich per-server policies that ensure safe traffic, such as backups, gets fast-tracked, and malicious traffic is checked and discarded. In addition, management -- something Snyder says could be a "total nightmare" -- must be easy.
"Lots of firewall companies have centralized management, but the ability to control dozens of firewalls with hundreds of rules all in a single data center is a rare product," Snyder says. "In this case, I'd take a weaker firewall with a better management tool."
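To make concrete the difference between a port-based rule and the application- and user-aware, per-server policy described in the two passages above (Layer 7 identification plus directory-derived user roles, and per-server rules that fast-track backup traffic while denying everything else), here is an added example in Python. It is not code from Palo Alto, Cisco, Juniper, Check Point or any of the organizations quoted on this page. Every address, group name, server, payload signature and the in-memory "directory" standing in for the Active Directory lookup is constructed for the example.

```python
"""Added example: application- and user-aware, per-server firewall policy.

A constructed model of the idea discussed in the article, not any vendor's
implementation. All addresses, groups, servers and signatures are invented.
"""
from dataclasses import dataclass

# Constructed stand-in for the Active Directory lookup: source address ->
# (user, groups). A real device resolves this from directory logon events.
DIRECTORY = {
    "10.9.9.5": ("acme-svc", {"vendor-acme"}),     # third-party maintenance vendor
    "10.0.5.2": ("backup-svc", {"backup-servers"}),
    "10.0.2.7": ("jdoe", {"staff"}),
}


def identify_app(payload: bytes) -> str:
    """Classify a flow by the first bytes of its payload, ignoring the port.

    Signatures are deliberately minimal; a real engine keeps per-flow state
    and many more signatures. 'BKP1' is an invented backup-agent marker.
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                      # TLS record: handshake type, version 3.x
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    if payload.startswith(b"BKP1"):
        return "backup"
    return "unknown"


@dataclass
class Rule:
    app: str                # application the rule permits (from identify_app)
    groups: set             # directory groups allowed to use it
    action: str = "allow"   # "allow" or "fast-track" (skip deep inspection)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Per-server policy. Anything that matches no rule for the server is denied,
# which is what "NAC at the server level" means for the vendor scenario.
POLICY = {
    "10.0.1.10": [                          # server the vendor maintains
        Rule("tls", {"vendor-acme", "staff"}),
        Rule("backup", {"backup-servers"}, action="fast-track"),
    ],
    "10.0.1.11": [                          # records server: staff only
        Rule("tls", {"staff"}),
        Rule("backup", {"backup-servers"}, action="fast-track"),
    ],
}


def port_based_decision(flow: Flow) -> str:
    """What a traditional rule 'permit tcp any host <server> eq 443' decides."""
    return "allow" if flow.dport == 443 else "deny"


def app_user_decision(flow: Flow) -> str:
    """Decide from (identified application, user's groups, destination server)."""
    _user, groups = DIRECTORY.get(flow.src, ("unknown", set()))
    app = identify_app(flow.payload)
    for rule in POLICY.get(flow.dst, []):
        if rule.app == app and groups & rule.groups:
            return rule.action
    return "deny"                           # default deny: unknown app, user or server


if __name__ == "__main__":
    samples = [
        ("vendor TLS to its own server", Flow("10.9.9.5", "10.0.1.10", 443, b"\x16\x03\x01\x00\x10\x01")),
        ("vendor SSH hidden on 443", Flow("10.9.9.5", "10.0.1.10", 443, b"SSH-2.0-OpenSSH_7.4\r\n")),
        ("vendor TLS to records server", Flow("10.9.9.5", "10.0.1.11", 443, b"\x16\x03\x01\x00\x10\x01")),
        ("backup agent to records server", Flow("10.0.5.2", "10.0.1.11", 10000, b"BKP1\x00\x00")),
    ]
    for label, flow in samples:
        print(f"{label:32} port-only={port_based_decision(flow):6} app+user={app_user_decision(flow)}")
```

The second sample is the case the article is driving at: SSH tunnelled over port 443 passes the port-only rule but is denied once the application is identified from the payload. The third shows the vendor confined to the one server it maintains, and the fourth shows backup traffic from the backup server being fast-tracked past inspection on a port no port-based rule would have opened.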
Firewall vendors Check Point Software, Cisco and Juniper Networks are working to address the IPS, management and other issues. While they may not have the high level of application- and user-awareness of a Palo Alto device, data-center performance and scalability are big focuses. These vendors caution, however, that such capabilities come with performance hits that might not be acceptable to many enterprises.
Users who want to separate data-center servers must pick a firewall that not only is very fast, but also has robust management, policy and virtualization capabilities, says Tom Russell, Cisco senior product manager. The vendor recently rolled out an example of this with the ASA-5580, a firewall-VPN product that has 20Gbps throughput and supports as many as 10,000 remote users, 75,000 policies and 150,000 connections per second.
Intrusion prevention wasn't a focus for this level of firewall, Russell says. An integrated IPS-firewall works best at speeds no higher than 1Gbps, he contends, noting that enterprises needing better performance tend to use separate firewalls and IPSs.
Jon Yun, a Juniper product marketing manager, agrees. "In the server-server scenario, depending on the performance, the integrated IPS products would be ideal. But if there's a huge data center or service-provider type of network, then a dedicated box may be better suited," he says. "Right now, we're at 30Gbps throughput [with the NetScreen-5400]. And if you deploy a firewall like that and then you virtualize it so that it supports 10 different servers on the back end, it still gives you quite a bit of capacity and throughput."
Check Point is working to make sure its software can make the best use of Intel's multicore chip technology. The goal is to keep performance high while adding such features as IPS. "We're looking to speed up this whole idea of application awareness and intelligence," says Bill Jensen, product marketing manager for Check Point's VPN-1 line. "If you buy a US$5,000 server from IBM or Dell that has a couple of the Intel multicore chips on it, and you turn on 70 per cent of the application inspection in our firewall software, you're still going to run around 2Gbps, which is very high."
Server-to-server firewalls, on the other hand, don't require as much IPS horsepower, Jensen says, because they can be tuned specifically to individual server traffic (vs. perimeter firewalls that need to check everything coming into the enterprise). "Once you get into individual racks in the data center and you can have a lower level of inspection turned on, the performance shoots up even higher," he says.
Beyond performance hits, budgets can get in the way, users say. Baptist Healthcare System in the US uses Cisco PIX firewalls at its perimeter and is rolling out stand-alone IBM-ISS IPS boxes at the edge of its data center. While per-server, NAC-like protection is the ideal, "we have to do more edge-based protection, where there's more bang for our buck," says Tom Taylor, Baptist Healthcare's corporate manager for client/server infrastructure.
Jim Laval, network manager at the organization, agrees. "It took us two years of budget process just to get the first phase of the IPS project approved, and that was about US$110,000. I don't see us going to the server level anytime soon."
Cummings is a freelance writer in the US. She can be reached at email@example.com.