Trying to properly size a firewall has to be one of the most infuriating things a security operations person can do. Since you’re required to buy one that’s big enough to handle an ever-increasing number of flows in your enterprise, you have to play the guessing game. Should I buy one that will fit the projected amount of data in three years? Are the numbers from the vendor reliable for minimum packet sizes only? Should I just throw a dart and double the numbers?
If you think that elastic software firewalls aren’t affected by these issues, you probably haven’t deployed enough of them. Deploying a firewall intelligently does alleviate some of the sizing issues. However, there are other considerations to think about. Whereas a physical hardware firewall will hit a limit in the number of connections and then fail, a software firewall will just keep chugging along. In fact, in the cloud it can scale up to take all the flows you can throw at it. Sounds awesome, right? Now think about what happens when you get the bill for a firewall that tripled in size over the last month. Worse yet, how can you be sure the flows traversing the firewall need to be doing so in the first place? Can you even separate the mess?
Proper Policing with Prosimo
Prosimo knows the pain of this particular challenge. In their latest cloud-native software release a couple of weeks ago they introduced a tool that looks to solve this particular issue quite elegantly. You may recall seeing Prosimo last year at Cloud Field Day 15 where they talked about the challenges of multi-cloud networking and their solution to the complexity. Here’s a great intro to how they’re building their platform.
Building on this success is their newest service. Adaptive Service Insertion is, on the surface, a very competent tool to deploy firewall resources in appropriate locations with a minimum of fuss.
Adaptive Service Insertion is completely spokeless, which means there is no need to deploy compute nodes to get the service up and running. You can define your policies to examine traffic based on app definitions, CIDR IP blocks, or even individual flows. Yes, Prosimo allows you to define single flows that transit through their firewall service. This, in and of itself, is a big deal. The ability to redirect critical flows through security services helps support the business rules that govern how you operate. If you need PCI compliance for credit card data, you can now send just that traffic through a Prosimo instance and ensure you’re protected. You can also force your local user traffic to exit out to the Internet without needing to transit back to a spoke location like the HQ.
The flexibility of the policy definitions also means that you can identify large flows and deal with them to find out why they’re consuming so many resources. The earlier example of the software firewall becoming a cost chokepoint is one that Prosimo has actually dealt with for a customer. Rather than having one big construct with thousands of flows piped through it and no way to figure out what’s consuming all the CPU cycles, you can instead break out the flows into their own instances and gain control of the chaos. Once you’ve identified the top talkers, you can implement controls to keep them from growing out of control and shocking your stakeholders when the bills come due.
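To make the two ideas above concrete (steering by app, CIDR block or single flow, then finding the top talkers per service instance), here is an added illustration written for this post. It is not Prosimo's API or code; the flow records, policy rules, target names and byte budget are all constructed and hypothetical.

```python
# Added illustration (not Prosimo's API): steer flows to firewall service
# instances by policy (app tag, CIDR block, or exact flow) and report the
# top talkers per instance so runaway consumers show up before the bill does.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (app, src, dst, dst_port, bytes). Hypothetical values.
FLOWS = [
    ("payments", "10.10.1.5", "10.20.0.9", 443, 120_000),
    ("payments", "10.10.1.6", "10.20.0.9", 443, 90_000_000),
    ("crm", "10.30.2.7", "203.0.113.10", 443, 5_000),
    ("web", "10.30.2.8", "198.51.100.4", 80, 2_500_000),
    ("unknown", "10.40.3.3", "10.20.0.9", 5432, 250_000_000),
]

# Ordered policy, first match wins. The three matcher kinds mirror the policy
# scopes named in the post: an individual flow, a CIDR block, an app definition.
POLICY = [
    {"kind": "flow", "match": ("10.40.3.3", "10.20.0.9", 5432), "target": "fw-db-audit"},
    {"kind": "cidr", "match": "10.20.0.0/16", "target": "fw-pci"},
    {"kind": "app", "match": "crm", "target": "fw-saas"},
    {"kind": "cidr", "match": "0.0.0.0/0", "target": "local-internet-egress"},
]

def matches(rule, flow):
    app, src, dst, port, _ = flow
    if rule["kind"] == "flow":
        return (src, dst, port) == rule["match"]
    if rule["kind"] == "cidr":
        return ip_address(dst) in ip_network(rule["match"])
    return app == rule["match"]

def steer(flows, policy):
    """Map each (src, dst, port) to the first matching target, else 'drop'."""
    return {f[1:4]: next((r["target"] for r in policy if matches(r, f)), "drop")
            for f in flows}

def top_talkers(flows, plan, budget_bytes):
    """Per target: total bytes, and the flows exceeding the per-flow budget."""
    totals, hogs = defaultdict(int), defaultdict(list)
    for f in flows:
        target = plan[f[1:4]]
        totals[target] += f[4]
        if f[4] > budget_bytes:
            hogs[target].append(f[1:4])
    return dict(totals), dict(hogs)

if __name__ == "__main__":
    plan = steer(FLOWS, POLICY)
    totals, hogs = top_talkers(FLOWS, plan, budget_bytes=50_000_000)
    for target, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{target:22s} {nbytes:>12,d} bytes  over budget: {hogs.get(target, [])}")
```

Run as a script, it lists each service instance with its byte total and the flows that blew through the per-flow budget, which is the shortlist you would take to the application owners before capping or splitting them out.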
Bringing It All Together
Your security teams and networking teams are probably still fragmented despite our best efforts to help them work together in the new world of cloud-driven services. The traditional methods of securing data don’t scale well in the cloud, and the new methods can scale out of control if you don’t have a way to rein them in. With solutions like the ones from Prosimo you don’t have to worry about creating a monster firewall that threatens to take over your security team. Instead you can intelligently deploy services where they are needed and analyze the data you get to find out how to tame the beasts.
For more information on Prosimo and their newest cloud-native solutions, make sure you check out their website.