Firewalls play a big position in securing right this moment’s datacenters, however the expertise should evolve if it is to stay related, Fortinet VP of product Nirav Shah instructed The Register.
Enterprise datacenters are altering. Workloads do not simply run on-prem – more and more they’re being deployed throughout a number of datacenters and clouds, he mentioned. In line with these developments, the quantity of site visitors not solely shifting out and in of the datacenter — north-south site visitors — however throughout the datacenter — east-west site visitors — is rising exponentially, driving operators towards higher-performance interfaces.
Dell’Oro Group expects shipments of 200Gbit/sec to 400Gbit/sec switches to greater than double this yr alone – pushed largely by AI and different bandwidth-hungry purposes.
But whereas high-throughput, low-latency switching has been round for years, the strategy compromises on safety and might not be viable for extremely regulated markets like healthcare or the monetary business, Shah argued. The downside, he claimed, is that almost all firewalls aren’t nicely outfitted to examine site visitors at these speeds. And these that may do it are both prohibitively costly or too massive and sophisticated to implement and preserve.
Fortinet is not any stranger to this problem. The firm’s NP7 ASIC-based FortiGate 4200F and later 4400F firewalls, launched in late 2020, introduced 100Gbit/sec interfaces and north of 1.15Tbit/sec of firewall capability, within the case of the latter, to a 4U chassis. These firewalls particularly focused high-performance datacenter and hyperscale prospects.
This week, the safety vendor upped the ante with the FortiGate 3700F, which packs a number of 400Gbit/sec ports into an excellent smaller 2U chassis. Though the firewall does lose out on uncooked capability – coming in at 600Gbit/sec.
The 3700F is not for everybody, but, Shah admitted. It’s geared toward prospects coping with massive flows of delicate knowledge inside and between personal and cloud datacenters.
“They’re building this hyperscale datacenter for specific applications that need to [meet] compliance and performance requirements,” he defined.
Healthcare is one market wherein Shah sees robust demand for high-performance firewalls, as a result of they’re typically saddled with massive portions of extremely delicate knowledge that will should be moved between datacenters or the cloud to carry out AI/ML workloads.
Meanwhile, monetary establishments – significantly these dealing in high-frequency buying and selling – want a safety equipment that may sustain with tens of millions of latency delicate connections each second, Shah mentioned. “Ultra-low latency is equally important.”
The new firewall helps latencies down to 2 microseconds which, in line with Shah, makes firewalls just like the 3700F preferrred for these environments.
While demand for these sorts of firewalls is proscribed to some particular industries for now, Shah mentioned he expects nearly all of datacenters to comply with an identical path finally.
Zero-trust within the datacenter
Beyond supporting bigger knowledge flows, Shah additionally sees firewalls as a way to increase zero-trust ideas deeper into the datacenter.
“This is where we think network firewalls in the datacenter play a critical role,” he mentioned. “We think that’s going to play an important role for the universal enforcement of ZTNA.”
While zero-trust community entry (ZTNA) is basically seen as a alternative for VPNs for distant entry, Shah believes the expertise could be utilized to safe datacenter-to-datacenter site visitors as nicely. Meanwhile microsegmentation – a expertise typically utilized in zero-trust architectures to make sure solely these workloads which might be supposed to speak to one another can – offers an avenue for securing application-to-application site visitors inside the datacenter.
“It’s high time to [start] using microsegmentation in datacenters, and the firewall remains the central part of that,” he mentioned.
Taken as a complete, Shah argues that by doing all of this within the firewall, prospects stand to eradicate the complexity of managing a number of platforms to realize a zero-trust structure.
Distributed firewalls achieve momentum
Fortinet’s firewall-centric strategy to datacenter safety might quickly be challenged by a brand new bread of safety home equipment.
Data processing models (DPUs) from corporations like Intel, Nvidia, and Marvell present prospects with an alternate that, with the correct software program, places a small firewall in each server. Last summer time, rival firewall vendor Palo Alto Networks demoed this functionality by deploying its virtualized firewall platform on Nvidia’s BlueField-2 DPUs.
The DPU features equally to a co-processor, offloading and accelerating Palo Alto Networks’ packet filtering and forwarding capabilities from the CPU. And, like Fortinet’s hyperscale firewalls, Nvidia claims this strategy permits knowledge flows beforehand thought unimaginable or impractical.
Asked whether or not Fortinet, which designs its personal networking and safety ASICs, would pursue an identical disaggregated strategy to firewalls, Shah declined to remark – however did not rule out the likelihood. Such a product – a FortiDPU maybe – would not be all that shocking, in line with ZK Research’s Zeus Kerravala.
“With BlueField, Palo Alto Networks has to port the software to it. They’ve gotta make sure that it’s optimized to run on BlueField,” he instructed The Register. “What Fortinet has with their security processing unit is silicon that’s optimized for what they do. It gives them a big price/performance advantage.”
The Fortinet Security Fabric provides one other benefit by offering operators a way to handle and lengthen coverage to every equipment centrally, Kerravala added. “Now that we’ve moved to this hybrid world where everything is distributed, that’s really the problem the fabric was created to solve.” ®