Programmable Network Platform Empowers Scalable Firewall for the Network Edge

Background

With the deployment of 5G networks globally, the importance of network edge, particularly in terms of performance and programmability, is ever more critical for consumers and service providers. If you are unfamiliar with the concept, network edge is simply a distributed computing paradigm that brings computation and data storage as close to the point of request as possible to deliver low latency and save bandwidth. Network edge empowers service providers with the openness, agility, and scalability they need to deliver a full range of services and applications to their customers, efficiently and economically.

A key strategy or policy critical for leveraging the power of network edge is the Secure Access Service Edge (SASE). SASE (pronounced “sassy”) is an emerging concept that brings together WAN and network security services into a single, cloud-delivered service model. SASE allows enterprise networks to provide immediate, uninterrupted access to their users, no matter where they are located. This scalable and versatile “firewall” is essential for enabling maximum usability without compromising security in the fast-paced 5G era.

Requirements

The programmable network platform needed to meet the needs of cybersecurity in the evolved network edge. This architecture fully consolidates high performance computing, high speed switching fabric and massive storage into an all-in-one programmable hyper converged platform. As a result, the platform had to lower TCO and reduce CapEX and OpEX. What’s more, it needed to be NEBS-ready for high availability applications and offer terabit capacity networking with programmable telemetry in silicon.

Solution

Lanner collaborated with NoviFlow to deliver a scalable firewall solution. The integrated multivendor solution leverages modular hardware and software to provide 145 Gbps to 1 Tbps of scale-out Firewall service with unmatched remote configuration and monitoring, while delivering significant reductions in capital and operating costs, footprint and power consumption.

Key features of the scalable firewall solution:

All-in-one Modular Design

The hardware solution to this is the Lanner HTCA-6600 Series. Optimized for simple, scalable, and secure services at the network edge, Lanner HTCA-6600 Series is a white-box hardware platform that aggregates up to (12) 2nd generation Intel® Xeon® Scalable processors. What’s more, it can integrate up to two HLM-1100 high-speed P4-programmable Barefoot Tofino switching ASICs, and massive storage with support for precision time protocol (PTP), as an all-in-one modular network appliance.

SRv6 Support

The scalable firewall solution supports SRv6, making Firewall resources addressable from anywhere in the network. With SRv6, the Scalable NGFW can be part of a global network service chain reducing the need to overprovision Firewalls to meet peak local demand. With Noviflow VisualAnalytics, you can see trends in Firewall usage evolve over time, enabling capacity planning based on utilization. It also allows operators with network orchestration to divert traffic to underutilized firewalls and thus recover unused capacity.

P4 Programmable Networking

At the heart of the HTCA-6600 is the embedded hardware-based load balancer which utilizes the Barefoot Networks 3.2 Tbps Tofino programmable silicon. You get the flexibility of sophisticated load-balancing and traffic mitigation features written in software and executed in silicon at line rate. Utilizing this architecture built on commercial silicon, you eliminate the need to deploy expensive dedicated load balancers to scale out your firewall services.

Hyperscale Framework

There’s no need for a forklift upgrade of your firewall environment. Utilize your existing physical appliances seamlessly by connecting them to the switching fabric and add security blades to the HTCA-6600 platform as capacity is needed. With proportional load balancing, you can mix and match virtual and physical appliances with different throughput capacity, HTCA platform can be configured to load balance traffic for the capacity available for that device.

High Availability

The joint solution was designed to be resilient with multiple redundancies in the hardware platform. At the firewall service level multiple features were built into the hardware load balancer to deal with failures.

Programmable Network Platform Empowers Scalable Firewall for the Network Edge was last modified: August 31st, 2021 by Jorge Peregrina