Convergence and the Data Center

Convergence and the Data Center

Enterprise firewalls and intrusion prevention systems (IPS) have been converging at the perimeter and network core for almost a decade now. The same desire to simplify the deployment, management, and maintainance of security appliances is now pushing enterprises to demand one piece of equipment to replace the traditional deployment of two — the data center firewall (DCFW) and the data center intrusion prevention system (DCIPS).

NSS is referring to this new product class as the data center security gateway (DCSG). A DCSG delivers high performance and deep inspection to protect north/south traffic traveling into and out of server-based assets that are typically deployed in the data center environment. At a high level, a DCSG = Firewall + IPS.

Historically, performance and latency concerns have been the biggest hurdles to combining these technologies in the data center, but that has changed in recent years. NSS expects to see converged devices that are built on existing next generation firewall (NGFW) platforms but that scale back the next-generation features to ensure there are no compromises with regard to performance and latency.

NSS expects DCSGs to incorporate the following functionality and capabilities:

  • Support redundancy and high availability
  • Integrate firewall and IPS modules, with the focus on policy-driven performance capability for server-based deep packet inspection (DPI) protection
  • Support both for extremely low latency and for a large number of concurrent connections
  • Protect against micro-bursting

NSS does not expect DCSG solutions to have on-box SSL inspection capabilities, since they will likely offload these to other systems either in the data center or in the cloud.

NSS is currently working with both vendors and enterprises to better define the emerging DCSG market segment and to this end has created a test methodology to determine which existing products in the market meet enterprise needs for converged appliances. 

The NSS DCSG v1.0 Test Methodology is available here. Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

TAGS: data center security gateway, DCFW, DCIPS, DCSG, IPS, Next Generation Firewall, NGFW