Fortinet's latest firewall is like your kids' music – you're probably not ready for it, yet

Unless you happen to be in healthcare or finance or using AI on personal info or...

Firewalls play a significant role in securing today's datacenters, but the technology must evolve if it's to remain relevant, Fortinet VP of product Nirav Shah told The Register.

Enterprise datacenters are changing. Workloads don't just run on-prem – increasingly they're being deployed across multiple datacenters and clouds, he said. In line with these trends, the amount of traffic not only moving in and out of the datacenter — north-south traffic — but across the datacenter — east-west traffic — is increasing exponentially, driving operators toward higher-performance interfaces.

Dell'Oro Group expects shipments of 200Gbit/sec to 400Gbit/sec switches to more than double this year alone – driven in large part by AI and other bandwidth-hungry applications.

But while high-throughput, low-latency switching has been around for years, the approach compromises on security and may not be viable for highly regulated markets like healthcare or the financial industry, Shah claimed. The problem, he argued, is that most firewalls aren't well equipped to inspect traffic at these speeds. And those that can do it are either prohibitively expensive or too large and complex to implement and maintain.

Fortinet is no stranger to this challenge. The company's NP7 ASIC-based FortiGate 4200F and later 4400F firewalls, introduced in late 2020, brought 100Gbit/sec interfaces to a 4U chassis, with the 4400F offering north of 1.15Tbit/sec of firewall capacity. These firewalls specifically targeted high-performance datacenter and hyperscale customers.

New FortiGates

This week, the security vendor upped the ante with the FortiGate 3700F, which packs multiple 400Gbit/sec ports into an even smaller 2U chassis. The firewall does give up some raw capacity, though, coming in at 600Gbit/sec.

The 3700F isn't for everyone, yet, Shah admitted. It's aimed at customers dealing with large flows of sensitive data within and between private and cloud datacenters. Or as he put it, clients "building hyperscale datacenters for specific applications that need to [meet] compliance and performance requirements."

Healthcare is one market in which Shah sees strong demand for this class of high-performance firewalls, because they're often saddled with large quantities of highly sensitive data that may need to be moved between datacenters or the cloud to perform machine-learning tasks.

Meanwhile, financial institutions – particularly those dealing in high-frequency trading – need a security appliance that can keep up with millions of latency-sensitive connections every second, Shah said. "Ultra-low latency is equally important," he said.

The latest firewall supports latencies down to two microseconds, which, according to Shah, makes firewalls like the 3700F ideal for these environments.

While demand for these kinds of firewalls is limited to a few specific industries for now, Shah said he expects the majority of datacenters to follow a similar path eventually.

Zero-trust in the datacenter

Beyond supporting larger data flows, Shah also sees firewalls as a means to extend zero-trust principles deeper into the datacenter.

"This is where we think network firewalls in the datacenter play a critical role," he said. "We think that's going to play an important role for the universal enforcement of zero-trust network access."

While zero-trust network access is largely seen as a replacement for VPNs for remote access, Shah believes the technology can be applied to secure datacenter-to-datacenter traffic as well. Meanwhile microsegmentation – a technology often used in zero-trust architectures to ensure only those workloads that are supposed to talk to each other can – provides an avenue for securing application-to-application traffic within the datacenter.
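To make the two ideas above concrete, the north-south versus east-west split and the microsegmentation rule that only workloads meant to talk to each other can, here is an added Python illustration. It is not Fortinet code and models no FortiGate feature; the datacenter prefixes, workload labels, allow rules and sample flows are all constructed. It classifies each flow by direction and applies a default-deny allowlist to the east-west ones.

```python
"""Default-deny microsegmentation for east-west traffic: a self-contained
illustration (not Fortinet code). Prefixes, labels and flows are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: address space that counts as "inside the datacenter".
DATACENTER_PREFIXES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.20.0.0/16"),
]

# Constructed workload inventory: IP -> role label (the segment identity).
WORKLOADS = {
    "10.10.1.10": "web",
    "10.10.1.11": "web",
    "10.10.2.10": "app",
    "10.20.3.10": "db",
    "10.20.9.10": "batch",
}

@dataclass(frozen=True)
class Rule:
    src: str    # source label
    dst: str    # destination label
    proto: str  # "tcp" or "udp"
    port: int   # destination port

# Constructed allowlist: any east-west flow not listed here is denied.
ALLOW_RULES = {
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432),
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)

def classify_direction(flow: Flow) -> str:
    """East-west if both endpoints are inside the datacenter, else north-south."""
    if is_internal(flow.src_ip) and is_internal(flow.dst_ip):
        return "east-west"
    return "north-south"

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Only east-west flows go through the
    segmentation allowlist; north-south is left to the perimeter policy."""
    if classify_direction(flow) == "north-south":
        return ("perimeter", "north-south traffic, handled by edge policy")
    src_label = WORKLOADS.get(flow.src_ip)
    dst_label = WORKLOADS.get(flow.dst_ip)
    if src_label is None or dst_label is None:
        # An internal host missing from the inventory is denied and flagged.
        return ("deny", "unlabelled workload, review inventory")
    rule = Rule(src_label, dst_label, flow.proto.lower(), flow.dst_port)
    if rule in ALLOW_RULES:
        return ("allow", f"{src_label}->{dst_label} {rule.proto}/{rule.port} permitted")
    return ("deny", f"{src_label}->{dst_label} {rule.proto}/{rule.port} not in allowlist")

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.10", "tcp", 8443),  # web -> app, allowed
    Flow("10.10.2.10", "10.20.3.10", "tcp", 5432),  # app -> db, allowed
    Flow("10.10.1.11", "10.20.3.10", "tcp", 5432),  # web -> db directly, denied
    Flow("10.20.9.10", "10.20.3.10", "tcp", 22),    # batch -> db, denied
    Flow("10.10.5.5", "10.20.3.10", "tcp", 5432),   # unlabelled host -> db, denied
    Flow("203.0.113.7", "10.10.1.10", "tcp", 443),  # internet -> web, north-south
]

def run(flows=SAMPLE_FLOWS) -> list[tuple[str, str]]:
    return [evaluate(f) for f in flows]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, run()):
        print(f"{flow.src_ip:>13} -> {flow.dst_ip}:{flow.dst_port} {verdict:9} {reason}")
```

The design choice worth noting is that an internal host absent from the inventory is denied rather than allowed: in a default-deny model, an unlabelled workload is a gap in the segmentation, not an exception to it.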

"It's high time to [start] using microsegmentation in datacenters, and the firewall remains the central part of that," he said.

Taken as a whole, Shah argues that by doing all of this in the firewall, customers stand to eliminate the complexity of managing multiple platforms to achieve a zero-trust architecture.

Distributed firewalls gain momentum

Fortinet's firewall-centric approach to datacenter security could soon be challenged by a new breed of security appliances.

Data processing units (DPUs) from companies like Intel, Nvidia, and Marvell provide customers with an alternative that, with the right software, puts a small firewall in every server. Last summer, rival firewall vendor Palo Alto Networks demoed this capability by deploying its virtualized firewall platform on Nvidia's BlueField-2 DPUs.

The DPU functions similarly to a co-processor, offloading and accelerating Palo Alto Networks' packet filtering and forwarding capabilities from the CPU. And, like Fortinet's hyperscale firewalls, Nvidia claims this approach enables data flows previously thought impossible or impractical.

Asked whether Fortinet, which designs its own networking and security ASICs, would pursue a similar disaggregated approach to firewalls, Shah declined to comment – but didn't rule out the possibility. Such a product – a FortiDPU perhaps – wouldn't be all that surprising, according to ZK Research's Zeus Kerravala.

"With BlueField, Palo Alto Networks has to port the software to it. They've gotta make sure that it's optimized to run on BlueField," he told The Register. "What Fortinet has with their security processing unit is silicon that's optimized for what they do. It gives them a big price/performance advantage."

The Fortinet Security Fabric offers another advantage by providing operators a means to manage and extend policy to each appliance centrally, Kerravala added. "Now that we've moved to this hybrid world where everything is distributed, that's really the problem the fabric was created to solve." ®

Biting the hand that feeds IT © 1998–2022