CPX 2011: Security Gateways in the data center


At CPX 2011 I listened to some presentations that dealt with security gateways in data centers.
I got the impression that Check Point is only looking at the high-end facilities of large companies, because they talked only about multi-gigabit firewalls, Crossbeam, VSX, Multi-Domain Management and so on.
Since 1997 I have seen a number of data centers ranging from 250 m² to 2000 m² with networks of different sizes, and in the last few years I have worked for MSPs. The service providers have multi-gigabit uplinks to the internet and a 10 Gigabit Ethernet backbone, but these are pure routers; at this point there is no firewall or IPS functionality.
Depending on the customer there are a few different setups.
The first one is a dedicated type:
Figure: Dedicated customer setup in an MSP environment
Connected to the backbone are smaller networks that represent a customer or a customer project, such as a web shop. These smaller networks are protected by a perimeter firewall that handles all of their traffic. Normally a Fast Ethernet uplink is enough; some go with Gigabit Ethernet. Inside the different network segments Fast Ethernet is most likely enough as well.
A UTM-1 27x appliance can handle this traffic without problems. If you run backups through the firewall over Gigabit Ethernet interfaces, a UTM-1 57x will do the job and give you the full performance of your network interfaces.
Then we have the second type, also dedicated:
Figure: MSP dedicated customer environment
Here we have a front-end segment that contains, for example, the web servers. They have additional network interfaces that connect to the back-end network segment where the database or application servers are located, and an interface to the backup network. The firewall in this scenario only has to protect the whole environment against access from outside, so it just needs to handle the amount of traffic that corresponds to the uplink; traffic between the front-end and back-end segments crosses the servers' second interfaces, not the firewall, and is therefore not filtered there. Here you can easily go with a UTM-1 27x appliance.
The last type of data center infrastructure is the one where users access resources that are all protected by firewalls.
Figure: Internal firewall
The perimeter firewall protecting the path to the internet can be small; there is no difference from the first scenario. But the internal firewall that shields high-traffic servers such as file servers or backup servers needs to be multi-gigabit capable. This is the only scenario Check Point refers to when it comes to data center firewalls.
But to be honest, this is not so common in the real world. Most companies do not run internal firewalls, or they do not protect the servers that produce high network load, such as file servers. Or, also widely seen, these servers have only Gigabit Ethernet connections, so the firewall does not need to be that big.
So, what is my bottom line? Well: data center firewalls are not only about high performance and multi-gigabit throughput. The vast majority of SME customers have other needs.
But what are the requirements from an MSP perspective? First, the solution has to be cost-effective. At the moment customers are price-sensitive, and we have strong competitors such as Cisco with their ASA solutions in the market.
When I look at our first setup, we can have a firewall and management solution consisting of two UTM-1 272 appliances in a full cluster for $8,640. The same setup with two UTM-1 574 appliances is $16,200.
Check Point positions VSX and P-1 as the products of choice for a data center / MSP solution. But if we look at the numbers, what do we see? A VSX 2-core license with 10 virtual systems is $24,000, and the HA license is $19,200. Open servers such as the HP DL360 are about $5,000 each. So the firewalls alone are $53,200 in total, or $5,320 per customer. But we also need management. A proper Multi-Domain Management is $100,000 on a Smart-1 50 appliance for 10 domains, so management is $10,000 per customer. In total we have a price of $15,320 for a virtual firewall instance running in HA mode on a 2-core system, including management. In comparison, the UTM-1 272 cluster is $8,640.
A UTM-1 574 cluster costs $16,200, so the VSX cluster is cheaper by $880. But do we get the same performance for our money? Remember that the VSX is running on a 2-core license. With current server hardware and the proper amount of memory I would estimate a performance a little above a UTM-1 307x appliance, which is rated at 4.5 Gbps throughput. Divided by our 10 customers, this would be about 500 Mbps per customer for $15,320. The dedicated solution would be running at 2.5 Gbps for only $880 more. I know that in real life customers have different traffic profiles, so the performance actually available would be higher, but still. Remember Check Point's point for data center firewalls: multi-gigabit high performance.
It really takes a large number of virtual firewall instances running on powerful hardware, along with a big Multi-Domain Management, to create a cheaper solution (per customer) than a dedicated environment with appliances, even taking into consideration the additional cost of power consumption, rack space, climate control and so on for the dedicated solution.
And remember that the investment for a VSX / Multi-Domain Management solution is really high; you quickly need customers that use and pay for it in order to get your finances right.
That brings me to the point of when it is useful to go the “Check Point way” for data center firewalls and when not:
If you are running a huge data center as an MSP with lots of customers (100 and up) that all require a Check Point firewall solution for their environment, then it makes sense to use VSX and P-1, because it is cheaper and the management effort is lower than with dedicated solutions, which also saves money. Ideally you operate this as a managed service.
If your data center consists of smaller customer installations and you do not have that high a number of customers that require Check Point protection (or that are willing to pay that much money), you are better off with dedicated installations based on appliances. The investments are also smaller, and you can make them when needed.
Multi-gigabit is needed, but it can also be satisfied by small appliances. The need for Crossbeams and huge multi-core firewalls with numbers of 15 Gbps and up is rare, and most likely arises when you operate internal firewall systems that protect servers producing high network load.
To sum up: I would like to see Check Point move its focus away from purely high-end when it comes to data centers. There are lots of MSPs and data center providers out there that would love to have Check Point solutions in place if they were affordable, or if Check Point provided a pay-as-you-grow licensing model. The investment for hardware capable of multi-gigabit is not the big thing; the license is. Maybe start with the desired number of IP addresses and just one core? Add another core (or cores) if you need more performance and then pay for it. Install a VSX system with P-1 for only two customers and only pay for those two. Add more customer licenses when you have sold firewalls to new customers. I know that would complicate licensing, but it already is really complicated, so no big deal here.
It would be interesting to see whether Check Point adapts its thinking in the future.
