WHITE PAPER: Scaling Network Security Performance with 100G

Consumption of applications and content is rising rapidly in the information era. The widespread adoption of mobile, BYOD, and SaaS technologies is increasing bandwidth demand for services and data being delivered from data centers and clouds worldwide. Additional trends such as the Internet of Things are further driving an explosion in the quantity of data being stored, as well as the vast potential of knowledge from analyzing and consuming big data.

Firewall and network security bandwidth requirements are increasing as a result, and they are accelerating further as the evolving threat environment drives security deeper into the core of the data center network. Consequently, network security speeds are quickly crossing the critical 100G threshold: both the need to inspect aggregate network throughput of 100Gbps or higher, and the need to support the high-speed 100 Gigabit Ethernet (100GbE) physical links transporting it.

Network Security Migrating from the Edge to the Core

Firewalls and network security were long considered a perimeter defense, keeping the bad guys out and containing confidential data inside. But as threats have become more sophisticated, the perimeter has become porous, and recent high-profile security breaches such as at Home Depot and Target demonstrate that hackers are often roaming within the network and data center for weeks or months. The notion of security as an edge technology is therefore long antiquated, and today network security must push deeper into the core of the internal network to segregate sensitive data and to detect malicious behavior of hackers probing and moving laterally within the data center.


“In preparation for impending infrastructure build-outs, many organizations are looking for platforms like the FortiGate-3810D with more than 100-Gbps throughput; history has shown that the need for additional performance only increases.”

Jeff Wilson, Principal Analyst, Infonetics Research


Network security bandwidth must therefore increase to capture both WAN/edge (i.e., north-south) and internal east-west traffic. Studies by network equipment manufacturers have found that typically about 76% of data center traffic is east-west, for example moving within the data center from server to server, servers to storage, etc., while only 17% of traffic is north-south exiting the data center (i.e., to the Internet), with the remaining 7% being inter-DC traffic.[1]

And as enterprises adopt even finer-grained segmentation, performance requirements increase further. The Fortinet Internal Segmentation Firewall (ISFW) provides greater internal segmentation and visibility by enabling security to be deployed not at the network core, but deeper towards the access switching layer. The closer the network segmentation resides to the server workloads and data, the greater the proportion of east-west traffic must pass through network security inspection points.

Making the 10X Jump from 10GbE to 100GbE

To support the high volumes of data center traffic, 10Gbps Ethernet (10GbE) has become the common high-speed interface of choice for data center switches today. But the IEEE 802.3 Ethernet Working Group projected that core network bandwidth requirements are doubling every 18 months, hastening the need for organizations to upgrade to higher-speed interfaces such as 100 Gigabit Ethernet (100GbE) and soon beyond. Server virtualization and consolidation are increasing virtual port density and traffic, further driving higher-speed 40GbE and 100GbE uplinks from rack switches to the data center core rather than less efficient link aggregation (LAG) of multiple 10GbE ports.

Analysts project that by 2017, 40GbE and 100GbE switches could make up about 40% of data center switch sales vs. 10% today (see Figure 1). An Infonetics Research survey found that with 51% of IT professionals expressing a need for 100GbE within a few years, a large number might skip 40GbE altogether and make the jump from 10GbE directly to 100GbE.[2]

Flatter Networks for Scale-out Data Centers

East-west traffic is increasing due to a number of factors, including multi-tiered application architectures, virtualization capabilities like VM migration to increase availability and resource efficiency, replication, and other features that support high availability and disaster recovery. Traditional three-tier networks are hierarchically oriented around traffic moving north-south, while two-tier leaf-and-spine topologies can ensure fewer hops and lower latency for east-west traffic between any pair of servers. Hence there is renewed interest in these flatter Layer 2 networks, which can also be more easily scaled with additional switches and racks for building out highly elastic data centers and clouds.

This further drives the use of higher-speed 40GbE and 100GbE uplinks between the leaf-and-spine switches. But by providing direct links from leaf switches to each and every spine switch, this increases not just the speed but also port density of high-speed interfaces that need to be supported by firewalls and network security appliances, in addition to supporting speeds now reaching into multiples of 100Gbps+ throughput.

Industry Use Cases for 100G

Network bandwidth is increasing for organizations of all types, but there are some industry segments whose particular needs are accelerating 100G adoption, including research and education (R&E), financial services, and Internet/SaaS. While adoption may reflect specific industry factors, in the long run they foreshadow networking trends that will soon generalize to enterprises as a whole.

Research and Education

The R&E community has been involved with building out high-speed research and scientific networks like the U.S.-based Internet2 consortium’s 100Gbps wide area network, which is also internationally peered with dozens of like efforts in other countries. As universities and research organizations upgrade their Internet2 and scientific network connections to 100Gbps WAN links, many are also often making the jump from 10GbE to 100GbE fabric in their core networks.

FIGURE 1. Data Center Switch Adoption by Port Speed (Source: Crehan Research)

1. Cisco Global Cloud Index, 2012

2. Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, Infonetics Research, 2013

As many universities, government, and industry organizations have encountered challenges with their existing firewall solutions when employing high-speed networks, they are also looking to adopt 100GbE security appliances that maximize the utility of the R&E networks. For example, the U.S. Department of Energy (DoE) ESnet is often used to transfer large scientific data sets, such as from a remote scientific instrument or facility, over the WAN. And each day the Internet2 network carries approximately 2 petabytes of information, with common file or data transfers of 1-2 terabytes each.

But most existing firewalls can only support line rate when traffic consists of many smaller flows. Without high-speed internal processing paths, a single high-speed data transfer, even when passing through a 10GbE firewall port, is throttled down to 1Gbps or less, negating many benefits of these R&E networks. Congestion from student and/or other campus user traffic can also bottleneck firewall appliance resources such as RAM or CPU at peak times, further disrupting high-speed scientific flows. Thus R&E organizations also need additional support for high-speed individual scientific flows on 100GbE ports, as well as acceleration of IPv6 traffic forwarding in hardware.

Financial Services

Access to information and real-time data is paramount in the knowledge-driven financial services sector, driving demand for higher network bandwidth, low latency, and scalable architectures. Traditionally early adopters of the latest networking technologies, financial services firms are also leading the adoption of 100Gbps networks and 40G/100G connectivity. Transatlantic exchange operator NYSE Euronext announced the world’s first 100Gbps backbone as early as 2009 for an ultra-low-latency, high-speed trading network to support data centers including New York and London.[3] Meanwhile, 100G regional/metro networks being deployed to New York and New Jersey financial markets are driving broader opportunities for 40GbE/100GbE core network upgrades.

As the financial services industry continues to recover from the global economic crisis, many firms are increasing efficiencies by consolidating data centers and hardware. Many are also adopting scalable cloud and IT infrastructure to be able to be agile and customer-centric, as they evolve in the post-recovery landscape.

Banks and their customers have long been targeted by hacking groups, but the aggressive threat environment is further compounding the security challenges for financial services firms. Recently it was uncovered that a single organized hacker ring was able to steal nearly $1 billion by breaking into over 100 banks and roaming their internal networks for months, pulling back the covers on the systemic nature of the threat to the industry.

All of these trends validate the need for financial services firms to drive security deeper into the network, increase security bandwidth, and support high-speed, low-latency architectures such as with 100GbE interfaces.

Internet and SaaS

Internet and social media companies like Google, Yahoo, and Facebook, whose data centers are their business, are leading the charge along with SaaS vendors in adopting hyperscale computing that can deliver rich content and scale with extreme user demand from hundreds of millions of users. Technologies including converged infrastructure stacks, server and storage virtualization, web-scale application infrastructure, and network virtualization/SDN are leading to even greater bandwidth demands and east-west traffic. A recent survey of 1,600 U.S. and European IT professionals found that while 70% expect to deploy 100GbE within the next 24 months, tellingly 97% of those identifying as hyperscale companies agreed with the need to upgrade to higher-speed interfaces vs. only 48% of the non-hyperscale companies.[4]

FIGURE 2: Research & Education innovations around 100GbE networks (Source: Internet2)

3. http://www.finextra.com/news/fullstory.aspx?newsitemid=19994

High-profile thefts of passwords or personal content from millions of users of Dropbox, Snapchat, and other services also highlight the importance of securing not just the primary SaaS or social media vendor’s data center infrastructure, but also their entire ecosystem of related and complementary services with privileged connections.

Communications Service Providers

Many Internet and SaaS vendors in turn rely on public clouds from service providers to provide scalable infrastructure on a utility basis. IaaS and PaaS cloud providers must therefore not only employ hyperscale data centers with multi-tenant infrastructure that can elastically scale to arbitrary customer demand, they must also ensure tenant isolation and confidentiality on their shared network and server environments.

Driven by the proliferation of high-bandwidth, rich multimedia-capable mobile devices, the development of hyperscale computing for public cloud (IaaS/PaaS/SaaS) and other multi-tenant services, the development and delivery of Rich Content Services and the introduction of international regulation, such as the European “Roam Like at Home” (RLAH) directive, communications service providers including telcos and 4G/LTE wireless operators, managed service providers, and MSSPs (managed security service providers) have become key adopters of higher-speed 40GbE and 100GbE networks.

Fortinet Leads the Way with 100G Security Solutions

Fortinet offers a variety of both 40GbE and 100GbE FortiGate solutions to address different enterprise and provider needs. All FortiGate models offer both a high-performance data center firewall as well as a consolidated security platform that can support a full complement of FortiGuard threat services including IPS, anti-malware, and application control.

Breaking the 1Tbps Barrier for Provider Scale Networks

Typically carrier and provider scale networks require specialized architectures that offer greater redundancy and resiliency in addition to much higher performance. Gartner Research highlighted the distinct requirements of carrier and provider-scale networks by recently introducing and formalizing the definition of the Carrier-Class Network Firewall (CCNFW)[5], to distinguish it from enterprise and campus use cases such as next-generation firewalls (NGFW). In particular, Gartner noted that 10GbE connections were no longer sufficient and called out 40G/100G as a key buying criterion.

Fortinet surpassed all vendors by introducing an all-new chassis solution with the FortiGate 5144C, marking the world’s first firewall that can exceed 1Tbps of aggregate firewall throughput. Featuring a dual dual-star architecture and a 40Gbps backplane for efficient traffic distribution and high availability, the 5144C can leverage new high-speed 40GbE and 100GbE controller blades to pool security horsepower from up to a dozen FortiGate-5001D security blades, each powered with the latest FortiASIC NP6 network processors.

Redefining the Next Generation of Data Center Firewall (DCFW) with 100GbE

Utterly unique on the market, Fortinet has redefined the upper limits of enterprise security offerings with a superclass of next generation firewalls that deliver both high performance and advanced security for high speed networks, without compromising one for the other.

Designed to meet the needs of modern data centers that are faced with an evolving threat landscape while accommodating rapid mobile growth and network capacity, the newly available FortiGate 7000E series delivers the advanced security capabilities to protect organizations from known and unknown threats often hidden in encrypted traffic, without sacrificing performance and ease of deployment.

Ideal for deployment at the data center edge or core, the 7040E series delivers high density 10GbE, 40GbE and 100GbE interfaces in a compact chassis design. The 7040E series leverages the latest Fortinet FortiASIC™ CP9 technology to deliver high performance support for critical security services such as SSL traffic decryption and inspection, advanced NGFW protection, and VPN Suite B cryptography. Unlike any in the industry, the FortiGate 7040E supports full pattern matching of IPS signatures in hardware, to deliver deep inspection at record speeds. To facilitate ease of deployment, the 7040E comes pre-configured in six different configurations tailored for customer needs.

4. Emulex Study Reveals Bandwidth and Network Speeds Exploding with Web-scale Deployments, http://www.emulex.com/pr/2014-1028/

5. Competitive Landscape: Carrier-Class Network Firewalls, Gartner Research, October 2014

By retaining an enterprise form factor of 3U or smaller, these data center firewalls have a compact size and power efficiency that make them ideal for next-generation enterprise data centers and private clouds that need more performance and scalability than the status quo. Perhaps just as important is that this unprecedented approach leads to cost efficiencies that enable Fortinet to deliver 10X the price/performance ratio of lower-performing vendor offerings. They avoid the cost and complexity of a chassis solution while still offering mission-critical data center features such as clustering and high availability, and the ability to manage hundreds of virtual domains for cloud or multi-tenant use cases.

Fortinet’s 40GbE and 100GbE data center offerings are a future-proof investment for today’s common 10GbE fabric as well, as these models simultaneously offer the highest 10GbE port densities available. With support for 28 to 60 SFP+ interfaces instead of the dozen or less offered by all other vendors, these models can support large, flat 10GbE networks being deployed now, while handling network switch upgrades to 40GbE/100GbE fabric in coming years without risk of obsolescence.

Conclusion

Increasing user demand for bandwidth due to adoption of cloud, big data, and SaaS is driving the adoption of new data center architectures and high-speed 40GbE and 100GbE networks. Fortinet has been leading the way with the highest-performing solutions and innovative approaches that deliver 10X the performance of traditional vendors, with models and features appropriately designed for all enterprise and service provider use cases.

Traditionally, most data center firewall appliances top out at 40-60Gbps; as such, no other vendor has been able to justify higher-speed ports above 10GbE in enterprise appliances. But with models such as the FortiGate 3800D series, Fortinet now offers the only non-chassis solutions for 40GbE and 100GbE connectivity.

FIGURE 3: FortiGate 7040E

FIGURE 4: FortiGate 3810D delivers the world’s first 100GbE security in a compact appliance

Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
905 rue Albert Einstein
Valbonne 06560, Alpes-Maritimes, France
Tel: +33 4 8987 0500

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA SALES OFFICE
Paseo de la Reforma 412 piso 16
Col. Juarez
C.P. 06600 México D.F.
Tel: 011-52-(55) 5524-8428

June 30, 2016