One of my readers sent me this question:
After reading this blog post and a lot of blog posts about zero trust mode versus security zones, what do you think about replacing L3 Data Center core switches by High Speed Next Generation Firewalls?
Long story short: just because someone writes about an idea doesn’t mean it makes sense. Some things are better left in PowerPoint.
Let’s start with raw numbers (and Fermi estimates). You probably need an order of magnitude more bandwidth within the data center than going out of the data center. If you have a 10GE WAN connection, you probably need 50+ Gbps of core bandwidth in your data center (web hosting companies are an obvious exception).
A single ToR switch can give you 1+ Tbps of linerate layer-3 forwarding performance. In reality, if you’d redesign most data centers with state-of-the-art equipment, you’d probably be left with 2 ToR switches and a single rack of servers.
I repeated my “Who has more than 2000 VMs” poll @ Interop Las Vegas. The result: a few people in a packed room (way less than 10% of the audience). Afterwards, I did a reality check with Chris Wahl, and he told me most of his customers are below 3000 VMs.
In comparison, you can get next-generation firewalls that work at 100 Gbps speeds, but one would probably be more expensive than the rest of your data center (Palo Alto needs 400 processors to get that performance, which is probably more cores than most companies need to run their application workload).
Next, placing a firewall in the middle of your data center makes absolutely no sense from a security perspective. You need a full-blown next-generation firewall either at the edge of your data center (the traditional architecture) or close to every VM (the microsegmentation approach), but not between internal VLANs – if an intruder breaks into a VLAN shared by multiple applications, it’s game over anyway.
Also consider that you’ll probably gain nothing by deep inspection of backup traffic, SQL queries or application JSON/RPC calls. Who will configure all that stuff? Also, don’t forget that most of the time packet filters might be good enough for intra-DC traffic generated by applications that use static port numbers (get lost, Microsoft Outlook).
Finally, if you really need full visibility into traffic within your data center (which you won’t get with a central firewall anyway, because you’d be missing all intra-VLAN traffic), deploy NetFlow or sFlow on your virtual switches… or, if you have a really big budget, go for Gigamon’s Visibility Fabric (hint: they run tapping VMs in promiscuous mode on every ESXi host).