SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Video: 10 Minute IT Jams - SonicWall director of product management on the importance of multi-instance

Mon, 7th Mar 2022

Multi-instance network security is changing the way large organisations and universities protect their data and manage traffic. That was the clear message from Malik Avati, Director of Product Management at SonicWall, in a comprehensive interview explaining the advantages and implementation of this new security technology.

Avati outlined how the advent of multi-instance architecture marks a step-change from traditional multi-tenancy in network firewalls, a feature that, he says, has long been needed by enterprise businesses, universities and large data centre operators.

Speaking during a session in SonicWall's IT Jam series, Avati explained: "Let me start with one of the key capabilities that we have introduced on our Generation Seven NSSP firewall platform - multi-instance. Multi-instance is modern and the next generation of multi-tenancy capability, which has been there for the past several years in the industry. It takes a modern approach for network security segmentation for large enterprises and also some data centre deployments."

Traditional multi-tenancy, Avati explained, is the older, legacy approach, where multiple users or departments share the same physical hardware resources, such as CPU, memory, and interfaces. Effectively, the system creates virtual or logical partitions, all running off a single operating system. While this approach does allow for a degree of segmentation, it has evident flaws.

"When there's just one instance on the system, a single tenant can pretty much bring all the systems down," Avati said, highlighting the lack of built-in fault tolerance. "If one tenant or virtual connection takes up all the resources on the CPU or bandwidth, then the entire system gets affected, as do the rest of the tenants. It doesn't provide the resource starvation protection," he added.

He also pointed out the risks posed by software bugs or instability: "If there's an issue with that one operating system, the rest of the tenants also get affected. That's a major challenge we keep hearing from our customers."

In response, SonicWall developed a new multi-instance architecture based on container technology, designed to overcome these deficiencies. "Container-based architecture basically addresses all the challenges that we just talked about," Avati explained. "For example, fault tolerance, resource resistance, and also having these tenants independently running. They have their own operating systems, their own data planes, their own management planes, which basically solves the majority of the problems."

The practical upshot of this technology is that security administrators can "configure and run multiple independent instances on the same physical hardware", meaning that even if one instance faces an issue, the rest remain unaffected. "It also gives the admin a choice to choose the right size firewall instance, and accordingly allocate the number of cores or front panel ports and the operating system independently," he said.

This granular separation is especially vital for organisations managing diverse departments or environments on a single system. Avati gave the example of universities: "Universities also have student lounges where you want to completely isolate the student traffic from the production traffic when it goes through the firewalls." In addition, research departments and core networks can be separated, ensuring that development environments, production applications, and research data all enjoy independent security and performance settings.

The SonicWall NSSP 15700 firewall, a flagship product for the company, exemplifies this multi-instance approach. "We take pride in our NSSP series and especially the 15700. It is one of our high end, ultra-high-end firewalls for large enterprises, data centres, and also some university deployments that we have seen," Avati said.

The hardware capabilities of the 15700 include high-speed processors, extensive memory and storage, and up to 100 gigabits of qualified connectivity, which Avati described as "essential for large organisations or even data centres when they are trying to consolidate their networking and routing stack. It provides a perfect platform for all the consolidation efforts."

From a performance perspective, Avati noted impressive statistics: "The box itself is capable of around 100 gigs of stateful firewall inspection, close to 80 gigs of threat prevention and application throughput performance, and support for about 80 million connections. It also provides around 4 million decrypted TLS and SSL connections."

He added that, given the rising prevalence of encrypted threats and ransomware, robust decryption and inspection are more critical than ever: "Today, all the ransomware threats, those threat actors are leveraging encrypted threats."

Cost is always a concern at the enterprise level, and Avati emphasised SonicWall's commitment to favourable total cost of ownership (TCO). "With all the security features, with all the throughput, performance, and flexibility that you get, the TCO compared to the rest of the vendors has lots of advantages," he asserted.

SonicWall's approach to implementing these technologies for customers is grounded in partnership and planning. "It's always about proper planning. Our sales team works with the customer to actually understand what the requirements are, what the sizing is, and accordingly recommend a certain firewall in the NSSP series," Avati explained. Once the appropriate product is identified, SonicWall's professional services and solutions architects guide clients through the deployment, ensuring that the network and security architecture meet business needs.

One noteworthy addition for new NSSP buyers is the inclusion of professional help at no additional charge. "When a customer buys the security subscription licence, it comes with 60 days of professional services consultation and implementation, and that's included free of cost," Avati said.

For those considering the technology, Avati recommends reaching out via their local SonicWall resellers and partners, or visiting the company's website for detailed product overviews, white papers, and free trial opportunities.

He concluded, "We took a different approach, and that's one of the key differentiating approaches that we have taken when you compare the same solution with the rest of the other providers."
