Firewalls come in many shapes and sizes but all have one common requirement: to permit authorised network traffic to flow while blocking unauthorised network traffic. What constitutes authorised and unauthorised traffic can vary enormously, from matching packets with specific network addresses, all the way up to examining and making decisions based upon the content of application layer protocols such as malicious code embedded within a web page.
Firewalls are generally implemented in two ways:
This reflects the desired use case; the former being a standalone network device designed to police network traffic through it while the latter specifically polices traffic between its host and its connection to the network.
Until relatively recently, the time it takes for a firewall to inspect and forward packets, or its latency, has not really been an issue. In general, as long as it took no more than a handful of milliseconds, there used to be no material impact on application traffic flowing through it. For example, adding milliseconds to requesting a web page from a web server or an application requesting and receiving the results from a database query is essentially unnoticeable.
Firewall latency however has become much more relevant to application performance as network bandwidths have increased, allowing the disaggregation of shared resources such as flash-based storage. Network latency matters in these cases where applications communicate with a resource via a "chatty" protocol, often designed to deal with local resources, involving multiple request-response exchanges.
An example of this is checking whether a file has been modified recently before copying it, reading it or modifying it. Local hard drive access times are in the tens of milliseconds with local flash-based storage dropping that to a few hundred microseconds. Adding a firewall with a latency of say, 10 ms between the client and remote flash storage, will have a noticeable impact on perceived performance. In these scenarios, unless a firewall has well under a microsecond of latency, the only real alternative is to not implement a firewall at all, leaving a potentially serious security hole.
Example: Electronic Trading and Firewalls
In the world of time-sensitive electronic trading, technologies such as FPGAs have caused trading latencies to continue to fall, and determinism/consistency to improve. A firewall adding milliseconds or even microseconds of latency to trading connections would not be acceptable as it would not allow responses to rapidly-moving markets to be competitive. Trading clients co-located with the exchange connected directly to exchange gateways have the assurances of being on a physically isolated network, however, clients not co-located within the exchange or passing via an ECN or broker do not necessarily have this guarantee of network isolation.
Some exchanges even mandate that brokers or ECN's implement a firewall with defined security policies between themselves and the client. For example, the Korea Exchange (KRX) mandates that brokers offering access to clients, have a suitable firewall in place to ensure that clients are isolated from each other and from the broker and exchange, and to delineate broker-side infrastructure from trader-side infrastructure.
MetaProtect™ Firewall - introducing low-latency security
Metamako's MetaProtect Firewall is implemented as a 1 RU, 48-port 10GbE security appliance. It is specifically designed to filter traffic between ports securely with an optimised latency. Latency through MetaProtect with filtering applied is as low as 130 nanoseconds. In scenarios where filtering is only required in one direction of a connection, the latency through MetaProtect in the other, unfiltered direction with no filter applied, is a mere 5 nanoseconds.
Unlike many other firewalls on the market, MetaProtect is designed to secure up to 32 individual 10GbE links in parallel. It is also capable of handling full line rate at all frame sizes on all ports simultaneously. This, coupled with its ultra-low latency, makes it particularly attractive for protecting links between high-performance servers and remote flash storage as well as isolating electronic trading clients from each other when connecting to a broker's network switch.
In terms of filtering, MetaProtect offers Layer 2 (Ethernet), 3 (IP) and 4 (TCP/UDP) filter access control lists (ACL). Each of the 32 filters' ACL may contain up to 510 entries. MetaProtect also provides detailed logging of packets that fail to match the relevant filter's ACL, allowing immediate alerting to potential network misconfiguration and complying with most financial exchange's requirements for client access via brokers.
- A number of use cases exist to which applying the latency of traditional firewalls creates a severe performance impact
- Metamako's MetaProtect™ Firewall is a 1 RU, ultra-low latency security appliance with 48 SFP+ ports
- 32 individual filters implemented via ACLs containing up to 510 entries may be applied individually to any port
- Latency through the firewall on a port with a filter applied is 130 nanoseconds
- Latency through the firewall on a port with no filter applied is 5 nanoseconds
- ACL rules may be Layer 2, 3 or 4
- Every packet failing an ACL is logged