I am comparing Cisco Firepower vs Palo Alto vs Fortinet as options for a perimeter firewall.
Cisco is very strong in IPS and has been ranked #1 by Gartner there, while in the NGFW (next-generation firewall) Magic Quadrant Cisco is placed in the Challengers quadrant. Below I list a few features that Cisco did not provide in its Firepower models at the time of writing. Cisco is a fighter, though, and will very likely come up with these feature enhancements soon.
- Integrated antivirus
- Protocol scanning (HTTPS)
- SSL VPN
- Encrypted VPN Inspection
- SSL Client OS Support
Now let's throw some light on Fortinet as a product and its limitations. As a firewall, Fortinet has all the features an NGFW should have, but there is a lot of ambiguity in the market about it. Many would choose a Fortinet firewall for their environment, on-premises or in the cloud, but is that a good or smart choice? Should you go with Fortinet as your perimeter firewall? Some look to save cost for a better price/performance ratio, but is that wise? Let's discuss some of the limitations below. Fortinet is one of the few firewalls to offer WAN optimisation and similar extras, but do we really need those?
- Its attach rate for cloud-based sandboxing is low, and the feature has received few improvements since its first release. Some prospective customers with high-risk exposure still express doubts about Fortinet's ability to meet their security requirements.
- Fortinet does not offer the direct vendor support and premium subscriptions that large enterprise clients might require.
- Centralised and cloud-based management have not made enough progress to influence Fortinet's score positively in technical evaluations.
- WAN optimisation, which Fortinet supports and Palo Alto doesn't, is an additional feature that many environments will never use. It also does not work for encrypted traffic, so optimisation should be disabled for encrypted network traffic, and the following application control 2.0 features do not work in combination with WAN optimisation:
  - SSL interception
  - Virus scanning in the firewall
  - ATP (advanced threat protection)
Fortinet scores pretty well in Gartner's Magic Quadrant, but it is also a second choice where security is the deciding factor. One workaround for a better price/throughput solution would be to pair Cisco IPS devices with Fortinet firewalls.
Today I am looking at why one should be careful before choosing Kafka as the streaming backbone for a Lambda-based solution. While building a customer-centric solution, one might consider an alternative that is both better suited and cheaper. Let's first look at the characteristics of Kafka clusters; later this article discusses the characteristics of a Kinesis stream.
Characteristics of a Kafka Cluster:
- Kafka clusters are made up of 4 core components: topics, partitions, brokers, and Zookeeper
- Topics are used to group messages of the same type to simplify access by consumers
- Partitions are the ordered, append-only logs that hold a topic's messages. They can be replicated across several brokers
- Brokers are nodes in a Kafka cluster and can hold multiple partitions across several topics
- Zookeeper is an Apache service that Kafka (in the versions discussed here) relies on to coordinate brokers. This includes leader election for partitions, coordination between brokers, consumers and producers, and broker state tracking
Characteristics of a Kinesis stream:
- A single Kinesis stream is equivalent to a topic in Kafka.
- Each Kinesis stream is made up of a configurable number of shards.
- Shards are equivalent to partitions in Kafka terminology.
- Shards allow a stream to be scaled dynamically in response to demand fluctuations. To understand what a shard is, think of a single Kinesis stream as a highway and each shard as a lane. A Kinesis stream's throughput can be increased by adding more shards, similar to how a highway's throughput can be increased by adding more lanes.
- Producers attach a partition key to each record sent to Kinesis; the key determines which shard the record lands on. This is what controls how data is routed when shards are added or removed in a stream.
- The partition key is designed by the stream creator to reflect how the data should be split in case more shards are added.
- It is important to keep in mind that all of this is happening in a single topic/stream. Partition keys are used to determine how data is routed across shards within a single topic/stream.
- Example: A stream has a single shard but 4 producers, each attaching its own unique partition key to the data it inserts into the stream. Demand starts low, with 1 shard able to support all 4 producers. When demand increases, three more shards can be added for a total of 4 shards in this stream. Kinesis hashes each partition key onto the shards' hash key ranges, so if the split points are chosen to separate the four keys, each producer ends up with its own shard; with arbitrary split points two keys may still share a shard.
- A Kinesis stream has a minimum of 1 shard; the default per-account maximum (50 at the time of writing, region specific) is a soft limit that can be raised by request.
- Each shard can support up to 2MB/sec data read.
- Each shard can support up to 1,000 writes per second, for a maximum of 1MB/sec.
- Maximum size of a single data blob in a stream is 1MB.
- Default data retention per stream is 24 hours. Increasing this number will increase the per stream cost.
- The data retention can be increased in hourly increments up to a maximum of 7 days.
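The routing rule behind the partition-key bullets above is worth seeing concretely: Kinesis takes the MD5 of the partition key as a 128-bit integer and delivers the record to the shard whose hash key range (StartingHashKey..EndingHashKey, inclusive) contains it. The following is an added example, not code from the original post or from the AWS SDK; it reimplements that rule offline against a constructed shard layout (the shard IDs and the four producer keys are made up) to show the 1-shard and 4-shard cases from the example, including the caveat that four keys do not automatically land on four distinct shards.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set

HASH_KEY_SPACE = 2 ** 128  # Kinesis hash keys are unsigned 128-bit integers


@dataclass(frozen=True)
class Shard:
    shard_id: str
    starting_hash_key: int
    ending_hash_key: int  # inclusive, matching the Kinesis API's HashKeyRange

    def covers(self, hash_key: int) -> bool:
        return self.starting_hash_key <= hash_key <= self.ending_hash_key


def hash_partition_key(partition_key: str) -> int:
    """Documented Kinesis behaviour: MD5 of the UTF-8 partition key, read as a big-endian 128-bit int."""
    digest = hashlib.md5(partition_key.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def even_shards(count: int) -> List[Shard]:
    """Carve the hash key space into `count` contiguous, non-overlapping, equal-width ranges.

    This is the layout you get after splitting shards at their midpoints. The
    shard IDs are constructed here; real IDs are assigned by the service.
    """
    width = HASH_KEY_SPACE // count
    shards = []
    for i in range(count):
        start = i * width
        # Last shard absorbs any rounding remainder so the full space is covered.
        end = HASH_KEY_SPACE - 1 if i == count - 1 else (i + 1) * width - 1
        shards.append(Shard(f"shardId-{i:012d}", start, end))
    return shards


def route(partition_key: str, shards: List[Shard]) -> Shard:
    """Return the single shard whose range contains the key's hash; fail loudly otherwise."""
    hk = hash_partition_key(partition_key)
    matches = [s for s in shards if s.covers(hk)]
    if len(matches) != 1:
        raise ValueError(
            f"hash key {hk} matched {len(matches)} shards; ranges must partition the space"
        )
    return matches[0]


def shards_used(partition_keys: Iterable[str], shards: List[Shard]) -> Set[str]:
    """Which shards a set of producers actually exercise under a given layout."""
    return {route(k, shards).shard_id for k in partition_keys}


# Constructed producer keys standing in for the four producers in the example.
PRODUCER_KEYS = ["producer-A", "producer-B", "producer-C", "producer-D"]

if __name__ == "__main__":
    one = even_shards(1)
    print("1 shard :", sorted(shards_used(PRODUCER_KEYS, one)))
    four = even_shards(4)
    for key in PRODUCER_KEYS:
        print(f"{key} -> {route(key, four).shard_id}")
    distinct = len(shards_used(PRODUCER_KEYS, four))
    print(f"4 shards: {distinct} distinct shard(s) in use; "
          f"{'some keys collide' if distinct < 4 else 'one shard per producer'}")
```

Because the hash is fixed by the key, the only lever you have when resharding is where you place the split points; if a single producer must own a shard, choose split points around its key's hash (or use an explicit hash key) rather than assuming an even split will separate the keys.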
Amazon Kinesis Streams is a fully managed service that makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. It enables you to cost effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. Apache Kafka is an open-source streaming data solution that you can run on Amazon EC2 to build real-time applications. (AMAZON, https://aws.amazon.com/real-time-data-streaming-on-aws/)
I would like to give my views on how to select the right perimeter firewall. There are many in the market, but let's compare Cisco, Juniper and Palo Alto today.
NGFW products typically include unified threat management (UTM), non-disruptive bump-in-the-wire deployment, NAT, stateful packet inspection, virtual private network (VPN), an integrated signature-based IPS engine and application awareness.
Cisco ASA with FirePOWER Services provides an integrated defence with richer firewall features and threat detection and protection services than many other vendors. Cisco tops the field in IDS/IPS, but that is not the native role of a firewall; Cisco Firepower gives the power of both, yet it is a fairly new product. Firepower came to market last year and there is plenty still to assess. Cisco provides application visibility and control as part of the base configuration at no cost. Cisco licensing can be confusing, because separate licenses are required for next-generation intrusion prevention (NGIPS), advanced malware protection (AMP) and URL filtering.
Juniper support comes through channel partners. Juniper is a niche player in Gartner's quadrant. Juniper positions the SRX as the first NGFW to offer customers validated (Telcordia) 99.9999% availability (in its SRX 5000 line). Open attack signatures in the IPS also allow customers to add or customise signatures tailored to their own network. Overall a pretty good option, but Gartner is sceptical about their security vision. It may be the better choice in terms of throughput per dollar. One could pair a Cisco IPS with a decent Juniper model, since Cisco is the leader in IDS/IPS.
Palo Alto offers one license for the full UTM device. It is ranked #1 by Gartner with very few cautions in the Gartner review. Overall a good device with all the NGFW features and very little to question, except perhaps support, where its competitor Cisco may be slightly ahead.