F5 Launches Firewall for Data Centers
By Chris Talbot
F5 Networks is launching a data center-grade firewall designed to protect websites from cyber attacks. The technology competes with offerings from other vendors in terms of traffic capacity and cost.
F5 Networks has launched a data center firewall designed to protect public-facing websites from cyber-attacks while also competing with other vendors in the space on both traffic capacity and cost.
According to Dean Darwin, vice president of worldwide channel sales at F5 Networks, customers are beginning to recognize that the application delivery network is a prime place to fight off exterior threats. The latest release of the F5 BIG-IP series, which has recently been certified by ICSA Labs as a network firewall, is based on a new F5 structure and strategy that revolves around rolling out products designed to combat threats from the application delivery network.
Over the last six months, F5 has ramped up its strategy in the security market, but it has also been speaking with the channel about its products and security strategy much more frequently, Darwin said.
"We’re going pretty heavy into this space," he said.
With the ICSA Labs network firewall certification, F5 is building out its portfolio beyond its traditional firewalls, which have included web application firewall, SSL VPN and other ICSA Labs certifications, said Mark Vondenkamp, director of product management for F5 security solutions. He added that the addition of the network firewall certification rounds out the vendor’s firewall product portfolio.
"We’re basically positioning the company with a new data center firewall solution. The reason that we think it’s very relevant is the performance and scale that’s in the product, and the defence mechanisms that are built into the product compare directly against point DDoS appliance type solutions," Vondenkamp said.
According to Vondenkamp, the existing network firewall infrastructure doesn’t perform and scale well against today’s massive cyber-attacks. It also doesn’t protect Internet-facing web applications, he said. The reason is that many of the sophisticated attacks on the Internet today take advantage of blind spots in existing firewall infrastructure.
"You really need to be both smart and fast, and if you look at legacy solutions, you’re usually making big trade-offs when you go for one approach versus the other," he said.
BIG-IP version 11.1 includes multiple modules that can be deployed either standalone or layered, and it provides additional protection for DNS servers. It also provides customers with scalable web access management capabilities and single sign-on services. Vondenkamp said F5’s secret sauce is its Traffic Management Operating System (TMOS), which was designed to be "extremely smart and extremely fast."
"What this means to the channel is about 40% of our partners are what I consider to be security focused and have an enterprise business around their firewalls. Now they have another tool in their toolkit that they didn’t have before," Darwin said.
Although F5 is competing directly against other firewall vendors like Check Point and Juniper with the latest version of BIG-IP, he said the technology is also complementary to what other security vendors are doing. Partners may find situations where BIG-IP can be used along with products they have from other security vendors.
However, F5 is trying to change the metrics for competition. Vondenkamp noted that throughput is what most firewall vendors talk about, and they have architected their products entirely around throughput. It's not the most important metric for firewalls, though, he said. Instead, F5 is pushing the connections per second it is able to handle with BIG-IP firewalls. At the network and application layers, attacks are trying to overwhelm systems, and an infrastructure that does a poor job of setting up connections can't effectively protect those systems, he said.
"That’s the sleight of hand that, from the channel perspective, we’re seeing really resonate with the partners because the types of attacks coming in are not throughput-based, they’re connection-based," Darwin said.