
Strategic Re-routing with Equal-Cost Multi-Path (ECMP) – New in SonicOS 6.5 for Firewalls

As intranet networks grow and evolve over time, duplicate, or even multiple, paths are often created to reach a destination. As these paths evolve and get more complex, they can result in failed links. Interior Gateway Protocols provide fast re-routing around these failed links using link-state algorithms, such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS). Enterprise networks deploy OSPF much more often. However, I have seen carrier networks that prefer IS-IS, especially when acquiring other networks’ addresses.

Link-state algorithms do an excellent job of fast re-routing inside their areas, because they detect link failure and because each Layer 3 device holds a topology of its intra-area network. (Outside of a single area, networks rely more on a distance-vector routing protocol, but that is for another blog.) Link-state algorithms also let us take link speed, or cost, into consideration when determining the best path. This comes in handy when doing prefix evaluation, but it also gives us the ability to have multiple equal-cost paths to a destination.

Equal-Cost Multi-Path (ECMP), which is supported in SonicOS 6.5 for SonicWall’s next-gen firewalls, is an egress routing method used when you have multiple interfaces pointing to a destination. Equal-cost routes are added to the connection cache for session setup. As sessions are created, SonicWall hashes the packet’s 5-tuple to decide which path the session will use to egress toward the next hop. A 5-tuple is comprised of the source IP address, source port number, destination IP address, destination port number and the protocol (TCP, in this case). Do not confuse this with per-packet load balancing. That was tried many years ago and caused out-of-sequence packets: smaller packets sent after a large one could egress faster and arrive first, and this broke applications even though out-of-order delivery is permitted by the TCP specification. This is why you want sessions to stay on one interface, rather than multiplexing packets across the interfaces you have configured with ECMP.

So, what do you want to look out for when designing a network with ECMP?

First off, who are your downstream neighbors, and how are they configured? I mentioned that ECMP is an egress routing method. Typically, you would use ECMP when you are not connecting multiple interfaces to the same device: the connections are not 1:1 from Device A to Device B, but rather from Device A to Device B/C/D, etc. When multiple links do go to the same device, you would use some type of link aggregation for that design instead.

If your downstream device is a session-aware device, such as a firewall, it may look at the source prefix and report that it has detected IP spoofing. This is due to the arrival of a packet from a source on an interface that is not consistent with the routing table. For example, if the firewall expects 1.1.1.1 to arrive on X4 but instead sees it on X3, it will report IP spoofing.

Two other scenarios can also trigger an IP spoofing message in the firewall log and drop the session. One is if you have a router performing Reverse Path Forwarding (RPF) checking to create a loop-free multicast network. Another is if you are genuinely looking for malicious spoofed-source IP addresses.
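To make the IP spoofing symptom concrete, here is an added example (not SonicWall code) of the Reverse Path Forwarding check a session-aware device performs on a packet's source address, in strict and loose mode, against a constructed routing table. The interface names follow the X3/X4 convention in the post; the prefixes, the 1.1.1.0/24 route and the packets are assumptions made up for the illustration. It shows why a source that the table expects on X4 is flagged when it arrives on X3, and why listing X3 as an equal-cost path for that prefix makes the same packet acceptable.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table: prefix -> list of equal-cost egress interfaces.
# Values are assumptions for this example, not a real SonicWall configuration.
ROUTING_TABLE: Dict[str, List[str]] = {
    "0.0.0.0/0": ["X1"],            # default route toward the internet
    "1.1.1.0/24": ["X4"],           # the post's example: 1.1.1.1 is expected on X4
    "10.20.0.0/16": ["X3", "X4"],   # an ECMP prefix reachable over two interfaces
}


def lookup(src: str, table: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Longest-prefix match for a source address.

    Returns (prefix, egress interfaces) or None when no route covers the address."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, List[str]]] = None
    for prefix, ifaces in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return (str(best[0]), best[1]) if best else None


def rpf_check(src: str, ingress: str, mode: str = "strict",
              table: Dict[str, List[str]] = ROUTING_TABLE) -> Tuple[bool, str]:
    """Reverse Path Forwarding check on one packet.

    strict: the ingress interface must be one of the interfaces the route back to
            the source uses (any of them when that route is ECMP).
    loose:  a route back to the source merely has to exist.
    Returns (accepted, reason) so the reason can be written to a log line."""
    route = lookup(src, table)
    if route is None:
        return False, f"drop: no route back to {src}"
    prefix, ifaces = route
    if mode == "loose":
        return True, f"accept: route {prefix} exists for {src}"
    if ingress in ifaces:
        return True, f"accept: {src} via {prefix} expected on {ifaces}, arrived on {ingress}"
    return False, f"IP spoof: {src} via {prefix} expected on {ifaces}, arrived on {ingress}"


def with_ecmp_path(table: Dict[str, List[str]], prefix: str, iface: str) -> Dict[str, List[str]]:
    """Return a copy of the table with iface added as an equal-cost path for prefix."""
    updated = {p: list(i) for p, i in table.items()}
    if iface not in updated[prefix]:
        updated[prefix].append(iface)
    return updated


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    for src, ingress in [("1.1.1.1", "X4"), ("1.1.1.1", "X3"),
                         ("10.20.7.9", "X3"), ("10.20.7.9", "X4")]:
        print(src, ingress, rpf_check(src, ingress))
    fixed = with_ecmp_path(ROUTING_TABLE, "1.1.1.0/24", "X3")
    print("after adding X3 as an equal-cost path:", rpf_check("1.1.1.1", "X3", table=fixed))
```

Loose mode makes the symptom disappear, but it also stops catching packets that arrive on the wrong side of the firewall; the fix that keeps the check meaningful is to make the downstream routing table agree with the upstream ECMP design, so every interface a session can legitimately arrive on is a path for that prefix.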

Another scenario I’ve seen before is where, after the hashing of the 5-tuple has occurred, the balance of sessions puts all of the sessions on one interface. It is the result of another ECMP hash that was performed on the same 5-tuple upstream, before those sessions were received. Since the upstream device has already hashed, and handed this device only the set of sessions that produced one hash value, hashing them again yields the same value, and hence they all land on the same interface. A quick fix is to have the upstream device reduce the 5-tuple to a 4-tuple, so that the downstream device computes a different hash value for the same sessions.
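The following is an added example (not SonicWall code) that simulates the hash polarization just described and the 4-tuple fix. SHA-256 stands in for the vendor-specific hash, which is an assumption; the sessions, addresses (RFC 1918 clients talking to a TEST-NET-1 server) and the two-path topology are constructed for the illustration. An upstream device splits sessions over two paths by hashing the 5-tuple; the downstream device receives only the sessions that hashed to path 0 and, if it applies the same hash, puts every one of them on its own interface 0. Hashing a different set of fields restores the spread.

```python
import hashlib
from typing import List, Tuple

# (src_ip, src_port, dst_ip, dst_port, protocol)
Flow = Tuple[str, int, str, int, str]


def flow_hash(fields: Tuple) -> int:
    """Stable hash over the chosen header fields. SHA-256 is an assumption standing in
    for the hardware hash; any deterministic function shows the same polarization."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def pick_path(flow: Flow, n_paths: int, fields: str = "5tuple") -> int:
    """Choose the egress path index for a session.

    '5tuple' hashes all five fields; '4tuple' drops the source port, the kind of
    reduction the post describes as the fix. Every packet of a session gets the
    same answer, so the session stays on one interface."""
    key = flow if fields == "5tuple" else (flow[0], flow[2], flow[3], flow[4])
    return flow_hash(key) % n_paths


def distribute(flows: List[Flow], n_paths: int, fields: str = "5tuple") -> List[List[Flow]]:
    """Bucket sessions by the path each one hashes to."""
    buckets: List[List[Flow]] = [[] for _ in range(n_paths)]
    for f in flows:
        buckets[pick_path(f, n_paths, fields)].append(f)
    return buckets


def make_flows(n: int) -> List[Flow]:
    """Constructed sessions: distinct clients in 10.1.0.0/16 to a server at 192.0.2.10:443."""
    return [(f"10.1.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 443, "tcp")
            for i in range(n)]


def polarization_demo(n_flows: int = 400, n_paths: int = 2) -> dict:
    """Upstream hashes the 5-tuple; downstream sees only what arrived on upstream path 0."""
    flows = make_flows(n_flows)
    arrived = distribute(flows, n_paths)[0]
    same_hash = distribute(arrived, n_paths)             # downstream reuses the 5-tuple
    four_tuple = distribute(arrived, n_paths, "4tuple")  # downstream hashes a 4-tuple
    return {
        "received": len(arrived),
        "same_hash": [len(b) for b in same_hash],
        "four_tuple": [len(b) for b in four_tuple],
    }


if __name__ == "__main__":
    result = polarization_demo()
    print(f"downstream received {result['received']} sessions")
    print("per-interface count, same 5-tuple hash:", result["same_hash"])
    print("per-interface count, 4-tuple hash:     ", result["four_tuple"])
```

The simulation generalizes the post's two-interface case to any path count via the `n_paths` argument. Dropping a field is one way to decorrelate the two hashes; another common one in real equipment is to mix a per-device seed into the hash, which achieves the same effect without reducing the tuple.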

Ultimately, if you account for these potential issues, ECMP offers a great way to use multiple paths in a dynamic network and to maximize the investment in your infrastructure.

This is just one of the 60 new features in SonicOS 6.5 for all of SonicWall next-gen firewalls. Want to learn more? Check out a new video on SonicOS 6.5.

SonicOS 6.5, the Biggest Update in Company History, Delivers Powerful Security, Networking and Usability Capabilities

Keeping organizations running safely, while improving business and user productivity in today’s accelerating threat environment, continues to be a non-trivial task for IT leaders. At the current pace of cyber attacks, we understand all too well that the effects of recent events, such as the Equifax, WannaCry and NotPetya attacks, have demonstrated their capacity to change the global business environment from normal to total hysteria in the blink of an eye.

When news breaks on new data breaches, we see a surge in conversations with our SonicWall partner and customer communities about security and risk assessments. These engagements reinforce our development commitment to ensure every new product release delivers more tools and capabilities to protect their networks and data, and subsequently avoid the unnecessary breach.

Delivering on that commitment, I am thrilled to introduce SonicWall’s biggest firewall feature release in its history. SonicWall SonicOS 6.5 is packed with powerful security, networking and usability capabilities, and meets the security operation requirements of organizations of various sizes and use cases. SonicOS 6.5 focuses on empowering IT leaders and their security teams to:

  • Elevate their breach detection and prevention capacity
  • Manage and enforce security controls across the entire organization
  • Bring the latest in wireless speed, performance and security for cloud and mobile users
  • Scale firewall networking, connectivity and performance for uncompromised, uninterrupted network services

SonicOS 6.5 delivers the following customer-focused outcomes as part of SonicWall’s expanding Automated Real-Time Breach Detection and Prevention Platform.

1. Bolster breach prevention capabilities for wired, wireless and cloud-enabled network environments

  • SonicOS 6.5 includes 60-plus new features, nearly half of which focus on enabling the latest Wi-Fi standard, 802.11ac Wave 2, to deliver matching network security performance, connectivity and security between wired and wireless networks.
  • The combination of SonicWall firewalls and the new SonicWave 802.11ac Wave 2 series of wireless access points gives customers the assurance that their users have uninterrupted, secure and fast access to business services and resources over wired and wireless connections.
  • Built-in features, like Wireless Deployment Tools, greatly aid in planning and building a robust wireless infrastructure, while Band Steering, Airtime Fairness and others improve the overall wireless service quality and performance to give users a safe, productive wireless experience. This helps eliminate dropped connections and slowness anytime, anywhere and in any environment within the workplace. Moreover, Dynamic VLAN assignment segments wireless users based on their roles and group associations to prevent advanced threats from spreading.
  • SonicOS 6.5 expands the threat API capabilities to help customers establish a path toward security automation. Through greater collaboration between the firewall and the third-party security ecosystem, the firewall can automatically pull external intelligence sources for threat detection, protection and security policy enforcement. For example, our Dynamic Botnet List feature enables customers to program their firewalls to download private third-party lists that contain desired security information, such as malicious IP addresses and URLs, that they want the firewall to block for additional threat coverage.
  • For distributed organizations that have offices operating on different network domains, the new multi-domain security management capability in SonicOS 6.5 helps them manage and enforce discrete security policies across those domains. Based on service levels, risk tolerance, compliance and/or legal requirements, administrators can apply identical security controls to all domains, or a specific policy to a single domain or group of domains. This flexibility helps reduce the attack surface, eliminate security gaps, isolate risks and prevent lateral movement of backdoor, network-based attacks, such as WannaCry and NotPetya.

2. Increase scalability and connectivity of the firewall system

  • Advances in Layer 2/3 network and connectivity help customers optimize system availability and performance, and scale the firewall to deliver uncompromised, uninterrupted threat protection for every connected network domain. Supported on all SonicWall next-generation firewall (NGFW) models, including the newest NSA 2650, SonicOS 6.5 also supports daisy-chaining and management of Dell X-Series switches, Virtual Wire Mode, Dynamic LAG using LACP and Equal Cost Multi-Path (ECMP).
  • Using multi-domain security management in conjunction with virtual wire mode gives customers the ability to micro-segment and manage their virtual networks. These also provide independent security management, policies, controls and scanning to each virtual network with its separate security zone.

3. Improve ease of use and firewall management

  • SonicOS 6.5 introduces a completely redesigned user interface (UI) for a fresh, productive user experience (UX). This new UI gives users an executive dashboard loaded with security, user and traffic information. It also offers an organized, familiar and easily understood menu-driven security management console. The dashboard presents a consolidated view of the live firewall security environment. This view includes a threat index, security events and data, network performance and connectivity, and application and bandwidth usage. The intuitive UI lets users complete security tasks faster, and with greater ease, from a single pane of glass.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example of this scenario is an advertisement-heavy webpage, which can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users. For example, light web users may use an average of 30-50 connections, with a peak connection count of 120-250. On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis, that alone will allocate at least 500 connections for that user (with the possibility of consuming 2,000+ connections). For a mainstream organization it is safe to assume that on average 80 percent of the users are light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers give a ballpark of a few hundred thousand connections for a company of 1,000 employees, 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, SonicWall needs to address the ever-increasing demand in the number of connections to satisfy customer needs and provide a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9, compared to the same count in the previous 6.2.7.1:

[Chart: SPI connection count, SonicOS 6.2.9 vs. 6.2.7.1]

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.

[Chart: DPI connection count, SonicOS 6.2.9 vs. 6.2.7.1]

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by forgoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connections when taking advantage of this lever.

[Chart: default vs. maximum DPI-SSL connections]

We also enhanced our award-winning Capture ATP, a cloud sandbox service, by improving the user experience of the “Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes its evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of a few thousand employees, SonicWall is always considering its customers’ needs and strives to serve you better by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet(s). Upgrade today.