A real-world calculation
The promise of a turnkey network security virtualization platform to streamline deployment, management and operations of virtualized next generation firewall (NGFW) arrays is very compelling to most large enterprises. But when they find out it can also be an economical way to elastically scale security while maintaining network performance, they start to think it’s too good to be true. Last time, we talked about the indirect cost savings of this approach. If that still sounds too good to be true, let’s break down the direct cost savings using a real-life scenario.
Imagine you’re a large enterprise with typical inspection needs. Whether you’re shopping for a virtualized NGFW or a hardware-based NGFW, the selection boils down to a few key needs:
- The inspection capacity and amount of protection needed over your network links
- Licenses for the functions you require (IDS/IPS, SSL/TLS decryption, anti-malware, etc.)
- The number of years you have modeled your network and plan to operate the firewall
In today’s scenario (based on a real example we’ve encountered), the enterprise network is in the middle of a hardware refresh exercise. They have three 10 Gbps links and are predicting that a 100 Gbps link is something they will be lighting up in the coming years. They need 15 Gbps of inspection today and their network model predicts this will grow to 20 Gbps in 3 years. Some of their traffic is SSL/TLS encrypted (https) but it’s not easy to nail down what percentage. They need enterprise threat protection that includes application control, intrusion prevention system (IPS), anti-virus, anti-spam, and web filtering which covers both http and https traffic.
With an understanding of the enterprise’s needs, let’s analyze the direct costs of deploying a virtualized NGFW (vNGFW) built on a turnkey network security virtualization platform versus the equivalent functionality of a traditional hardware-based NGFW.
Virtualized NGFW:
With the Corsa turnkey network security virtualization platform, the enterprise licenses 15 Gbps of compute and inspection at the start. After 12 months, they add virtual firewall instances to enable another 2-3 Gbps of inspection, and after 12 more months they license an additional few Gbps to bring the total inspection to 20 Gbps. They get SSL/TLS inspection when they need it and maintain network performance and throughput. They receive 10 Gbps and 100 Gbps ports as part of the platform and use them whenever they need them. The virtual firewall instances that suit their needs, and that are used for this analysis, are the Fortinet FortiGate-VM VM-00 NGFW with Enterprise Threat Protection, which delivers just under 1 Gbps of full inspection per VM-00 instance.
Hardware-based NGFW:
With fixed appliances, they buy a firewall with at least 30 Gbps of full SSL/TLS inspection capability at the start, because they need to make sure they have enough capacity for the next 3 years. The appliance that suits their needs, and that is used for this analysis, is the Fortinet FortiGate 3600E with Enterprise Threat Protection.
How do the costs compare?
To create a vNGFW with the Corsa platform, they license the service on a monthly basis and receive 20 Gbps of compute to run Fortinet VM-00 licenses. TCO includes the monthly platform subscription (with maintained infrastructure and virtualized infrastructure manager), the cost of perpetual Fortinet VM-00 licenses, and 3 years of Enterprise Threat Protection enabled.
3-year TCO of Virtualized NGFW = $301,000.
To go the hardware-based NGFW route, they purchase the FortiGate 3600E with Enterprise Threat Protection licensed for 3 years, plus 3 years of support.
3-year TCO of Hardware-based NGFW = $533,000.
The Corsa solution represents a saving of over 40%.
With this analysis alone, you can see how a software-defined firewall makes financial sense. But there’s more.
Entry Cost Analysis
Another important financial consideration is the immediate up-front cost to make the purchase. In the case of the vNGFW, the first few months of expense are usually required at signing; this includes a one-time platform fee and three months of compute licensing, and amounts to $25,000. The VM licenses must be added to this.
Total cost of entry = under $85,000.
With a hardware-based NGFW, your initial investment needs to cover the hardware purchase and the first year of support and maintenance.
Total cost of entry = $278,000.
3x lower upfront investment with vNGFW.
Even for the most skeptical reader, these numbers are compelling. If you wondered whether there’s an economical way to elastically scale security while maintaining network performance, the results are in. And this is just one real-life example; every network is different, but you should be able to see similarities with your own security needs. Whether you’re a very large enterprise with huge traffic inspection needs, an enterprise with insane growth and exploding data usage, or an enterprise that knows exactly what inspection capacity it needs, the 3-year TCO using the Corsa solution provides at least 35% in savings, and 3 – 5 times lower upfront costs.
Find out more about the significant cost savings you can realize from a virtual NGFW built on a turnkey network security virtualization platform, in our Corsa white paper, TCO of Virtualizing Network Security.
(Note: We have done comparisons for a single firewall. Pricing figures have been pulled from publicly available sources and are MSRP. Features, service and support are identical when comparing vNGFW to NGFW.)