By Hezi Bahry, Product Manager, CloudGuard IaaS, published April 8, 2020

I have come to realize, over many years of purchasing various products, that the product price is one of the most misleading parameters in the decision-making process.

Buying a cheaper product may be an easy decision at the time of purchase, but it often isn’t justified in the long run, especially when you are left with lower quality, a reduced feature set or poor after-sales support that you may eventually need.

The same is true for cloud security products.

During the evaluation process, customers often make a final decision according to the pricing and business terms, without giving enough priority to other parameters, including:

  • The quality of the threat prevention security technologies, including high catch-rate of known and unknown threats
  • Ease of deployment and ease of use, which reduces the time required for these tasks
  • Automation capabilities, which improve the agility and efficiency of the cloud security team

And many other considerations, but most importantly security performance.

In my previous blog post, I wrote about the improvements that the latest release of R80.40 Unified Security added to CloudGuard IaaS.

One of the most significant improvements is the increase of performance. This blog post will focus on the performance improvements which can be achieved by CloudGuard IaaS customers by upgrading to the latest R80.40 release.

The performance of a cloud network security solution is generally measured by the network throughput of the virtual security appliance under some standard network traffic load (which should be representative of real-world traffic).

As such, performance also has an economic impact, because solutions with higher performance require fewer purchased resources to achieve any required throughput.

In other words, customers who are evaluating cloud security solutions should also consider the performance per dollar (or preferred currency) that they receive from their cloud security vendor when making a decision.

The new R80.40 release introduces significantly improved throughput values. These can be found in the Technical Specifications tables in the CloudGuard IaaS product webpage.

For example, the R80.40 throughput values are as follows for AWS instances:

 

Test Coverage and throughput 2 vCPUs 4 vCPUs 8 vCPUs
Firewall 6.2 Gbps 8.6 Gbps 15.3 Gbps
Firewall + IPS 4.0 Gbps 7.2 Gbps 13.2 Gbps
NGFW (Firewall + IPS + Application Control 2.8 Gbps 5.0 Gbps 11.3 Gbps
NGTP (NGFW + URL Filter + Anti-Virus + Anti-Bot) 1.2 Gbps 2.4 Gbps 4.7 Gbps

 

The previous throughput values using R80.20 were as follows:

 

Test Coverage and throughput 2 vCPUs 4 vCPUs 8 vCPUs
Firewall Not tested Not tested Not tested
Firewall + IPS 3.5 Gbps 3.5 Gbps 3.5 Gbps
NGFW (Firewall + IPS + Application Control 2.6 Gbps 3.5 Gbps 3.5 Gbps
NGTP (NGFW + URL Filter + Anti-Virus + Anti-Bot) 1.0 Gbps 1.9 Gbps 3.4 Gbps

 

(Note that for this round of throughput testing, we added a test when using the Firewall only, which was not tested before.)

From the results of the current and previous testing, we can see significant increases in throughput, including a 377% increase in throughput for 8 vCPU instances when running Firewall and IPS (Intrusion Prevention System)       technologies, from 3.5 Gbps to 13.2 Gbps.

There are two main reasons for these performance improvements:

The first is the effort that Check Point’s product and engineering teams invest in implementing performance algorithms and heuristics. This is because we understand the impact of increased performance and we are driven to provide the best value to our customers.

Secondly, CloudGuard IaaS is highly integrated with native technology services provided by the cloud vendors. The various Check Point product and engineering teams collaborate closely on a weekly basis with their cloud provider counterparts, ensuring any new services launched are aligned in maintaining optimal CloudGuard IaaS performance.

An example of the benefit to customers from the close coordination between Check Point and the cloud vendors is CloudGuard IaaS support for AWS c5n instances. “c5n instances leverage the fourth generation of custom Nitro card and Elastic Network Adapter (ENA) device to deliver 100 Gbps of network throughput to a single instance. These instances are ideal for network intensive applications, including HPC workloads, data lake and analytics software, and network appliances.” AWS customers using CloudGuard IaaS, who upgrade to the R80.40 release and use c5n instances can now benefit from this increased throughput. After upgrading, increased performance will be experienced for all AWS instances.

Similarly, customers using Microsoft Azure and other cloud vendors will also benefit from these performance improvements.

In summary, the economical unit of cloud security is comprised of many parameters, one of which includes performance.

Check Point recognizes this as an important decision-making parameter and has demonstrated this through its latest R80.40 release.

Customers who use CloudGuard IaaS should take advantage of this.

Decision-makers looking for their next cloud network security solution should be aware of this as part of their decision process.

I hope this blog post has been interesting and valuable for you.

If you have any feedback, requests or suggestions, please contact your local Check Point account representative or partner, or contact us here.

If you’re not yet a CloudGuard IaaS customer, you can schedule a demo with one of Check Point’s cloud security engineers here.

To understand how to design and implement secure cloud architectures, check out this white paper.

Follow and join the conversations about Check Point and CloudGuard on TwitterFacebookLinkedIn and Instagram.

You may also like