Are there any performance considerations when utilizing the CNNF or WAAS on the defenders?
Created On 10/04/22 11:51 AM - Last Modified 07/11/24 19:22 PM
Question
- Are there any performance considerations when utilizing CNNF or WAAS on the Twistlock Defenders?
- Do CNNF and WAAS impact overall performance?
Environment
- Prisma Cloud Compute
- Twistlock
- CNNF
- WAAS
Answer
- WAAS (Web Application and API Security, formerly known as CNAF, Cloud Native Application Firewall) is a web application firewall (WAF) designed for HTTP-based web applications deployed directly on hosts, as containers, embedded in applications, or as serverless functions. WAFs secure web applications by inspecting and filtering layer 7 traffic to and from the application. WAAS does have performance considerations, but the impact is limited to CPU and memory; it adds no latency. Inspecting all the traffic is a CPU-centric operation (roughly 25% of a core), and this of course scales with the number of containers and the amount of traffic.
- System performance will differ based on environmental factors such as network bandwidth, resource saturation, which protection configurations are enabled, cluster density, traffic volume, alert frequency, and many other site-specific details.
- Check Performance Planning for more info.
- CNNF (Cloud Native Network Firewall) is a Layer 4 container-aware virtual firewall and network monitoring tool. Network segmentation and compartmentalization are an important part of a comprehensive defense-in-depth strategy. CNNF works as an east-west firewall for containers and hosts. It limits damage by preventing attackers from moving laterally through your environment once they have already compromised your perimeter.
- CNNF has no considerable performance impact. It intercepts the TCP handshake rather than sitting inline on the data path: it only decides "should we allow this connection" and is then out of the way. In alert mode, when working correctly, CNNF has no performance impact. In prevent mode, the overhead should be negligible. However, it is always advisable to disable it if the customer does not use this feature.