Full-featured firewalls

The FortiGate also nailed my anti-virus and URL-filtering tests, stripping all of the infected files and blocking all of the verboten addresses I threw at it, while continuing to serve all legitimate requests. The denial of service attack test didn’t go as smoothly, however. The Syn Flood caused the device to drop 36 percent of legitimate traffic.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

ServGate EdgeForce Accel

Since my previous look at the EdgeForce Accel, ServGate has incorporated several important modifications and enhancements in its version 4 release of the ServGate OS. Like the FortiGate, the Accel combines firewall, VPN, anti-virus and anti-spam (both via McAfee), and URL and Web content filtering. It lacks intrusion detection and prevention; ServGate says this feature is on the product roadmap.

After firing up the box, the first change I noticed was a new dashboard that provides an at-a-glance view of major system summary info. More important changes lie beneath the surface, including a central management console that gives admins full control of remote devices, and a new wizard that speeds up VPN configuration. Customizable security templates, which you can push to multiple devices over a network, and policy-based filtering, which allows you to apply different firewall rules to different areas of your network, are now also part of the bargain.

Other enhancements include a Bayesian spam filter from McAfee and support for RIP I and II routing. ServGate OS 4.0 also delivers ICSA-certified VLAN pass-through, a full command line interface, and a boot-time feature that allows admins to revert to previous versions of the OS.

The EdgeForce Accel bested the FortiGate in my tests of maximum connections per second, turning in 8,500 cps in my raw, sans-services baseline test, and clocking 2,600 cps with all features and filtering enabled. That 70 percent drop was nearly identical to the performance hit suffered by the FortiGate 800, showing that additional security services significantly hinder the firewall’s ability to serve floods of new connections, such as when users log in to the network at the beginning of each day.

Like the FortiGate, the Accel also passed my URL and anti-virus filtering tests with flying colors. But unlike the FortiGate 800, it handled my denial of service attack successfully, continuing to serve all legitimate traffic when fighting off the Syn Flood.

The ServGate did not keep pace with the FortiGate in my tests of maximum concurrent firewall connections and VPN throughput. Although perfectly acceptable, the EdgeForce Accel’s concurrent connection figure of 131,000 fell far short of the FortiGate’s 446,000. And its 10-tunnel and 200-tunnel VPN throughput numbers of 196Mbps and 153Mbps represent just a fraction of what the FortiGate 800 achieved.

Which firewall to choose? If performance and scalability, or brawny VPN capabilities, are your chief consideration, then the FortiGate 800 has the edge. Overall, however, I’d give the nod to ServGate’s EdgeForce Accel, due to its superior management capabilities, easy setup, and solid performance under attack. Whichever firewall you choose, keep in mind that those extra security features will cost you dearly in performance.