Low-cost firewall appliances challenge pricey security platforms

For businesses large and small, firewalls mean more than network security, they also mean unknown amounts of network downtime during configuration and loads of extra expense for consultants and hardware fees. If you need more than traditional firewalling, such as the ability to secure IP telephony or protect application traffic, the solutions become even more expensive and difficult to configure.

Enter the firewall appliance. Previously, these machines represented basic firewall functionality with a concentration on increasing ease of use, thus allowing ordinary IT mortals — instead of expensive network security specialists — to configure and manage them. Now, along with offering straightforward setup, these devices have gotten smarter, incorporating the ability to defend against certain application-layer attacks, and branching out into areas traditionally reserved for more advanced and resource-hungry security products.

How far have firewall appliances come? To find out, we tested three in this roundup — the low-cost Ingate Firewall 1400; the even more affordable Toshiba Magnia SG20, which runs Astaro Security Linux; and the pricier Nokia IP380, which incorporates Check Point’s firewall and VPN software. To help flesh out the key differences between the appliance and the traditional firewall router, we also reviewed one of the latter, the Enterasys XSR-3250. The Enterasys promises tremendous power and flexibility, and like the Nokia, it has a price to match.

We tested our firewalls using Ixia Communications’ Ixia 1600 traffic-generation chassis and WebLoad testing software. WebLoad not only establishes throughput baselines based on real-world traffic flows but also generates a variety of attack streams. We tested each firewall’s performance and defense capabilities by generating stateful traffic, using a mix of protocols and seeing how each responded to four application-layer attacks: the Ping of Death, Smurf, Syn, and Teardrop.

In addition to evaluating performance under load — how well the firewall continued to process legitimate traffic while under attack — we scored our four competitors on the basis of the total volume of traffic it could handle, the amount of effort and time required to configure the device, and the quality of the tools the vendor provided for long-term device management.

Among our appliance contenders, the Toshiba stood out in all categories, including performance, ease of use, and price. The Ingate performed adequately, but it was a step or two behind the Toshiba in performance, security, and manageability. The Nokia also performed well but not as well as expected, considering its high-end Check Point software and high price tag, and the difficulty of configuring it without Check Point expertise. The Enterasys security router performed as expected; as is the Nokia, it’s expensive and difficult to configure, but it blew the doors off the appliances in our performance tests.

Firewall Phone Home

Ingate’s Firewall 1400 is the company’s midrange product aimed at medium to large networks. It performs all the standard firewall functions you’d expect. You can use it to deliver DHCP services, perform NAT, and support as many as 100 VPN tunnels. And of course, the Firewall 1400 also performs packet filtering and stateful inspection. Equally important in today’s environment, the device is designed to handle DoS (denial of service) and DDoS (distributed denial of service) attacks by dropping the offending packets.