
InfoWorld

Feature-stoked firewalls burn brightly

But VPN functionality isn't so hot when products face off

By Alyson Behr
October 31, 2003
 

Facing ever-increasing network threats, businesses of all sizes are demanding more security features from their firewalls, such as security policy management, IDP (intrusion detection and prevention), and VPN capabilities. Consequently, firewall manufacturers are rising to the challenge and cramming more and more security functionality into their products.

In our continuing quest to see how firewalls are stacking up, we tested another group of devices. This round included two higher-priced firewalls, the Fortinet FortiGate-500 and WatchGuard’s Vclass V80, as well as the SonicWall Pro 330, an Internet security appliance.

To assess just how capable these souped-up firewalls are, I emulated a multi-protocol network, then launched a range of attacks against the boxes, including SYN, Smurf, Reset, and ARP (Address Resolution Protocol) floods, first separately, then simultaneously. Additionally, I challenged the boxes to meet their stated VPN support figures, testing for VPN tunnel support and data performance metrics.

The good news is, these contenders stood up nicely, with few exceptions, to my attack tests. The FortiGate-500 wasn’t fazed by any of them, and the V80 wasn’t fazed by any but the SYN flood. The Pro 330, considered the least muscular of all the entries, actually provided strong defense against all attacks except the ARP flood, which isn’t that common an attack.

The not-so-good news, depending on your needs, is that deploying VPN functionality with these firewalls is not easy, not even with the SonicWall, which the company deems an appliance. The Pro 330 supported close to its marketing claim of 1,000 tunnels, but its VPN support is limited: it doesn’t ship with the required software and provides support only to other SonicWall devices. The FortiGate-500 and V80 are quite robust and do support tunneling to other firewalls; tunnels can be built individually, or multiples can be constructed using a script. However, there is no way of quickly cloning them.

Fortinet FortiGate-500

This high-end enterprise box falls just below the company’s large enterprise and service provider offerings. It runs on an ASIC-based 1GB Pentium 4 processor, which gives it plenty of processing power compared to the less robust SonicWall box.

The FortiGate-500 is easy to set up, either through the Web-based GUI or command-line prompts. The management GUI is easy on the eyes and intuitive, with sections such as System, Firewall, User, VPN, NIDS, Anti-Virus, E-mail and Web Filters, and Logs and Reports, all easy to select through a left-frame menu. There’s no full-blown spam filtering, but it does filter keywords. Log capabilities are fairly granular, and notification options give you five levels of importance, going from emergency to informational.

The FortiGate-500 left the other contenders in the dust when it came to delivering rock-solid firewall beef. In the lab, none of the attacks or combination attacks fazed it. It supported 2,400 multi-protocol connections per second and held on to 422,000 sustained connections. I did find that the device began dropping larger numbers of connections intermittently after hitting the 260,000 mark.

To test the FortiGate-500’s VPN muscle, I reconfigured the box to NAT/Route mode. Fortinet provided me with a configuration file that took its staff a couple of hours to build and set up on the firewall, because the FortiGate-500 doesn’t have a means to automatically clone tunnels. The config worked like a charm from the get-go with a 10-tunnel test and supported tunnels with data throughput as high as 1,023. I could run single tunnel tests on any of the tunnels and build tunnels in the 2,000 tunnel range. For some reason, the version of firmware I tested wouldn’t support more than 1,023 simultaneously established tunnels. It delivered 25.2Mbps bi-directional tunnel throughput, which didn’t stand up next to the V80’s numbers but was significantly more muscular than the Pro 330.

SonicWall Pro 330

The Pro 330 provided the best bang for the buck in this roundup. It uses a customized version of the VxWorks OS and is set up via a Web-based GUI. Its management interface is as utilitarian as its form factor, with no extra ports, and is sufficient to get the job done in a pretty straightforward manner. Configuration proved somewhat convoluted: I needed to specify IP address ranges attached to the WAN link or designate a gateway through which to route traffic.



WatchGuard Technologies Firebox V80

WatchGuard Technologies, watchguard.com

Rating: Very Good (8.1)

Criteria | Score | Weight
Security | 8 | 25%
Management | 8 | 20%
Ease-of-use | 7 | 15%
Scalability | 9 | 15%
Setup | 8 | 15%
Value | 9 | 10%

Cost:
$9,990

Bottom Line:
The V80 won hands-down in the muscle portion of our VPN capabilities testing. This factor, coupled with respectable firewall performance capability under duress and comparable pricing to the FG500, makes it the obvious choice for anyone who places higher value on high-volume VPN delivery.



SonicWall Pro330

SonicWall, sonicwall.com

Rating: Good (6.8)

Criteria | Score | Weight
Security | 7 | 25%
Management | 6 | 20%
Ease-of-use | 8 | 15%
Scalability | 5 | 15%
Setup | 7 | 15%
Value | 8 | 10%

Cost:
$2,795

Bottom Line:
The Pro330 provides an easy-to-use Web management GUI, which does a decent job of managing the firewall's configuration and operation. With typical appliance-like performance, the Pro330 would more than fit the bill for midsized businesses. However, it was the least powerful of this pack.



Fortinet FortiGate FG500

Fortinet, fortinet.com

Rating: Very Good (8.3)

Criteria | Score | Weight
Security | 9 | 25%
Management | 8 | 20%
Ease-of-use | 8 | 15%
Scalability | 8 | 15%
Setup | 8 | 15%
Value | 8 | 10%

Cost:
$9,995

Bottom Line:
The clear winner in our firewall performance tests, the FG500 delivers rock-solid performance and protection from attack. If management features combined with reasonable VPN support and unmatched persistent connection numbers are important to you, this firewall is worth the price.



 


 
Alyson Behr is an InfoWorld contributing editor. Contact her at alyson_behr@infoworld.com.
 

SEE ALSO
• SIDEBAR: How I tested

