Review: Screaming throughput


Cisco this week will enter the rarefied air of gigabit-speed security when it unveils the Cisco Secure PIX Firewall 535.

And not a moment too soon - with multiple OC-3 (155M bit/sec) links becoming commonplace at service providers and large corporations, a gigabit firewall is no longer a steroid-induced fantasy.

The Network World Global Test Alliance got an exclusive chance to test the performance of this gear and found that the newest member of the PIX Firewall line outguns the rest we've seen. How fast? How does 2G bit/sec grab you?


Keep in mind that the PIX 535 is just another member of the PIX family. Although it has more interfaces and faster throughput, everything else about it will be familiar to users of the PIX Firewall. What the PIX 535 gives you is speed. As data centers and campus networks jump to 300M bit/sec and 450M bit/sec connections in 2001, a conventional corporate firewall will become the bottleneck. The PIX 535 is one of only two firewalls we've tested that can truly handle gigabit speeds; the other is NetScreen's NetScreen 1000.

Although the PIX 535 shares the same cumbersome, counterintuitive command-line interface with the rest of the PIX family, it breaks loose with impressive performance. Start with the hardware. It's small: 3U (5.25 inches high) is all it takes to firewall off a gigabit of traffic. The PIX 535 has a highly maintainable chassis with dual hot-swap power supplies and nine expansion slots. We swapped cards during our tests, and Cisco has made this easy. It's not quite as accessible as Cisco's 7000 series routers, but you can get to the important parts of the PIX - including the CPU board and all expansion cards - in about 30 seconds.

More important than those nine expansion slots is the hardware sitting behind them: three PCI buses, two of which are 64 bits wide to accommodate the four Gigabit Ethernet interfaces Cisco expects you'll use to connect your PIX 535 to your network. The third PCI bus is a 32-bit bus, which can take four 10/100 Ethernet interfaces and a VPN accelerator card. Driving those buses is a 1-GHz Intel processor (the box is dual-CPU capable, but dual CPUs are not currently supported) and a gigabyte of memory. Everything about this box says "gigabit" - memory, CPU and LAN. Total it up, and you can have up to four Gigabit Ethernet and four 10/100M bit/sec Fast Ethernet interfaces in this system. That's serious bandwidth.

In our most optimistic and easiest test - simulating four huge connections using a Spirent SmartBits 6000 with large packets - the PIX 535 turned in an amazing 2,080M bit/sec performance. That's almost six times faster than the PIX 525, Cisco's closest model, is rated by the company. Of course, you won't see that kind of performance in real-life situations. Our benchmarks show that normal Internet traffic with 2,000 connections through the firewall could expect a steady performance of 400M bit/sec.

Connection establishment also doesn't seem to slow the PIX 535 (see graphic, below). We benchmarked it at approximately 8,500 connection/sec, up to 1.2 million simultaneous connections. That's a ridiculously huge number of connections, and Cisco engineers told us it could go as high as two million, but that's more than we could test in our lab.

At more reasonable connection rates, the PIX 535 hums along nicely. We used Antara's Flamethrower to run a constant stream of 500 connection/sec through the PIX 535 and saw only a few percentage points drop in performance. When we put the Flamethrower into denial-of-service attack mode, the effect was a little more pronounced, with about a 20% drop in throughput.
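The connection figures above (roughly 8,500 new connections per second and 1.2 million simultaneous entries) are what a practitioner has to turn into a resilience estimate when a denial-of-service flood arrives. The model below is an added illustration, not code from the review or from Cisco: it takes the review's two measured limits as constants, applies Little's law (entries held = arrival rate times holding time) to both legitimate traffic and a half-open SYN flood, and reports which measured limit the flood hits first. The traffic profiles, the 500 connection/sec legitimate load (borrowed from the Flamethrower run) and the embryonic-connection timeout are constructed assumptions; the timeout is a generic firewall knob, not a claim about any particular PIX setting.

```python
"""Sizing a firewall's connection table against a half-open (SYN) flood.

Added example, not code from the review or from Cisco. TABLE_CAPACITY and
SETUP_RATE are the figures the review reports for the PIX 535; every traffic
profile below (rates, lifetimes, the embryonic timeout) is a constructed
assumption chosen to show the arithmetic.
"""
from dataclasses import dataclass
from typing import Optional

TABLE_CAPACITY = 1_200_000   # simultaneous connections measured in the review
SETUP_RATE = 8_500           # new connections/sec measured in the review


@dataclass(frozen=True)
class TrafficProfile:
    rate: float      # new table entries created per second
    lifetime: float  # seconds an entry stays in the table before it is purged


def steady_state_entries(profile: TrafficProfile) -> float:
    """Little's law: entries held in steady state = arrival rate * holding time."""
    return profile.rate * profile.lifetime


def seconds_until_full(capacity: int, legit: TrafficProfile,
                       attack: TrafficProfile) -> Optional[float]:
    """Seconds until a flood exhausts the table, or None if it never does.

    Half-open entries created by the flood are purged after attack.lifetime
    (the embryonic-connection timeout), so the flood's footprint plateaus at
    attack.rate * attack.lifetime. If that plateau fits in the headroom left
    after legitimate traffic, the table survives. Otherwise the table fills
    before the first timeouts fire, so it fills linearly at attack.rate.
    """
    headroom = capacity - steady_state_entries(legit)
    if headroom <= 0:
        return 0.0
    if steady_state_entries(attack) <= headroom:
        return None
    return headroom / attack.rate


def max_embryonic_timeout(capacity: int, legit: TrafficProfile,
                          attack_rate: float) -> float:
    """Longest half-open timeout that keeps the table under capacity at attack_rate."""
    headroom = capacity - steady_state_entries(legit)
    return max(headroom, 0.0) / attack_rate


def limiting_resource(legit: TrafficProfile, attack: TrafficProfile,
                      capacity: int = TABLE_CAPACITY,
                      setup_rate: int = SETUP_RATE) -> str:
    """Which measured limit a flood hits first: "setup-rate", "table" or "none".

    A flood whose combined arrival rate exceeds the measured setup rate
    saturates connection setup (CPU) long before the state table is full,
    so sizing the table alone would mislead.
    """
    if legit.rate + attack.rate > setup_rate:
        return "setup-rate"
    if seconds_until_full(capacity, legit, attack) is not None:
        return "table"
    return "none"


if __name__ == "__main__":
    # Constructed profiles: 500 legitimate connections/sec living 60 s each,
    # and a 6,500 SYN/sec flood whose half-open entries time out after 200 s.
    legit = TrafficProfile(rate=500, lifetime=60)
    flood = TrafficProfile(rate=6_500, lifetime=200)
    print("legitimate load holds", steady_state_entries(legit), "entries")
    print("table full after", seconds_until_full(TABLE_CAPACITY, legit, flood), "s")
    print("max safe embryonic timeout",
          max_embryonic_timeout(TABLE_CAPACITY, legit, flood.rate), "s")
    print("first limit hit:", limiting_resource(legit, flood))
```

With those assumed profiles the 1.2 million-entry table fills after 180 seconds, and trimming the half-open timeout to anything under 180 seconds keeps it from filling at all; push the flood past the 8,500 connection/sec setup rate, however, and the table size stops mattering because setup itself saturates first.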

The PIX 535 has an optional encryption acceleration card (based on IRE's SafeNet DSP), which we benchmarked at 90M bit/sec using a fairly typical traffic mix and a small number of IP Security associations. This compares favorably with midrange VPN devices from Nokia, Alcatel and NetScreen, which typically hover just below the 100M bit/sec mark in Triple-DES/SHA-1 encrypting throughput (see graphic, right). The PIX 535 accelerator card does substantially better than the ordinary PCI-based encryption devices we've seen, largely because those devices suffer from PCI bus contention. Cisco's engineering and three-bus architecture give a performance boost that normal PC-based firewalls can't match.

We learned from our tests that the PIX 535 is very sensitive to configuration and network engineering. For example, our initial encryption tests were done with the VPN accelerator on the same PCI bus as the Fast Ethernet cards we were using for part of the test. PCI buses are a serious bottleneck in general, and we saw performance drop by as much as 30% in some tests. When we balanced traffic more carefully by spreading it across the three PCI buses, performance improved dramatically. Balancing traffic across interfaces and buses elsewhere in our testing produced smaller gains, typically 10% or less.

Final analysis

Is the PIX 535 for you? If you need Gigabit Ethernet performance, you don't have a lot of choices. NetScreen's NetScreen 1000 offers similar speeds when fully configured, but at nearly twice the price of the $95,000 fully configured PIX 535. At speeds that high, though, either may seem a bargain.

The PIX's biggest deficiency is its command-line interface. It resembles Cisco's IOS but is just different enough to give any IOS expert a headache.

The PIX remains a firewall for companies and application service providers that can live with a small set of firewall rules and don't ask for a lot of flexibility in their security appliances.

While some security experts dismiss the lack of features in the PIX, others find it a solid product, citing the simplicity mantra: Simpler systems are easier to understand and secure, and the PIX is nothing if not simple.

It's also got some nice seasoning on it, with more than five years of predecessors in the PIX line under its belt. Although we were officially running very late beta-test version software, it exhibited traditional Cisco stability and gave us crash-free performance. If you've got an easy-to-express policy and a bunch of bandwidth, the PIX 535 is an incredibly fast performer in a nice package.

Snyder is a senior partner at Opus One, in Tucson, Ariz., specializing in messaging and security. He can be reached at joel.snyder@opus1.com.
