Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
FCC defends new net neutrality proposal
New iPad rumor rollup for week ending April 23
Dell adds Big Switch to its SDN mix
Google Plus now minus chief Vic Gundotra
Heartbleed prompts joint vendor effort to boost OpenSSL, security
Microsoft Surface Mini seems likely to ship soon
China working on Linux replacement for Windows XP
FCC adds $9 billion to broadband subsidy fund
Raspberry Pi alternatives emerge to fill need for speed
It's now possible to wirelessly charge 40 smartphones from 16 feet away
Ex-FCC commissioner to head CTIA in latest Washington shuffle
Go time traveling with Google Maps
While Heartbleed distracts, hackers hit US universities
Survey respondents shun much-hyped mobile shopping technologies
7 Ways to Advance Your Project Management Career
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
Verizon: Web apps are the security punching bag of the Internet

Review: Screaming throughput

Cisco this week will enter the rarified air of gigabit speed security when it unveils the Cisco Secure PIX Firewall 535.

And not a moment too soon - with multiple OC-3 (155M bit/sec) links becoming commonplace at service providers and large corporations, a gigabit firewall is no longer a steroid-induced fantasy.

The Network World Global Test Alliance got an exclusive chance to test the performance of this gear and found that the newest member of the PIX Firewall line outguns the rest we've seen. How fast? How does 2G bit/sec grab you?

How we did it
NetResults and other testing charts
Archive of Network World reviews
Subscribe to the Product Review e-mail newsletter

Keep in mind that the PIX 535 is just another member of the PIX family. Although it has more interfaces and faster throughput, everything else about it will be familiar to users of the PIX Firewall. What the PIX 535 gives you is speed. As data centers and campus networks jump to 300M bit/.sec and 450M bit/sec connections in 2001, the corporate firewall will have fallen far behind. The PIX 535 is one of two firewalls we've tested that can truly handle these gigabit speeds. NetScreen's NetScreen 1000 also handles this level of throughput.

Although the PIX 535 shares the same cumbersome, counterintuitive command-line interface with the rest of the PIX family, it breaks loose with impressive performance. Start with the hardware. It's small: 3U (5.25 inches high) is all it takes to firewall off a gigabit of traffic. The PIX 535 has a highly maintainable chassis with dual hot-swap power supplies and nine expansion slots. We swapped cards during our tests, and Cisco has made this easy. It's not quite as accessible as Cisco's 7000 series routers, but you can get to the important parts of the PIX - including the CPU board and all expansion cards - in about 30 seconds.

More important than those nine expansion slots is the hardware sitting behind them: three PCI buses, two of which are 64 bits wide to accommodate the four Gigabit Ethernet interfaces Cisco expects you'll use to connect your PIX 535 to your network. The third PCI bus is a 32-bit bus, which can take four 10/100 Ethernet interfaces and a VPN accelerator card. Driving those buses is a 1-GHz Intel processor (the box is dual-CPU capable, but dual CPUs are not currently supported) and a gigabyte of memory. Everything about this box says "gigabit" - memory, CPU and LAN. Total it up, and you can have up to four Gigabit Ethernet and four 10/100M bit/sec Fast Ethernet interfaces in this system. That's serious bandwidth.

In our most optimistic and easiest test - simulating four huge connections using a Spirent SmartBits 6000 with large packets - the PIX 535 turned in an amazing 2,080M bit/sec performance. That's almost six times faster than the PIX 525, Cisco's closest model, is rated by the company. Of course, you won't see that kind of performance in real-life situations. Our benchmarks show that normal Internet traffic with 2,000 connections through the firewall could expect a steady performance of 400M bit/sec.

Connection establishment also doesn't seem to slow the PIX 535 (see graphic, below). We benchmarked it at approximately 8,500 connection/sec, up to 1.2 million simultaneous connections. That's a ridiculously huge number of connections, and Cisco engineers told us it could go as high as two million, but that's more than we could test in our lab.

At more reasonable connection rates, the PIX 535 hums along nicely. We used Antara's Flamethrower to run a constant stream of 500 connection/sec through the PIX 535 and saw only a few percentage points drop in performance. When we put the Flamethrower into denial-of-service attack mode, the effect was a little more pronounced, with about a 20% drop in throughput.

The PIX 535 has an optional encryption acceleration card (based on IRE's SafeNet DSP), which we benchmarked at speeds of 90M bit/sec using a fairly typical traffic mix and a small number of IP Security associations. This compares favorably with midrange VPN devices from Nokia, Alcatel and NetScreen, which typically hover just below the 100M bit/sec mark in Triple-DES/ SHA-1 encrypting throughput (see graphic, right). The PIX 535 accelerator card does substantially better than normal PCI-based encryption devices we've seen, largely because of bus contention issues. Cisco's engineering and three-bus architecture give a performance boost that normal PC-based firewalls can't compete with.

We learned from our tests that the PIX 535 is very sensitive to configuration and network engineering. For example, our initial encryption tests were done with the VPN accelerator on the same PCI bus as the Fast Ethernet cards we were using for part of the test. PCI buses form a horrible bottleneck in general, and we saw performance drop by as much as 30% in some tests. When we balanced traffic more carefully by spreading it across the three PCI buses, performance improved dramatically. We saw less dramatic results as we balanced traffic across interfaces and buses in our testing, typically in the 10% or lower range.

Final analysis

Is the PIX 535 for you? If you need Gigabit Ethernet performance, you don't have a lot of choices. NetScreen's NetScreen 1000 offers similar speeds when fully configured, but at nearly twice the price of the $95,000 fully configured PIX 535. At speeds that high, though, either may seem a bargain.

The PIX's biggest deficiency is its command-line interface. Similar to Cisco's IOS, the PIX is just different enough to give any IOS expert a headache.

The PIX remains a firewall for companies and application service providers that can live with a small set of firewall rules and don't ask for a lot of flexibility in their security appliances.

While some security experts dismiss the lack of features in the PIX, others find it a solid product, citing the simplicity mantra: Simpler systems are easier to understand and secure, and the PIX is nothing if not simple.

It's also got some nice seasoning on it, with more than five years of predecessors in the PIX line under its belt. Although we were officially running very late beta-test version software, it exhibited traditional Cisco stability and gave us crash-free performance. If you've got an easy-to-express policy and a bunch of bandwidth, the PIX 535 is an incredibly fast performer in a nice package.


Snyder is a senior partner at Opus One, in Tucson, Ariz., specializing in messaging and security. He can be reached at

Best products: user picks
Close races ruled, but products from Cisco, Compaq and Novell got top ratings by Network World readers in our second annual Best Products survey.
Network World, 11/13/00.

How we did it
Our testing methods.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.