Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Valentine's Day Patch Tuesday: Microsoft to issue 9 patches, 4 critical
Mobile World Congress sneak peek: Quad-core smartphones, Ice Cream Sandwich & more
Microsoft details 'Windows on ARM' program
March debut of 'iPad 3' a sure bet, says analyst
FBI unbolts Steve Jobs 1991 investigation file
Cisco boosted profit, sales in Q2 while cutting costs
Macs take on the enterprise
Four crazy tech ideas from Google's Solve for X project
Obama 2012 campaign playlist revealed courtesy of Spotify
Oracle buying Taleo for US$1.9 billion in direct hit at SAP
Amazon attacks Apple: You get 3 Kindle products for price of iPad 2
Pre-rendered pages highlight latest Google Chrome release
Microsoft exec: Lync-Skype integration a 'compelling opportunity'
The future of hypervisors
/

Firewall fact or fiction?

Related linksToday's breaking news
Send to a friendFeedback

By none
Network World, 03/12/01

The firewall business is crowded with more obfuscation than any other part of the network industry. At times, buying a firewall feels more like buying stereo equipment. The choice often comes down to packaging and a convincing sales pitch. Like a stereo pitchman pushing that last 1 dB of imperceptible channel separation, firewall vendors have a history of dubious claims to differentiate their products. In our testing, some of these common performance myths didn't hold up to scrutiny while other facts were confirmed.

Myth: "Dedicated hardware is fastest."

Although the top performer in each test we conducted was a dedicated hardware platform, firewalls running on general-purpose operating systems ranked up there in our testing. For example, CyberGuard's KnightStar and Secure Computing's SideWinder passed raw packets faster than WatchGuard's FireBox II and SonicWall's SonicWall Pro VX.

Fact: "Windows NT is not a very fast firewall platform."

Although we fed the NT-based firewalls, including Computer Associates' eTrust, Network-1's CyberwallPlus and Symantec's Raptor, a high-end dual-CPU 650-MHz platform, SonicWall's StrongARM chip, running at one-third the speed of the Intel-based system (and with only one CPU), handily beat the NT-based firewalls in almost every test. Windows 2000's TCP/IP performance enhancements should be considered a must for any network manager considering a Windows-based firewall.

Myth: "Packet filtering is fastest."

Although firewall vendors have largely conceded that true proxies are too slow for today's enterprise networks, stateful packet filtering (or the half-proxy/half-stateful packet filter being offered by some vendors) can keep up with pure packet filters quite well.

In our tests, products from Cisco, NetScreen and TopLayer, all of which use some form of stateful packet filtering, competed well against CyberGuard in packet-filtering configuration.

Fact: "Different firewalls do different things well."

Products such as Check Point's Firewall-1 and Network Associates' WebShield, which did outstanding in our "protect-the-enterprise" test, fared much worse in other environments, such as pure packet-passing performance. This underscores how important it is for network managers to understand their environments before buying a firewall.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.