Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Security /

Firewall fact or fiction?

Related linksToday's breaking news
Send to a friendFeedback

By none
Network World, 03/12/01

The firewall business is crowded with more obfuscation than any other part of the network industry. At times, buying a firewall feels more like buying stereo equipment. The choice often comes down to packaging and a convincing sales pitch. Like a stereo pitchman pushing that last 1 dB of imperceptible channel separation, firewall vendors have a history of dubious claims to differentiate their products. In our testing, some of these common performance myths didn't hold up to scrutiny while other facts were confirmed.

Myth: "Dedicated hardware is fastest."

Although the top performer in each test we conducted was a dedicated hardware platform, firewalls running on general-purpose operating systems ranked up there in our testing. For example, CyberGuard's KnightStar and Secure Computing's SideWinder passed raw packets faster than WatchGuard's FireBox II and SonicWall's SonicWall Pro VX.

Fact: "Windows NT is not a very fast firewall platform."

Although we fed the NT-based firewalls, including Computer Associates' eTrust, Network-1's CyberwallPlus and Symantec's Raptor, a high-end dual-CPU 650-MHz platform, SonicWall's StrongARM chip, running at one-third the speed of the Intel-based system (and with only one CPU), handily beat the NT-based firewalls in almost every test. Windows 2000's TCP/IP performance enhancements should be considered a must for any network manager considering a Windows-based firewall.

Myth: "Packet filtering is fastest."

Although firewall vendors have largely conceded that true proxies are too slow for today's enterprise networks, stateful packet filtering (or the half-proxy/half-stateful packet filter being offered by some vendors) can keep up with pure packet filters quite well.

In our tests, products from Cisco, NetScreen and TopLayer, all of which use some form of stateful packet filtering, competed well against CyberGuard in packet-filtering configuration.

Fact: "Different firewalls do different things well."

Products such as Check Point's Firewall-1 and Network Associates' WebShield, which did outstanding in our "protect-the-enterprise" test, fared much worse in other environments, such as pure packet-passing performance. This underscores how important it is for network managers to understand their environments before buying a firewall.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.
* HOME    * RESEARCH CENTERS     * NEWS     * EVENTS

Contact us | Terms of Service/Privacy | How to Advertise
Reprints and links | Partnerships | Subscribe to NW
About Network World, Inc.

Copyright, 1994-2006 Network World, Inc. All rights reserved.