WatchGuard Firebox V200 firewall/VPN

SOHO vendor moves into high-end arena
By David Newman, Network World Global Test Alliance, Network World, 04/28/2003

WatchGuard Technologies, a leader in small office/home office firewall/VPN appliances, is targeting the big boys with a high-end device aimed squarely at Cisco's PIX 535 and NetScreen Technologies' NetScreen-5200.

On the plus side, the $60,000 device is a lot less expensive than competing products from Cisco, NetScreen or Nokia, and its management graphical user interface will be familiar to users of other WatchGuard products.



And in our tests, WatchGuard's V200 set up an impressive 42,000 concurrent IP Security (IPSec) tunnels, a useful capability when dealing with huge numbers of dial-up users in a corporate setting.

But on the minus side, the latest beta unit bore out the adage that security always comes with a performance cost. Even with a much-reduced number of IPSec tunnels in place, the V200's latency and throughput were much degraded compared with its performance when configured as a firewall.

The V200 offers firewall, VPN and network address translation via two Gigabit Ethernet interfaces. The V200 also offers Border Gateway Protocol routing and two out-of-band interfaces for high-availability applications.

We assessed the V200 with seven different performance measurements (see how we conducted our test). Besides determining IPSec tunnel capacity, we also measured latency and throughput with IPSec configured and with two and 1,000 firewall rules in place.

IPSec tunnel capacity

We established 42,000 tunnels using Spirent Communications' SmartBits analyzer running TeraVPN test software. These were fully formed tunnels that dial-up users would build when connecting through a V200. Each tunnel consisted of an Internet Key Exchange (IKE) session and a pair of one-way security associations.

It's important to apply this three-element definition of tunnels - one IKE session plus two one-way security associations - when assessing VPN gear for dial-up use. A common trick in VPN specsmanship is to set up impressively large numbers of security associations but neglect to mention that all security associations were set up with one IKE session.

The issue is that many IPSec devices employ high-speed silicon for encryption but not for key exchange. The V200 has eight ASICs for acceleration of key exchange, encryption and firewall rule processing.
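The counting rule above, applied to a security-association table, as an added example that is not part of the original article or of the test software it names. The record layout (an IKE session identifier plus a direction per security association) and all names are assumptions, and the sample table is constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed SA table of (ike_session_id, direction); not real device output."""
    sas = []
    # Three dial-up style peers: each negotiates its own IKE session and one SA pair.
    for ike_id in ("ike-1", "ike-2", "ike-3"):
        sas += [(ike_id, "in"), (ike_id, "out")]
    # One peer that inflates the SA count: 50 SA pairs behind a single IKE session.
    sas += [("ike-bulk", d) for _ in range(50) for d in ("in", "out")]
    # One incomplete entry: IKE session present, but only one one-way SA.
    sas.append(("ike-half", "in"))
    return sas

def count_tunnels(sas):
    """Separate raw SA figures from fully formed tunnels.

    A tunnel is counted once per IKE session, and only if that session
    carries at least one inbound and one outbound security association.
    """
    per_ike = defaultdict(lambda: {"in": 0, "out": 0})
    for ike_id, direction in sas:
        if direction not in ("in", "out"):
            raise ValueError(f"unknown SA direction: {direction!r}")
        per_ike[ike_id][direction] += 1

    sa_pairs = sum(min(c["in"], c["out"]) for c in per_ike.values())
    tunnels = sum(1 for c in per_ike.values() if c["in"] and c["out"])
    return {
        "sa_total": len(sas),
        "sa_pairs": sa_pairs,          # the figure a spec sheet can inflate
        "ike_sessions": len(per_ike),  # key-exchange work actually performed
        "tunnels": tunnels,            # three-element definition from the text
    }

if __name__ == "__main__":
    for name, value in count_tunnels(build_sample()).items():
        print(f"{name}: {value}")
```

On the constructed table, 53 SA pairs collapse to four tunnels, which is the gap between a security-association count and a tunnel count that the definition is meant to expose.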
