WatchGuard Firebox V200 firewall/VPN

SOHO vendor moves into high-end arena
By David Newman, Network World Global Test Alliance , Network World , 04/28/2003

WatchGuard Technologies, a leader in small office/home office firewall/VPN appliances, is targeting the big boys with a high-end device aimed squarely at Cisco's PIX 535 and NetScreen Technologies' NetScreen-5200.

On the plus side, the $60,000 device is a lot less expensive than competing products from Cisco, NetScreen or Nokia, and its management graphical user interface will be familiar to users of other WatchGuard products.


And in our tests, WatchGuard's V200 set up an impressive 42,000 concurrent IP Security (IPSec) tunnels, a useful capability when dealing with huge numbers of dial-up users in a corporate setting.

But on the minus side, the latest beta unit bore out the adage that security always comes with a performance cost. Even with a much-reduced number of IPSec tunnels in place, the V200's latency and throughput were much degraded compared with its performance when configured as a firewall.

The V200 offers firewall, VPN and network address translation via two Gigabit Ethernet interfaces. The V200 also offers Border Gateway Protocol routing and two out-of-band interfaces for high-availability applications.

We assessed the V200 with seven different performance measurements (see how we conducted our test). Besides determining IPSec tunnel capacity, we also measured latency and throughput with IPSec configured and with two and 1,000 firewall rules in place.

IPSec tunnel capacity

We established 42,000 tunnels using Spirent Communications' SmartBits analyzer running TeraVPN test software. These were fully formed tunnels of the kind dial-up users would build when connecting through a V200. Each tunnel consisted of an Internet Key Exchange (IKE) session and a pair of one-way security associations, one for each direction.

It's important to apply this three-element definition of tunnels - one IKE session plus two one-way security associations - when assessing VPN gear for dial-up use. A common trick in VPN specsmanship is to set up impressively large numbers of security associations but neglect to mention that all security associations were set up with one IKE session.

The issue is that many IPSec devices employ high-speed silicon for encryption but not for key exchange. The V200 has eight ASICs for acceleration of key exchange, encryption and firewall rule processing.
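One way to apply the three-element definition when auditing a vendor claim is to count tunnels from the device's SA table rather than trusting the SA total. The script below is an added example, not code from the review, WatchGuard or Spirent; the SA dump format (ike_session,peer,direction,spi) and both dumps are constructed for illustration, so the parser would need adapting to a real appliance's output.

```python
"""Count fully formed IPsec tunnels from an SA listing.

Added example (not from the review, WatchGuard or Spirent). A tunnel is
one IKE session plus one inbound and one outbound IPsec security
association, so a raw SA count cannot be mistaken for a tunnel count.
"""
from collections import defaultdict

# Constructed SA dumps in a hypothetical "ike_session,peer,direction,spi"
# layout. Real appliances print their own format; adapt parse_sa_dump.
HONEST_DUMP = """\
# one IKE session per remote client, one SA each way; ike-d is half-built
ike-a,198.51.100.10,in,0x1001
ike-a,198.51.100.10,out,0x1002
ike-b,198.51.100.11,in,0x2001
ike-b,198.51.100.11,out,0x2002
ike-c,198.51.100.12,in,0x3001
ike-c,198.51.100.12,out,0x3002
ike-d,198.51.100.13,in,0x4001
"""

PADDED_DUMP = """\
# one IKE session carrying many child SAs: six SAs, still one tunnel
ike-z,198.51.100.20,in,0x5001
ike-z,198.51.100.20,out,0x5002
ike-z,198.51.100.20,in,0x5003
ike-z,198.51.100.20,out,0x5004
ike-z,198.51.100.20,in,0x5005
ike-z,198.51.100.20,out,0x5006
"""


def parse_sa_dump(text):
    """Yield (ike_session, peer, direction, spi) tuples; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        session, peer, direction, spi = (f.strip() for f in line.split(","))
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in SA line: {line!r}")
        yield session, peer, direction, int(spi, 16)


def count_tunnels(sas):
    """Return (tunnels, ike_sessions, total_sas).

    A tunnel is counted only for an IKE session that has at least one
    inbound and one outbound SA. A session with SAs in one direction is
    half-built, and extra child SAs under one session add no tunnels.
    """
    per_session = defaultdict(lambda: {"in": 0, "out": 0})
    total = 0
    for session, _peer, direction, _spi in sas:
        per_session[session][direction] += 1
        total += 1
    tunnels = sum(1 for d in per_session.values() if d["in"] and d["out"])
    return tunnels, len(per_session), total


def tunnel_report(text):
    """Summarise one dump; sas_per_tunnel well above 2 flags SA-count padding."""
    tunnels, sessions, total = count_tunnels(parse_sa_dump(text))
    return {
        "ike_sessions": sessions,
        "security_associations": total,
        "tunnels": tunnels,
        "sas_per_tunnel": (total / tunnels) if tunnels else None,
    }


if __name__ == "__main__":
    for name, dump in (("honest", HONEST_DUMP), ("padded", PADDED_DUMP)):
        print(name, tunnel_report(dump))
```

Both dumps contain six complete SAs, but the honest one yields three tunnels and the padded one yields one; a claimed tunnel count should match the number of IKE sessions that have an SA in each direction, not the SA total.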

The V200 offered impressive tunnel capacity, but the beta version shone a bit less brightly when it came to moving packets through those tunnels. We measured throughput with 42,000 pairs of security associations between a pair of V200 devices, and we also tried a few test runs with 4,096 concurrent tunnels, but there wasn't any traffic level we could offer where packet loss was zero.

This isn't to say that the V200s can't forward traffic through all 42,000 pairs of security associations. In some cases (such as with 1,440-byte frames, the optimal length for IPSec testing because the frame still fits the 1,500-byte Ethernet MTU after the ESP and tunnel-mode headers are added), the amount of packet loss was trivial. Nonetheless, the Internet Engineering Task Force (RFC 1242) defines throughput as the highest rate at which none of the offered frames is lost, so a device that drops even a trivial fraction at every offered load has, by that definition, no measurable throughput at those loads.
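The gap between "trivial loss" and "throughput" is easiest to see by running the standard search against a device model. The script below is an added example, not code from the review, Spirent or WatchGuard: it implements the RFC 2544 binary search for the RFC 1242 zero-loss throughput, against two constructed devices, one that drops only above its capacity and one that also loses a small fixed fraction of every trial, as the review describes for the IPSec configuration. The capacities, the one-in-10,000 residual loss and the 60-second trial are assumptions chosen for illustration.

```python
"""RFC 1242/2544-style throughput search against a simulated device.

Added example (not from the review or from WatchGuard/Spirent). Shows why
a device with a small residual loss at every rate reports almost no
throughput under the IETF zero-loss definition.
"""


def gige_line_rate_pps(frame_bytes):
    """Maximum frames/s on Gigabit Ethernet for one frame size
    (frame plus 8-byte preamble and 12-byte inter-frame gap, 8 bits/byte)."""
    return 1_000_000_000 // ((frame_bytes + 20) * 8)


def make_dut(capacity_pps, floor_loss_per=0):
    """Build a simulated device under test (constructed, not a real V200).

    capacity_pps   -- frames/s forwarded without loss
    floor_loss_per -- if non-zero, one extra frame is dropped per this many
                      offered at any rate (models a small residual loss)
    Returns send_trial(rate_pps, duration_s) -> (offered, lost).
    """
    def send_trial(rate_pps, duration_s):
        offered = rate_pps * duration_s
        lost = max(0, offered - capacity_pps * duration_s)
        if floor_loss_per:
            lost += offered // floor_loss_per
        return offered, lost
    return send_trial


def rfc2544_throughput(send_trial, line_rate_pps, duration_s=60, resolution_pps=1):
    """Highest offered rate (frames/s) at which the device loses no frames.

    Tries line rate first, then binary-searches between the last passing
    and first failing rate until they are within resolution_pps.
    Returns 0 if every tested rate above zero lost frames.
    """
    _, lost = send_trial(line_rate_pps, duration_s)
    if lost == 0:
        return line_rate_pps
    lo, hi = 0, line_rate_pps  # invariant: lo passed (0 pps trivially), hi failed
    while hi - lo > resolution_pps:
        mid = (lo + hi) // 2
        _, lost = send_trial(mid, duration_s)
        if lost == 0:
            lo = mid
        else:
            hi = mid
    return lo


def loss_ratio(send_trial, rate_pps, duration_s=60):
    """Fraction of offered frames lost at one rate: a forwarding-rate view,
    which is what a 'trivial loss' figure describes, not throughput."""
    offered, lost = send_trial(rate_pps, duration_s)
    return lost / offered


if __name__ == "__main__":
    line_rate = gige_line_rate_pps(64)                    # 1,488,095 frames/s
    firewall = make_dut(capacity_pps=1_000_000)           # clean drop-off above capacity
    ipsec = make_dut(capacity_pps=1_000_000, floor_loss_per=10_000)
    print("firewall throughput:", rfc2544_throughput(firewall, line_rate))  # 1000000
    print("ipsec throughput:", rfc2544_throughput(ipsec, line_rate))        # 166
    print("ipsec loss at 500k pps:", loss_ratio(ipsec, 500_000))            # 0.0001
```

The modelled IPSec device forwards 99.99% of frames at half its capacity, yet its zero-loss throughput is 166 frames/s, the largest rate whose 60-second trial offers fewer than 10,000 frames. That is the distinction the review draws: a loss ratio can be trivial while the throughput figure, as the IETF defines it, is not.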
