Social Web
Email
Close

Clear Choice Test Unified Threat Management Firewalls. All-in-one firewalls show spotty performance: Juniper, Cisco, Check Point lead the way in test of 13 unified threat management devices.

Intro to UTM Testing	Testing categories	Product Summaries	Click tabs to expand

Why test all-in-one firewalls for the enterprise?
How to test all-in-one firewalls
The bottom line of our testing: Netresults and Scorecard
Podcast: What Joel Snyder thinks, but could not actually prove about testing enterprise UTM

x close

A closer look at UTM hardware architecture

By Joel Snyder , Network World , 11/12/2007

Share/Email
Tweet This
Comment
Print

This test showed that UTM firewalls come in all speeds, shapes and sizes.

One of the appliances we received was simply an off-the-shelf server (IBM’s System x3650). Other devices ranged from very lightly customized (Secure Computing put an IPS accelerator board and a customized BIOS in a Dell box to yield its Sidewinder 2150D) to the heavily engineered chassis found in the Juniper ISG-1000 and the Fortinet FortiGate 3600A.

Vulnerability Management Buyer's Checklist: Download now

In general, though, firewall vendors have taken advantage of the enormous boon that Intel has provided in low-cost, high-performance CPUs that are aimed at general-purpose computing. Much of the customization in the devices we received was aimed at increasing port density and value engineering by removing parts (such as graphics adapters) that add cost but not value.

Tracking UTM Firewall hardware options

For the specific models of the UTM firewalls tested, both the hardware configurations as well as the possible options varied wildly. For testing, vendors selected their configurations.

Vendor	Product	Ports (in Ethernet speeds unless noted)	Power Supplies	Expansion Slots	Options available to model tested
Astaro	ASG 425a	6x1000,2xSFP	1	0	No options available
Check Point	UTM-1 2050	4x1000,4x100	1	0	No options available
Cisco	ASA5540 with SSM-20 IPS module	4x1000,1x100	1	1	IPS or A/V engine available
Crossbeam	C25	12x1000,1x100	2	3	Ability to swap and 4-port gigabit Ethernet module for a 4-port SFP or FailOpen IPS module.
Fortinet	FortiGate 3600A	8x1000,2xSFP	2	1	4-port SFP or storage module.
IBM	System x3650	8-1000 as tested	2	4	2X1000 or 4x1000
IBM/ISS	Proventia MX5010	10x1000	2	0	No options available
Juniper Networks	ISG-1000	4x1000	1	2	2xSFPor 4xSFP, 4x100,2x1000
Juniper Networks	SSG-520M	4x1000	1	6	1x1000, 4x100, 8x1000,16x1000, 2xT1/E1, 1xT3/E3, 1xDSL, 6xSFP
Nokia	IP290	6x1000	1	1	2x1000; 2x1000 FailOpen IPS
Secure Computing	Sidewinder 2150D with IPS accel.	8x1000	2	2	12x1000
SonicWALL	PRO 5060	6x1000	1	0	No options available
WatchGuard	Firebox Peak X8500e	8x1000	1	0	No options available

Click to see: Tracking UTM Firewall hardware options

Starting from the ground up, power options abound as the Crossbeam C25, FortiGate 3600A, IBM System x3650, IBM/ISS Proventia MX5010, and Secure Computing Sidewinder 2150D all sport two power supplies, either as an option or as part of the base configuration. Although two power supplies make a system less efficient in its use of electricity (see UTM power-consumption story), they do guard against one of the most common failures: accidentally unplugging the wrong system.

Related Content

The same is true of slots. With most of these devices coming out of the box with at least four, Gigabit Ethernet ports as well as VLAN support, having expansion slots may be overkill, although it does give you a lot of options. Consider the Juniper SSG-520M, which lets you pick from 16 expansion cards, including WAN and DSL interfaces.

Crossbeam and Nokia also offered “failopen” Ethernet cards, which pass traffic through in the event of total system failure. You wouldn’t want “failopen” for a normal firewall, but these can be useful in an IPS deployment where the firewall features are secondary or simply “defense in depth” backups.