Network World
Clear Choice Test Unified Threat Management Firewalls. All-in-one firewalls show spotty performance: Juniper, Cisco, Check Point lead the way in test of 13 unified threat management devices.
Tracking UTM high availability

By Joel Snyder, Network World, 11/12/2007

The high-availability (HA) and scalability features in the enterprise UTM firewalls we tested range from very fancy to dead simple.

We believe that most network managers will go for the “dead simple” end of the spectrum on the theory that the more complicated it is, the more likely it is to fail.

We gave the highest scores to products that recovered within four seconds and took points off when products took more than a minute to restart traffic flows.

Tracking UTM firewall high availability

Juniper, Check Point and Nokia all excelled in our failover tests, taking virtually no time to migrate data to the standby machine when the primary machine lost power.

| Vendor | Product | Supports active/passive failover | Supports active/active failover | Supports clustering | Time to recovery |
|---|---|---|---|---|---|
| Astaro | ASG 425a | Y | Y | Y | 72 seconds / A/P |
| Check Point | UTM-1 2050 | Y | Y | N | 0 seconds / A/A |
| Cisco | ASA5540 with SSM-20 IPS module | Y | Y | N | 72 seconds / A/P |
| Crossbeam | C25 | Y | Y | N | 0 seconds / A/P |
| Fortinet | FortiGate 3600A | Y | Y | N | 64 seconds / A/P |
| IBM | System x3650 | Y | Y | N | Not tested* |
| IBM/ISS | Proventia MX5010 | Y | N | N | 60 seconds / A/P |
| Juniper Networks | ISG-1000 | Y | Y | N | 0 seconds / A/P |
| Juniper Networks | SSG-520M | Y | Y | N | 0 seconds / A/P |
| Nokia | IP290 | Y | Y | Y | 0 seconds / A/A |
| Secure Computing | Sidewinder 2150D with IPS accel. | Y | Y | N | 68 seconds / A/P |
| SonicWALL | PRO 5060 | Y | N | N | 8 seconds / A/P |
| WatchGuard | Firebox Peak X8500e | Y | N | N | 16 seconds / A/P |

* Vendor submitting a single box for testing

While most vendors -- SonicWALL and WatchGuard were the exceptions -- also offer active/active HA, in which two firewalls load-balance automatically between themselves, we tested active/passive HA, in which a hot standby system takes over when the active node goes down.

The argument here is that any performance benefit gained from an active/active configuration pales in comparison to the guarantee that, when an HA event hits an active/passive configuration, you'll still have just as good performance as before the event. Because a typical HA event might be a hardware failure that could take a box out for 24 to 72 hours, having the same performance before and after would be pretty important.

We made an exception to this rule for Check Point firewalls, because we had four platforms running the same software and we wanted to see whether there were differences among the different HA approaches. On Check Point’s own hardware, we tested using Check Point’s active/active, and on Nokia hardware, we tested using Nokia’s IPSO clustering.

Our tests showed that the HA features in Check Point’s software running on all hardware platforms, and those in Juniper products, fail over with no traffic blocked (by our four-second definition). We turned off a system and sessions kept flowing through both vendors’ failover UTM firewalls. This was true for the Check Point UTM-1 2050, Crossbeam C25, Nokia IP290, and both the Juniper ISG-1000 and SSG-520M firewalls.
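
The article does not describe its measurement harness. As an added example (not Network World's test code), this Python code derives time to recovery from a probe log and grades it against the four-second and one-minute thresholds stated above. The log format, function names and sample lines are assumptions constructed for illustration.

```python
from datetime import datetime

SEAMLESS_S = 4.0   # article: recovery within four seconds scored highest
PENALTY_S = 60.0   # article: points taken off beyond a minute

# Constructed sample log (not test data from the article):
# "<ISO timestamp> <ok|fail>" for each probe sent through the firewall pair.
SAMPLE_LOG = """
2007-11-12T10:00:00 ok
2007-11-12T10:00:01 ok
2007-11-12T10:00:02 fail
2007-11-12T10:00:05 fail
2007-11-12T10:00:09 ok
2007-11-12T10:00:10 ok
"""

def parse(log):
    """Return [(timestamp, succeeded)] sorted by time, skipping blank lines."""
    probes = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split()
        probes.append((datetime.fromisoformat(stamp), status == "ok"))
    return sorted(probes)

def time_to_recovery(probes):
    """Longest outage in seconds, measured from the last good probe before a
    failure run to the first good probe after it (an upper bound on the real
    outage). Returns inf if traffic never resumed within the capture."""
    worst, last_ok, start = 0.0, None, None
    for ts, ok in probes:
        if not ok:
            if start is None:
                # Use this failure as the start if the capture began mid-outage.
                start = last_ok or ts
        else:
            if start is not None:
                worst = max(worst, (ts - start).total_seconds())
                start = None
            last_ok = ts
    return float("inf") if start is not None else worst

def grade(seconds):
    """Bucket a recovery time using the article's two thresholds."""
    if seconds <= SEAMLESS_S:
        return "no traffic blocked"
    return "penalized" if seconds > PENALTY_S else "interrupted"
```

Because the outage is bounded by the surrounding good probes, the probe interval sets the measurement resolution; it has to be well under four seconds for the first bucket to mean anything.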
