Review: Who's got the fastest firewall?

Crossbeam, IBM win raw performance test; Juniper, Watchguard score on price/performance

By Joel Snyder and David Newman, Network World
December 10, 2007 12:03 AM ET

When we tested firewall performance as part of in our UTM firewall test we focused on how well the products would push inspected packets along with other UTM features, specifically intrusion-prevention systems and antivirus, turned on. However, many enterprise managers will use these devices primarily just as firewalls, and might be curious how fast they’d operate without UTM slowing them down.

Our initial test bed had been tuned for 1Gbps throughput, and eight of the 13 firewalls we tested blew right past the 1Gbps mark without UTM turned on. So, with the help of David Newman from Network Test, we outfitted the test bed with a 2.8Gbps capacity, and re-ran our firewalls through at that higher speed.

How we did it
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter

This second round of testing employed the same product configurations used for the 1Gbps UTM test with two exceptions. WatchGuard and Secure Computing have long offered proxy-based firewalls, claiming higher security than simple packet filters although with a cost in performance. WatchGuard’s Firebox and Secure Computing’s Sidewinder have the flexibility to use either simple packet filters, a generic proxy or an HTTP-specific proxy for HTTP traffic. Since our tests were made using HTTP traffic, we tested all three scenarios and reported all three numbers for each product.

Tracking high-speed firewall performance
Follow-up firewall tests showed that when pushed to speeds faster than 2Gbps, the top raw performers are Crossbeam Systems and IBM. When cost is factored in, however, Juniper Networks' lower-end box and WatchGuard Technologies' Firebox Peak provide the best firewall price/performance punch.

Related Content

Vendor	Product	Price as tested	Raw speed (Mbps)	Performance tuning notes
Astaro	ASG 425a	$30,600	243
Check Point	UTM-1 2050	$50,800	754
Cisco	ASA5540 with SSM-20 IPS module	$53,500	662
Crossbeam	C25 running Check Point Secure Platform	$99,000	2800	Maximum rate of test bed
Fortinet	FortiGate 3600A	$122,000	1240
IBM	System x3650 running Check Point Secure Platform	$68,200	2800	Maximum rate of test bed
IBM ISS	Proventia MX5010	$60,000	1403
Juniper	ISG-1000	$60,000	987
Juniper	SSG-520M	$24,600	1420
Nokia	IP290 running Check Point Secure Platform	$56,000	994 750	NAT disabled; using Nokia cluster NAT enabled; using Nokia cluster
Secure Computing	Sidewinder 2150D with IPS acceleration	$87,500	1810 1030 826	Using packet filters for HTTP Using generic proxies for HTTP traffic Using HTTP proxies for HTTP traffic
SonicWall	Pro 5060	$24,000	587
WatchGuard Price includes cost of a high-availability pair of devices, system and management software, management and one year UTM support subscription.	Firebox Peak X8500e	$20,600	1340 471 385	Using packet filters for HTTP Using HTTP proxies for HTTP traffic Using generic proxies for HTTP traffic

Click to see: Chart of high-speed performance

Overall, we found that if you don’t want to turn on any of the UTM features, you can get outstanding performance with almost half of the boxes we tested running at more than gigabit speeds. Even better news is that some of those high-performance boxes (namely Juniper SSG-520M and WatchGuard’s Firebox Peak X8500e) are offered (we say almost) at a great price. (You can compare pricing for dozens of UTM products in our UTM Buyer's Guide.)