- 12 iPhones Apps That Will Make You a Networking Star
- 10 Careers Robots Are Taking From You
- Big Data Gold Isn't Always Where You Would Expect It
- 6 Tips to Build Your Social Media Strategy
Network World - Next-generation firewalls claim to identify application-layer attacks and enforce application-specific policies while delivering top-notch performance, even with advanced security features turned on.
In the first installment of this two-part Clear Choice test, we tackle the performance issue, evaluating NGFWs from Barracuda, Check Point, Fortinet and SonicWall (recently acquired by Dell). On May 7, we'll present Joel Snyder's analysis of the features and functionality of these same devices.
Our overall conclusion is that next-gen firewalls are getting faster, and the tradeoff between speed and security is definitely getting smaller, but it's still there.
While all devices moved traffic at multi-gigabit rates while doing application inspection - the feature that separates a next-gen firewall from a traditional firewall - forwarding rates fell when we offered SSL traffic, and plummeted when we turned on SSL decryption.
In our tests, SonicWall's SuperMassive, the most expensive of the four products, moved traffic the fastest, even when forwarding SSL traffic. In multiple cases it maxed out the capabilities of our test bed. For example, when doing application inspection of clear-text traffic, it moved traffic at or near 20Gbps. That's even faster than Palo Alto's PA-5060, which hit 17Gbps in a test we conducted last year.
Fortinet's FortiGate 3950B also pushed the limits of our test bed and finished a close second to SonicWall in tests involving clear-text traffic. It also handled slightly more TCP connections than the SonicWall device.
There was no performance slowdown with either the SonicWall or Fortinet devices when IPS and unified threat management (UTM) features were turned on. Conversely, turning on IPS and unified threat management (UTM) in the Barracuda and Check Point systems carried a heavy performance cost.
Check Point ran away with our toughest test. The Check Point 12610 proved by far the fastest at SSL decryption across all device configurations and was the only system tested to break the 1Gbps barrier (The SonicWall device ran faster still, but only when we changed our test configuration to offer more flows (see sidebar).
Barracuda, the lowest-cost device in our test, delivered a solid 12Gbps when we measured clear-text throughput using mixed content types.
We measured forwarding rates for mixed and static-length HTTP and SSL content (both using HTTP and SSL); forwarding rates with SSL decryption enabled; and TCP scalability (see "How We Did It"). Of these, we put the greatest emphasis on the mixed HTTP tests, because they most closely approximate the loads handled by firewalls in enterprise networks.
A key goal of these tests was to compare results with those of the Palo Alto PA-5060 we evaluated in 2011 using the same methodology.
The mixed-content tests involved a variety of object sizes, like enterprise traffic, ranging from 1KB to 1.536MB, and a variety of content types, including .jpeg images, PDF documents, binary files and text objects.