Network World - When we tested four next-gen firewalls strictly on performance, we found that the products could forward packets at impressive rates, but throughput dropped when advanced security features were turned on. We now dive deep into application identification and control - the defining features of next-gen firewalls - to find out what works and what doesn't.
We discovered that although the four products tested show promise, there's still work to be done. Check Point, SonicWALL and Fortinet were clustered at the top of our scorecard, but still have areas we hope to see improved. Barracuda didn't score as well, but is in the middle of a significant product upgrade.
The defining characteristic of a next-generation firewall is the ability to identify and control traffic at the application layer, so we designed a suite of 40 tests in nine categories to see how well the firewalls lived up to their billing.
No one came close to a perfect score, with SonicWall SonicOS identifying and blocking 26 of our 40 test applications, followed closely by Check Point Security Gateway with 24, Fortinet FortiGate with 21 and Barracuda NG Firewall with 18.
(Editor's Note: In the first part of this test, vendors submitted their biggest, fastest boxes to David Newman's lab in California for performance testing. We allowed vendors to send a smaller, lighter device within the same product family to Joel Snyder's Arizona lab for features testing. In every case except SonicWall's, the actual product name was the same for both tests, just a different model number. In SonicWall's case, we tested the SuperMassive 10800 for performance and the NSA E8500 for features, so to avoid any confusion we're referring to the product here as SonicOS, the operating system both models share.)
In our testing, some apps caused more problems than others. For example, in our quest for recent episodes of "The Big Bang Theory" (porn for geeks), Check Point and SonicWall blocked our BitTorrent client from reaching out and touching Sheldon, while Barracuda and Fortinet didn't.
On the other hand, Check Point couldn't block Skype and none of the products blocked Google's Gmail, which slipped through when we hit the "click here for basic HTML if your browser is not showing you your email" button.
SonicWall has so many sub-divisions of every application, none of which were documented or made any sense to us, that we gave it a failing score when we tried to allow end users to see Facebook, but not post to it — one of vendor marketing's favorite examples of why a next-generation firewall is a good idea. It was possible to block Facebook completely, but you can do that with a URL filter — you don't need a next-generation firewall. SonicWall would have had a higher score if its application identification GUI wasn't so poorly designed.
The Check Point Security Gateway has a fantastic management interface for application identification and control that is much easier to use than the other products we tested. However, the engine underlying that interface doesn't work as well as SonicWall. For example, we could easily create policies that blocked particular parts of Facebook or LinkedIn, but those policies didn't actually work. Only when we blocked all of LinkedIn, for example, did the firewall behave properly.
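The two failure modes described above, a Gmail "basic HTML" view that slips past application identification and a "browse Facebook but don't post" policy that is only as good as the engine's sub-function classification, come down to the same mechanism: signature rules that map a request to an application and function, followed by an ordered policy. The toy model below is an added illustration, not code from Network World or from any of the vendors tested; every host, path and signature in it is an assumption made for the example. It shows a first-match signature table, a policy that distinguishes Facebook browsing from posting, and a small scoring loop like the one behind the article's 40-test scorecard that surfaces the request the signatures fail to cover.

```python
"""Toy model of next-gen firewall application identification and control.

Added illustration only; not code from Network World or any tested vendor.
It classifies constructed HTTP request summaries into (application, function)
pairs using a signature table, applies an ordered policy such as "allow
Facebook browsing but block Facebook posting", and scores the results
against the administrator's intent.  All hosts, paths and signatures are
assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HttpRequest:
    method: str
    host: str
    path: str


# Signature table: (host suffix, required path prefix or None,
# required method or None) -> (application, function).  First match wins,
# so the more specific POST rule must precede the generic browse rule.
SIGNATURES: List[Tuple[str, Optional[str], Optional[str], Tuple[str, str]]] = [
    ("facebook.com", None, "POST", ("facebook", "post")),
    ("facebook.com", None, None, ("facebook", "browse")),
    # Assumed signature that only recognises the full Gmail UI path.
    ("mail.google.com", "/mail/u/", None, ("gmail", "webmail")),
]


def identify(req: HttpRequest) -> Tuple[str, str]:
    """Return (application, function), or ("unknown", "unknown") if nothing matches."""
    for host_suffix, path_prefix, method, app in SIGNATURES:
        if req.host != host_suffix and not req.host.endswith("." + host_suffix):
            continue
        if path_prefix is not None and not req.path.startswith(path_prefix):
            continue
        if method is not None and req.method != method:
            continue
        return app
    return ("unknown", "unknown")


# Ordered policy; "*" matches any function of the application.
# Traffic matching no rule is allowed, as ordinary web browsing would be.
POLICY: List[Tuple[Tuple[str, str], str]] = [
    (("facebook", "post"), "block"),
    (("facebook", "browse"), "allow"),
    (("gmail", "*"), "block"),
]


def decide(req: HttpRequest) -> str:
    """Apply the first policy rule whose (application, function) matches."""
    app, func = identify(req)
    for (rule_app, rule_func), action in POLICY:
        if rule_app == app and rule_func in ("*", func):
            return action
    return "allow"


# Constructed test cases: (request, action the administrator intended).
TEST_CASES: List[Tuple[HttpRequest, str]] = [
    (HttpRequest("GET", "www.facebook.com", "/"), "allow"),
    (HttpRequest("POST", "www.facebook.com", "/ajax/updatestatus.php"), "block"),
    (HttpRequest("GET", "mail.google.com", "/mail/u/0/"), "block"),
    # Constructed "basic HTML" Gmail path that the signature table does not cover.
    (HttpRequest("GET", "mail.google.com", "/mail/h/"), "block"),
]


def run_suite(cases: List[Tuple[HttpRequest, str]] = TEST_CASES) -> Tuple[int, List[HttpRequest]]:
    """Return (number of cases passed, requests whose outcome differed from intent)."""
    failures = [req for req, intended in cases if decide(req) != intended]
    return len(cases) - len(failures), failures


if __name__ == "__main__":
    passed, failures = run_suite()
    print(f"{passed}/{len(TEST_CASES)} cases passed")
    for req in failures:
        print("coverage gap:", req.method, req.host + req.path,
              "->", decide(req), "identified as", identify(req))
```

The suite reports three of four cases passing: the basic-HTML request is identified as "unknown" and falls through to the default allow, which is exactly the kind of gap a test like the article's exposes and a reason to treat an application-control rule as a claim to be verified rather than a guarantee.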