Network World - Enterprise firewalls must have policies to control traffic, the ability to create site-to-site VPNs using standards-based IPsec, address and port translation (NAT) when needed, and basic bandwidth management for traffic. They must also support features such as high availability (active/passive or active/active), virtual LANs, Ethernet link aggregation, and global management systems.
We found that next generation firewall vendors are simply layering application aware features on top of their existing firewalls. That's a good thing, because it makes it more likely that the firewalls don't suffer from the kinds of bugs that any new product can have, and because they're starting out of the gate with a great, tested, feature set. The products we tested, from Check Point, Fortinet, SonicWall, and Barracuda Networks, don't have different names or even different licensing. You don't order a SonicWall next generation firewall; you just order a SonicWall firewall, and it has next-generation features. Same for Check Point, Fortinet and Barracuda Networks.
Most readers will be familiar with the Check Point Security Gateway, Fortinet FortiGate and SonicWall SonicOS products already. The Barracuda NG Firewall doesn't have the same market penetration in North America — it comes through Barracuda's acquisition of Austrian firewall manufacturer Phion in 2009 — so the product won't be as familiar to Network World readers.
Barracuda's NG Firewall does have a stateful packet filter but the architecture of the NG Firewall is more like a bastion host application layer firewall (think Digital Equipment Corp's SEAL or Trusted Information Systems' Firewall Toolkit), with embedded proxies for HTTP, SSH, and FTP, an internal mail gateway to handle SMTP traffic, and the option to redirect any traffic passing through the firewall to an application running on the firewall itself.
The Barracuda NG Firewall is a thoroughly modern product, with features such as traffic shaping and UTM protections, integrated IPSec and SSL VPN and even Network Access Control — but the NG Firewall doesn't look much like other popular products in the firewall space.
This means that if you plan to evaluate the Barracuda NG Firewall, add some space in your schedule to get used to the configuration system and plan to spend some time on the phone with technical support, as we did, to understand how all the pieces fit together.
We found that all four products do meet the basic criteria for enterprise firewalls, meaning that you could use them as firewalls for your organization without touching the next generation features. We did find some differences, but more in the edge features than in the core of what a firewall does. Our test criteria focused on enterprise features, and we found that the least mature firewall product in the areas of high availability and bandwidth management is the Barracuda NG Firewall.
For example, the Barracuda NG Firewall's main high availability capabilities are based on active/passive device pairs, without full sharing of session state. The Check Point Security Gateway, FortiGate and SonicOS systems all support active/active clusters with more than two devices, a more attractive option when protecting highly available enterprise networks.
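To make concrete why session-state sharing matters in a high-availability pair (and, from the opening paragraph, what a stateful policy does with packets it has no session for), here is an added Python model. It is a constructed illustration, not code from the article or from any of the vendors; the firewall names, rule base, addresses and the `sync_state` switch are all assumptions of the example. A mid-stream packet that reaches the standby after failover is allowed only if the session table was replicated; otherwise the stateful filter sees a non-SYN packet with no session entry and drops it, which is exactly how an active/passive pair without state sharing breaks established connections.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    dport: int
    action: str                # "allow" or "deny"


class StatefulFirewall:
    """One cluster member: a rule base plus a session table (constructed model)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules
        self.sessions: set = set()
        self.peer: Optional["StatefulFirewall"] = None   # set when session sync is enabled

    def policy(self, pkt: Packet) -> str:
        """First-match rule lookup with an implicit deny at the end of the rule base."""
        for rule in self.rules:
            if rule.dport == pkt.dport:
                return rule.action
        return "deny"

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "allow"             # established session: no rule lookup needed
        if not pkt.syn:
            return "drop-no-state"     # mid-stream packet whose start this node never saw
        verdict = self.policy(pkt)
        if verdict == "allow":
            self.sessions.add(key)
            if self.peer is not None:
                self.peer.sessions.add(key)   # replicate the new session to the standby
        return verdict


class ActivePassiveCluster:
    """Two members, one active; sync_state decides whether sessions are replicated."""

    def __init__(self, rules: List[Rule], sync_state: bool):
        self.primary = StatefulFirewall("fw-a", rules)     # hypothetical names
        self.secondary = StatefulFirewall("fw-b", rules)
        if sync_state:
            self.primary.peer = self.secondary
            self.secondary.peer = self.primary
        self.active = self.primary

    def forward(self, pkt: Packet) -> str:
        return self.active.forward(pkt)

    def failover(self) -> None:
        self.active = self.secondary if self.active is self.primary else self.primary


def simulate_failover(sync_state: bool) -> List[str]:
    """Open a session, then fail over and send a mid-stream packet of that session."""
    rules = [Rule(443, "allow"), Rule(23, "deny")]      # constructed rule base
    cluster = ActivePassiveCluster(rules, sync_state)
    client, server = "10.0.0.5", "203.0.113.10"          # constructed addresses
    results = [
        cluster.forward(Packet(client, 51000, server, 443, syn=True)),   # allow: new HTTPS session
        cluster.forward(Packet(client, 51001, server, 23, syn=True)),    # deny: telnet blocked by policy
        cluster.forward(Packet(client, 51000, server, 443)),             # allow: established session
    ]
    cluster.failover()
    results.append(cluster.forward(Packet(client, 51000, server, 443)))  # allow only if state was synced
    return results


if __name__ == "__main__":
    print("with state sync:   ", simulate_failover(sync_state=True))
    print("without state sync:", simulate_failover(sync_state=False))
```

The last entry in each result list is the one that matters when evaluating an HA design: with replication the surviving node continues the flow, without it every long-lived connection (VPN tunnels, database sessions, large transfers) has to be re-established after a failover.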