Facing ever-increasing network threats, businesses of all sizes are demanding more security features from their firewalls, such as security policy management, intrusion detection and prevention (IDP), and VPN capabilities. Consequently, firewall manufacturers are rising to the challenge and cramming more and more security functionality into their products.
In our continuing quest to see how firewalls are stacking up, we tested another group of devices. This round included two higher-priced firewalls, the Fortinet FortiGate-500 and WatchGuard Technologies’ Vclass V80, as well as the SonicWall Pro 330, an Internet security appliance.
To assess just how capable these souped-up firewalls are, I emulated a multi-protocol network, then launched a range of attacks against the boxes, including Syn, Smurf, Reset, and Address Resolution Protocol (ARP) floods, first separately, then simultaneously. Additionally, I challenged the boxes to meet their stated VPN support figures, testing both VPN tunnel support and data performance metrics.
The good news is, these contenders stood up nicely, with few exceptions, to my attack tests. The FortiGate-500 wasn’t fazed by any of them, and the V80 wasn’t fazed by any but the Syn. The Pro 330, considered the least muscular of all the entries, actually provided strong defence against all attacks except the ARP flood, which isn’t that common an attack.
The not-so-good news, depending on your needs, is that deploying VPN functionality with these firewalls is not reasonably easy, not even with the SonicWall, which the company deems an appliance. The Pro 330 supported close to its marketing claim of 1000 tunnels, so its VPN support is limited, and it doesn’t ship with the required software and provides support only to other SonicWall devices. The FortiGate-500 and V80 are quite robust and do support tunnelling to other firewalls; tunnels can be built individually, or multiples can be constructed using a script, but there is no way of quickly cloning them.
Fortinet FortiGate-500
This high-end enterprise box falls just below the company’s large enterprise and service provider offerings. It runs on an ASIC-based 1GB Pentium 4 processor, which gives it plenty of processing power compared to the less robust SonicWall box.
The FortiGate-500 is easy to set up, either through the Web-based GUI or command line prompts. The management GUI is easy on the eyes and intuitive, with sections such as the system, firewall, user, VPN, NIDS, antivirus, email and Web filters, as well as logs and reports, which are easy to select through a left frame menu. There’s no full-blown spam filtering but it does filter keywords.
The FortiGate-500 left the other contenders in the dust when it came to delivering rock-solid firewall beef. In the lab, none of the attacks or combination attacks fazed it. It supported 2400 multi-protocol connections per second and held on to 422,000 sustained connections. I did find that the device began dropping larger numbers of connections intermittently after hitting the 260,000 mark.
SonicWall Pro 330
The Pro 330 provided the best bang for the buck in this round-up. The Pro 330 uses a customised version of the VXWorks OS and is set up via a Web-based GUI. Its management interface is as utilitarian as its form factor with no extra ports, and is sufficient to get the job done in a pretty straightforward manner. Configuration proved somewhat convoluted — I needed to specify IP address ranges attached to the WAN link or designate a gateway through which to route traffic.
When it came time to deliver data, the SonicWall, running on the somewhat limiting PDA-size StrongArm 233MHz processor, turned in a maximum 340 connections per second with the total number of persistent connections hitting the 96,000 mark. It wouldn’t handle the larger loads and didn’t ramp as well with mixed protocol data as the other two firewalls. However, it did a decent job of withstanding my attacks with the exception of a 28.4 per cent unsuccessful transaction rate on the ARP attack.
WatchGuard Vclass V80
The V80’s initial setup can be handled either through WatchGuard’s Vcontroller software via a Port 443 SSL connection to the box or from Cisco-like command line prompts. Changes are made directly to the CPU and updated to the database so the V80 doesn’t require reboots unless the modifications cause an interface change.
Vcontroller’s six-step setup wizard is self-explanatory and simple to move through, yet it does not compromise potential customisation. Some important capabilities include enabling Dynamic Host Configuration Protocol (DHCP) on the private side and sending out email alerts based on designated alarm conditions.
The V80’s default policy allows no traffic in. You can configure settings within the nifty Hacker Prevention screen using a setup wizard, making it possible to catch an attack that slips past the logic built in to the ASIC chip. I was able to set packet-per-second thresholds for several common nasties such as Internet Control Message Protocol (ICMP), Syn, User Datagram Protocol (UDP), point of demarcation (POD) and IP source route attacks. Additionally, V80 allows you to look at all the servers on your network, choose the weakest, and set parameters to that one. These customisable settings make this a very flexible, scalable product.
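The packet-per-second thresholds described above are a simple rate check: count packets of each monitored type per one-second window and raise an alert when a window exceeds the configured limit. The following is an added example of that logic in Python; it is not WatchGuard’s code and does not reproduce the V80’s ASIC behaviour. The threshold values, the `classify` bucket names and the packet records are constructed for illustration; real thresholds are chosen from a baseline of normal traffic on the protected network.

```python
"""Per-protocol packets-per-second threshold detector.

Added example, not vendor code. THRESHOLDS and the packet sample are
constructed values; tune real limits from measured baseline traffic.
"""
from collections import defaultdict

# Constructed thresholds in packets per second, keyed by traffic bucket.
THRESHOLDS = {"icmp": 100, "syn": 200, "udp": 500}


def classify(pkt):
    """Map a parsed packet record to a threshold bucket, or None if unmonitored.

    A TCP packet with only the SYN flag set counts toward the 'syn' bucket;
    ICMP and UDP packets count toward their own buckets; everything else
    (established TCP, other protocols) is not rate-checked here.
    """
    proto = pkt["proto"]
    if proto == "tcp" and pkt.get("flags") == "S":
        return "syn"
    if proto in ("icmp", "udp"):
        return proto
    return None


def detect_floods(packets, thresholds=THRESHOLDS):
    """Count monitored packets per (whole-second window, bucket) and return
    an alert tuple (second, bucket, count) for every window whose count
    exceeds that bucket's threshold, sorted by time.

    packets: iterable of dicts with keys 'ts' (float seconds), 'proto' and,
    for TCP, 'flags'.
    """
    counts = defaultdict(int)
    for pkt in packets:
        bucket = classify(pkt)
        if bucket is None:
            continue
        counts[(int(pkt["ts"]), bucket)] += 1
    alerts = [
        (sec, bucket, n)
        for (sec, bucket), n in counts.items()
        if n > thresholds[bucket]
    ]
    return sorted(alerts)


def _burst(ts, count, proto, flags=None):
    """Build `count` packet records spread evenly inside one second."""
    step = 1.0 / max(count, 1)
    pkts = []
    for i in range(count):
        rec = {"ts": ts + i * step, "proto": proto}
        if flags is not None:
            rec["flags"] = flags
        pkts.append(rec)
    return pkts


def constructed_sample():
    """Constructed traffic: second 0 is calm, second 1 carries a SYN burst
    over its threshold while ICMP sits exactly at its limit (no alert),
    and second 2 has an ICMP burst over its limit."""
    pkts = []
    pkts += _burst(0.0, 50, "tcp", "S") + _burst(0.0, 20, "icmp")
    pkts += _burst(0.0, 30, "udp") + _burst(0.0, 10, "tcp", "A")
    pkts += _burst(1.0, 250, "tcp", "S") + _burst(1.0, 100, "icmp")
    pkts += _burst(1.0, 5, "udp")
    pkts += _burst(2.0, 120, "icmp")
    return pkts


if __name__ == "__main__":
    for sec, bucket, n in detect_floods(constructed_sample()):
        print(f"second {sec}: {bucket} flood, {n} packets in the window")
```

The threshold comparison is strict, so a window that lands exactly on the limit does not alert; this matters when tuning, because a limit set at the observed peak of normal traffic will still trip on the first busier-than-usual second. To apply a tighter limit to one weak server, as the review describes, the counts would additionally be keyed by destination address and the threshold looked up per host.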
WatchGuard acquired RapidStream in April 2002 and as part of the product merger process, RapidStream’s RapidStream Security Appliance (RSSA) series morphed into the Vclass series. Hardware architecture remains the same, but there have been software upgrades.
WatchGuard’s most recent software release includes application-layer inspection for HTTP and SMTP, Border Gateway Protocol (BGP) routing support, DHCP relay, and WAN fail-over.
The V80 supported a respectable 1150 connections per second, sustained 125,960 persistent connections, and was unaffected by any of the attacks I tossed at it. I did notice, however, that the latency through the box increased every minute, then returned to the previous level almost as if a timer went off.
Its VPN capabilities proved the most powerful of my group’s, supporting data passage through 7968 tunnels and providing a 63Mbps bi-directional data performance figure.
The V80 and FortiGate-500 proved they are in the same solution and cost class, although with slightly different strengths. If firewall muscle is of primary importance, the FortiGate-500 is the clear choice. If you’re more in need of VPN capability, the WatchGuard is the ticket. Both were impervious to the range of attacks we slung at them. The Pro 330 is the least powerful of the group but it only costs one third of the price of the other two, and would be suitable for most medium-size businesses.