PRO 1260 Enhanced offers flexibility

Because the PRO 1260 runs an enhanced version of SonicOS software, each port on the firewall can be configured as its own security zone. In effect, you can set up an individual firewall for every system in the company's Internet DMZ. Since traffic between systems can then be fully controlled, a DMZ built this way does not turn into a free-for-all if any one system behind the firewall is compromised.

In our test, we found the PRO 1260 lives up to its flexibility promise. However, performance issues indicate this firewall might not be the right fit for inter-LAN traffic or Internet connections faster than 3Mbps to 5Mbps.

The PRO 1260 offers the features you expect from an all-in-one firewall, including IPSec VPN, firewall-based antivirus and content filtering, and in-line intrusion-detection and -prevention capabilities. SonicWall also has included email filtering that can block certain types of attachments. Add the traditional stateful packet-filtering firewall and network address translation (NAT) capabilities to these optional features, and you have a traditional small and midsize business firewall package.

While other firewall vendors have commonly built small Ethernet switches into their products, SonicWall provides the capability to treat each port as a separate security zone with its own security policy, NAT rules and even bandwidth management allotments. Because there are 27 ports all told - 24 for the individualised zones, one for an up-link and two dedicated for optional WAN and DMZ usages - that's a lot of control and flexibility.

The PRO 1260 uses a Web-based administrative GUI (although a command-line interface exists via the serial port). SonicWall has taken great pains to make the set of firewall rules viewable (and editable) in any one of three formats - a zone-by-zone grid, a list picked by zone, or just a long list of all rules.

Although we found the GUI easy to use, managing a long security policy would be tedious because of the inability to reuse rules across zones. For example, if you wanted to put the same rule in 20 different zones, you must enter it 20 times. Worse, if you wanted to change it, you must change it 20 times.

We tested the PRO 1260 by putting it in front of 16 production servers, which creates 16 zones and 16 security policies. SonicWall keeps the vendor-specific jargon during setup to a minimum, which made the PRO 1260 easy to configure and use.

We discovered immediately, though, that the PRO 1260 is not a high-performance system. Initially, we turned on everything, including antivirus and intrusion prevention, and found that the PRO 1260 cannot keep up with a heavy load with all its features enabled. In discussing these preliminary results with SonicWall, engineers explained that the PRO 1260's target is a moderate-bandwidth environment, such as a 3Mbps cable modem or dual-T1 network. This contrasts with the 90Mbps throughput figure published on the company's site.

One important performance consideration for the PRO 1260 is that system limits apply to all traffic that crosses zones. Thus, if you wanted to perform high-speed backups between zones, for example, you would find the speed of the PRO 1260 limiting internal traffic. We also tested the PRO 1260 as a pure switch by putting two ports in one zone and not applying any security policy. In this case, we had no performance limitations and the firewall handled a load of almost 100Mbps without problems.

Another significant feature in the PRO 1260 is bandwidth limiting. Configured on a per-port basis, this can be used to spread traffic loads out. We found that the feature worked well as long as the offered load and the desired load weren't too far apart in terms of speed.

We tested this feature by setting four ports to max out at 512Kbps each, which should have limited total load to 2Mbps. In the range between 2Mbps and 4Mbps offered load, the SonicWall held actual bandwidth to 2Mbps. However, once we tried to push more than 4Mbps of traffic through the box, the bandwidth-limiting feature didn't function correctly, letting much more than 2Mbps through the firewall.
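The shaper test above is easy to reproduce against any device if you know what correct enforcement looks like. The following simulation is an added example, not SonicWall's code and not a description of how SonicOS implements its limiter: it models four per-port policers of 512Kbps with the textbook token-bucket algorithm (an assumption about the mechanism, chosen only because it is the common one), feeds them the same offered loads the review used, and reports the aggregate that gets through. A correct limiter holds the aggregate at 2Mbps regardless of how much is offered; the result the review observed above 4Mbps offered load is exactly what this check is designed to flag. Packet size, burst depth and run length are constructed values.

```python
"""Token-bucket shaper simulation for checking per-port bandwidth limits.

Added example (not SonicWall code). Four ports, each capped at 512 kbit/s,
are offered increasing aggregate loads; a correct limiter delivers no more
than 4 x 512 kbit/s = 2 Mbit/s no matter what is offered.
"""

PORTS = 4
PORT_CAP_BPS = 512_000           # per-port limit from the review's test
AGGREGATE_CAP_BPS = PORTS * PORT_CAP_BPS  # 2 Mbit/s
PKT_BITS = 1500 * 8              # constructed: full-size Ethernet frame
RUN_SECONDS = 10.0               # constructed: length of each simulated run


class TokenBucket:
    """Policer: refill at rate_bps, pass a packet only if tokens cover it."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits  # bucket starts full

    def offer(self, bits, elapsed_s):
        # Refill for the time since the last packet, capped at the burst depth.
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * elapsed_s)
        if bits <= self.tokens:
            self.tokens -= bits
            return bits        # packet passes
        return 0.0             # packet dropped (no partial packets)


def run_port(offered_bps, cap_bps=PORT_CAP_BPS, duration_s=RUN_SECONDS):
    """Offer a constant packet stream to one policed port; return delivered bps."""
    bucket = TokenBucket(cap_bps, burst_bits=2 * PKT_BITS)
    interval = PKT_BITS / offered_bps   # inter-packet gap for this offered load
    t, last_t, delivered_bits = 0.0, 0.0, 0.0
    while t < duration_s:
        delivered_bits += bucket.offer(PKT_BITS, t - last_t)
        last_t = t
        t += interval
    return delivered_bits / duration_s


def sweep(offered_aggregate_bps_list):
    """Spread each aggregate offered load evenly over PORTS ports.

    Returns {offered_aggregate_bps: delivered_aggregate_bps}.
    """
    results = {}
    for offered in offered_aggregate_bps_list:
        per_port = offered / PORTS
        results[offered] = sum(run_port(per_port) for _ in range(PORTS))
    return results


def enforcement_ok(delivered_bps, cap_bps=AGGREGATE_CAP_BPS, tolerance=0.05):
    """True if delivered traffic stays within tolerance of the configured cap.

    Anything materially above the cap means the limiter is leaking, which is
    the failure mode the review reported above 4 Mbit/s offered load.
    """
    return delivered_bps <= cap_bps * (1 + tolerance)


if __name__ == "__main__":
    # Same range the review pushed through the box: 1, 2, 4, 8, 16 Mbit/s.
    for offered, delivered in sweep([1e6, 2e6, 4e6, 8e6, 16e6]).items():
        verdict = "ok" if enforcement_ok(delivered) else "LEAKING"
        print(f"offered {offered/1e6:5.1f} Mbit/s -> delivered "
              f"{delivered/1e6:5.2f} Mbit/s  [{verdict}]")
```

To turn this into a real check, replace `run_port` with a measurement taken from the test generator (offered rate) and a counter on the far side of the device (delivered rate), and keep `enforcement_ok` as the pass/fail criterion; a device that is only accurate while the offered load sits near the cap will fail it at the higher loads just as the PRO 1260 did.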

SonicWall's PRO 1260 is a huge step forward in high-port-density firewalls. For about $US100 per port, SonicWall can add excellent security management to large numbers of devices. For networks with moderate-speed Internet connections and inter-zone traffic, the PRO 1260 is an inexpensive way to add fine security granularity in a variety of environments.

How we did it

We installed the PRO 1260 Enhanced running v3.0 Enhanced SonicOS in our lab network in front of 16 production Web servers to check security functionality and configurability. After running without incident for several days, we moved the PRO 1260 Enhanced onto our test bench for performance tests.

On the test bench, we used Spirent Communications' WebAvalanche and WebReflector to generate HTTP traffic and push it through the PRO 1260. To measure throughput capacity, we created a profile of HTTP transactions ranging in size from 2.2Kbits to 1300Kbits. This profile was chosen to approximate the observed HTTP traffic on a production Web farm.

We connected four of the ports on the PRO 1260 to the Spirent systems and used this profile. We gradually increased the number of connections per second until the HTTP response time added by the PRO 1260 Enhanced went above 200ms, which we consider an upper-limit for latency added by an Internet firewall. We also used the PRO 1260 monitoring tools to watch CPU load. As response times hit and went through the 200ms limit, the CPU load was in the high 90 per cent range, indicating that the PRO 1260 was overloaded.

When we enabled antivirus scanning, we used the standard settings for the PRO 1260. Because we were sending only HTTP traffic through the box, most of these settings should not have affected system performance.

When we enabled the intrusion-prevention system (IPS), we set the PRO 1260 to detect and block high-priority events.

For the bandwidth-limiting test, we configured four input and four output ports on the PRO 1260. We turned off antivirus and IPS scanning, and enabled bandwidth limiting on traffic coming from the simulated HTTP servers to an aggregate of 2Mbps. We then measured traffic from the simulated servers to see how well the bandwidth was limited. We also ran a test without any bandwidth limiting to compare bandwidth usage when no limits were enabled.

Local information

The product is distributed in Australia by ACA Pacific, Dovetail and Lan 1.

RRP: Pricing starts at $2018.
