But VPN functionality isn't so hot when products face off

Facing ever-increasing network threats, businesses of all sizes are demanding more security features from their firewalls, such as security policy management, IDP (intrusion detection and prevention), and VPN capabilities. Consequently, firewall manufacturers are rising to the challenge and cramming more and more security functionality into their products.

In our continuing quest to see how firewalls are stacking up, we tested another group of devices. This round included two higher-priced firewalls, the Fortinet FortiGate-500 and WatchGuard's Vclass V80, as well as the SonicWall Pro 330, an Internet security appliance.

To assess just how capable these souped-up firewalls are, I emulated a multi-protocol network, then launched a range of attacks against the boxes, including Syn, Smurf, Reset, and ARP (Address Resolution Protocol) floods, first separately, then simultaneously. Additionally, I challenged the boxes to meet their stated VPN support figures, testing for VPN tunnel support and data performance metrics.

The good news is that these contenders stood up nicely, with few exceptions, to my attack tests. The FortiGate-500 wasn't fazed by any of them, and the V80 wasn't fazed by any but the Syn. The Pro 330, considered the least muscular of all the entries, actually provided strong defense against all attacks except the ARP flood, which isn't that common an attack.

The not-so-good news, depending on your needs, is that deploying VPN functionality with these firewalls is not reasonably easy, not even with the SonicWall, which the company deems an appliance. The Pro 330 supported close to its marketing claim of 1,000 tunnels, so it has limited capability for VPN support, but it doesn't ship with the required software and provides support only to other SonicWall devices.

The FortiGate-500 and V80 are quite robust and do support tunneling to other firewalls; tunnels can be built individually, or multiples can be constructed using a script. However, there is no way of quickly cloning them.

Fortinet FortiGate-500

This high-end enterprise box falls just below the company's large enterprise and service provider offerings. It runs on an ASIC-based 1GB Pentium 4 processor, which gives it plenty of processing power compared to the less robust SonicWall box.

The FortiGate-500 is easy to set up, either through the Web-based GUI or command line prompts. The management GUI is easy on the eyes and intuitive, with sections such as System, Firewall, User, VPN, NIDS, Anti-Virus, E-mail and Web Filters, as well as Logs and Reports, all easy to select through a left-frame menu. There's no full-blown spam filtering, but it does filter keywords. Log capabilities are fairly granular, and notification options give you five levels of importance, from emergency to informational.

The FortiGate-500 left the other contenders in the dust when it came to delivering rock-solid firewall beef. In the lab, none of the attacks or combination attacks fazed it. It supported 2,400 multi-protocol connections per second and held on to 422,000 sustained connections. I did find that the device began dropping larger numbers of connections intermittently after hitting the 260,000 mark.

To test the FortiGate-500's VPN muscle, I reconfigured the box to NAT/Route mode. Fortinet provided me with a configuration file that took its staff a couple of hours to build and set up on the firewall, because the FortiGate-500 doesn't have a means to automatically clone tunnels. The config worked like a charm from the get-go with a 10-tunnel test and supported data passage through as many as 1,023 tunnels. I could run single-tunnel tests on any of the tunnels and build tunnels in the 2,000-tunnel range. For some reason, the version of firmware I tested wouldn't support more than 1,023 simultaneously established tunnels. It delivered 25.2Mbps bi-directional tunnel throughput, which didn't stand up next to the V80's numbers but was significantly more muscular than the Pro 330's.

SonicWall Pro 330

The Pro 330 provided the best bang for the buck in this roundup. It uses a customized version of the VxWorks OS and is set up via a Web-based GUI. Its management interface is as utilitarian as its form factor, which has no extra ports, and is sufficient to get the job done in a pretty straightforward manner. Configuration proved somewhat convoluted: I needed to specify IP address ranges attached to the WAN link or designate a gateway through which to route traffic.

When it came time to deliver data, the SonicWall, running on the somewhat limiting PDA-size StrongARM 233MHz processor, turned in a maximum of 340 connections per second, with the total number of persistent connections hitting the 96,000 mark. It wouldn't handle the larger loads and didn't ramp as well with mixed-protocol data as the other two firewalls. However, it did a decent job of withstanding my attacks, with the exception of a 28.4 percent unsuccessful transaction rate on the ARP attack.

The Pro 330 built and passed data through 843 tunnels, almost meeting the FortiGate-500 figure, but its data throughput was limited to 5.5Mbps. It began dropping tunnels when it got to 843 and logged a "Payload Malformed" error message in TeraVPN. The throughput test showed a small number of CRC (cyclic redundancy check) errors as well as some tunnel fragmentation.

WatchGuard Vclass V80

The V80's initial setup can be handled either through WatchGuard's Vcontroller software, via a port 443 SSL connection to the box, or from Cisco-like command line prompts.
Changes are made directly to the CPU and updated to the database, so the V80 doesn't require reboots unless the modifications cause an interface change. Vcontroller's six-step setup wizard is self-explanatory and simple to move through, yet it does not compromise potential customization. Some important capabilities include enabling DHCP (Dynamic Host Configuration Protocol) on the private side and sending out e-mail alerts based on designated alarm conditions.

The V80's default policy allows no traffic in. You can configure settings within the nifty Hacker Prevention screen using a setup wizard, making it possible to catch an attack that slips past the logic built into the ASIC chip. I was able to set packet-per-second thresholds for several common nasties such as ICMP (Internet Control Message Protocol), Syn, UDP (User Datagram Protocol), POD (point of demarcation) and IP source route attacks. Additionally, the V80 allows you to look at all the servers on your network, choose the weakest, and set parameters to that one. These customizable settings make this a very flexible, scalable product. The GUI is split into three parts: activities, policy, and administration sections.

WatchGuard acquired RapidStream in April 2002, and as part of the product merger process, RapidStream's RSSA (RapidStream Security Appliance) series morphed into the Vclass series. Hardware architecture remains the same, but there have been software upgrades. WatchGuard's most recent software release includes application-layer inspection for HTTP and SMTP, BGP (Border Gateway Protocol) routing support, DHCP relay, and WAN fail-over.

The V80 supported a respectable 1,150 connections per second, sustained 125,960 persistent connections, and was unaffected by any of the attacks I tossed at it.
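As an added example (not WatchGuard's code), here is the kind of per-protocol packet-per-second threshold check the Hacker Prevention screen described above exposes, run over a constructed packet stream; the thresholds and packet records are sample values, and the simultaneous() helper models the combined attack run in which all floods arrive at once.

```python
# Added example (not WatchGuard code): a per-protocol packet-per-second
# threshold check of the kind the V80's Hacker Prevention screen exposes,
# run over a constructed packet stream. Thresholds are sample values.
from collections import defaultdict, deque

# Sample packets-per-second limits (constructed, not vendor defaults).
THRESHOLDS_PPS = {"syn": 500, "icmp": 200, "udp": 1000, "arp": 300}

# Constructed packet records: (timestamp in seconds, protocol, source IP).
# Three bursts run one after another, as in the "separate" attack runs.
SAMPLE_PACKETS = (
    [(i * 0.001, "syn", "10.0.0.%d" % (i % 50)) for i in range(800)]   # 800 Syn in 0.8 s
    + [(1.0 + i * 0.01, "icmp", "10.0.0.9") for i in range(50)]        # 50 ICMP in 0.5 s
    + [(2.0 + i * 0.002, "arp", "10.0.0.7") for i in range(400)]       # 400 ARP in 0.8 s
)

def simultaneous(packets):
    """Shift every burst onto the same first second, modelling the
    combined run in which all floods are launched at once."""
    return [(ts - int(ts), proto, src) for ts, proto, src in packets]

def detect_floods(packets, thresholds=THRESHOLDS_PPS, window=1.0):
    """Sliding-window rate check. Returns {protocol: (first_alert_ts, count)}
    for each protocol whose packet count inside any `window` seconds exceeds
    its threshold; the alert is raised once, at the packet that crosses it."""
    recent = defaultdict(deque)   # protocol -> timestamps still inside window
    alerts = {}
    for ts, proto, _src in sorted(packets):
        limit = thresholds.get(proto)
        if limit is None:          # no threshold configured: not counted
            continue
        q = recent[proto]
        q.append(ts)
        while q[0] <= ts - window: # drop timestamps that left the window
            q.popleft()
        if len(q) > limit and proto not in alerts:
            alerts[proto] = (ts, len(q))
    return alerts

if __name__ == "__main__":
    print("separate runs:", detect_floods(SAMPLE_PACKETS))
    print("simultaneous: ", detect_floods(simultaneous(SAMPLE_PACKETS)))
```

Because each protocol is counted independently, the same two alerts (Syn and ARP over threshold, ICMP under it) fire whether the bursts arrive one after another or all in the same second.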
I did notice, however, that the latency through the box increased every minute, then returned to the previous level, almost as if a timer went off or some internal event was occurring.

Its VPN capabilities proved the most powerful of the group, supporting data passage through 7,968 tunnels and providing a 63Mbps bi-directional data performance figure. The version of firmware I tested doesn't support AES (Advanced Encryption Standard) encryption or Group 5. It builds tunnels at a maximum rate of two per second, which also happens to be its tear-down rate, so I improvised, configuring it for 3DES encryption and Group 2 instead.

The V80 and FortiGate-500 proved they are in the same solution and cost class, although with slightly different strengths. If firewall muscle is of primary importance, the FortiGate-500 is the clear choice. If you're more in need of VPN capability, the WatchGuard is the ticket. Both were impervious to the range of attacks we slung at them. The Pro 330 is the least powerful of the group, but it costs only one third the price of the other two and would be suitable for most midsize businesses.

InfoWorld Scorecard (category weights in parentheses; Overall Score is the weighted total)

Product                              Setup (15%)  Value (10%)  Ease of use (15%)  Scalability (15%)  Management (20%)  Security (25%)  Overall Score (100%)
WatchGuard Technologies Firebox V80  8.0          9.0          7.0                9.0                8.0               8.0             8.1
SonicWall Pro330                     7.0          8.0          8.0                5.0                6.0               7.0             6.8
Fortinet FortiGate FG500             8.0          8.0          8.0                8.0                8.0               9.0             8.3