Network World
Palo Alto's performance holds steady as security measures increase

By Joel Snyder , Network World , 10/06/2008

In August, we tested Palo Alto Networks' PA-4020, the first fully application-aware firewall to be commercially marketed. When we attempted to test performance on the PA-4020 we ran into a hitch: Palo Alto's application identification logic discovered that we were using Spirent test tools.

While this was an interesting validation of their application identification logic, it came with a downside. Palo Alto uses the same tools, and as part of its internal test procedures, company engineers had disabled security inspection for the "Spirent" application — with no way to turn it back on.

Palo Alto has since updated its firmware to allow for security inspection of traffic generated by the test gear. We tested the PA-4020 using a heavy load of HTTP traffic to see how it would behave.

The PA-4020 has a specified performance of 2Gbps of threat protection throughput. Our results show performance about 20% lower than Palo Alto's specifications for the intensive all-HTTP testing we conducted on the PA-4020.

We also found that no matter which security features we enabled or disabled, the PA-4020 turned in the same performance: approximately 1.627Gbps of throughput. This held for intrusion prevention (IPS), antivirus and content filtering, each tested both enabled and disabled, all on top of basic firewall and network address translation. This behavior is quite different from what we saw in all other UTM tests we've conducted recently, where performance varied based on which services were enabled. For example, when we tested SonicWall's e7500 last April, it was faster (1.9Gbps) with only IPS enabled, about the same (1.6Gbps) with A/V enabled, and slower (1.3Gbps) with all security services enabled.

We contacted Palo Alto to ask why performance was the same whether security features were enabled or not, and were told that this is a side effect of how its application identification code works. According to a Palo Alto representative, because an HTTP application can "change types" in the middle of a single TCP connection, all security features on the PA-4020 are running at all times on HTTP applications. For example, a TCP connection that starts out as standard HTTP on a non-standard port might need to be re-classified as webmail once the server responds and the PA-4020 can see more of the traffic. Because the policies for each application can be different, the security inspection logic for the PA-4020 is engaged at all times on HTTP traffic. For capacity planning, this means that turning individual threat features off buys back no HTTP throughput on the PA-4020.
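The reclassification problem described above, as an added example that is not Palo Alto's code: a small Python simulation of a per-flow classifier that first labels a TCP connection as plain HTTP on a non-standard port, then re-labels it as webmail once the server's response reveals more. It runs the same flow through two strategies, inspecting only when the current application's policy asks for IPS versus inspecting everything, and reports which bytes each strategy left uninspected. The per-application policies, the three segments and the "X-Webmail-Session" header used as a signature are all constructed for this example; none of them come from the page or from the product.

```python
"""Why always-on inspection follows from mid-flow app reclassification.

Added example, not Palo Alto's code. Policies, segments and the
"X-Webmail-Session" signature are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed per-application policy: which threat features each app gets.
# Real PA-4020 policy content is not on the page.
POLICY = {
    "unknown":      {"ips": True},
    "web-browsing": {"ips": False},   # admin switched IPS off for plain HTTP
    "webmail":      {"ips": True},    # but wants it on for webmail
}

# Constructed flow: HTTP on a non-standard port (8080) that turns out to be
# webmail once the server answers. Direction is "c2s" or "s2c".
SEGMENTS = [
    ("c2s", b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test:8080\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"X-Webmail-Session: 7f3a\r\n\r\n<html>inbox</html>"),
    ("c2s", b"POST /mail/send HTTP/1.1\r\nHost: mail.example.test:8080\r\n"
            b"Content-Length: 5\r\n\r\nhello"),
]


@dataclass
class Flow:
    app: str = "unknown"
    bytes_seen: int = 0
    bytes_inspected: int = 0
    skipped: list = field(default_factory=list)   # indexes of uninspected segments


def classify(flow: Flow, direction: str, payload: bytes) -> str:
    """Update flow.app from one segment. The signatures are hypothetical."""
    if direction == "c2s" and flow.app == "unknown" and \
            (payload.startswith(b"GET ") or payload.startswith(b"POST ")):
        flow.app = "web-browsing"           # looks like plain HTTP so far
    if direction == "s2c" and b"X-Webmail-Session:" in payload:
        flow.app = "webmail"                # server response says otherwise
    return flow.app


def process_flow(segments, always_inspect: bool) -> Flow:
    """Run the flow through the classifier, inspecting per the chosen strategy.

    always_inspect=False: inspect a segment only if the *current* app's policy
    asks for IPS (per-feature on/off, as on a conventional UTM box).
    always_inspect=True:  inspect every segment regardless (the behaviour the
    article describes for HTTP on the PA-4020).
    """
    flow = Flow()
    for i, (direction, payload) in enumerate(segments):
        app = classify(flow, direction, payload)
        flow.bytes_seen += len(payload)
        if always_inspect or POLICY[app]["ips"]:
            flow.bytes_inspected += len(payload)   # the IPS engine would run here
        else:
            flow.skipped.append(i)
    return flow


def has_coverage_gap(flow: Flow) -> bool:
    """True if the flow's final app wants IPS but some of its bytes were never inspected."""
    return POLICY[flow.app]["ips"] and flow.bytes_inspected < flow.bytes_seen


if __name__ == "__main__":
    for mode in (False, True):
        f = process_flow(SEGMENTS, always_inspect=mode)
        print(f"always_inspect={mode}: final app={f.app}, "
              f"inspected {f.bytes_inspected}/{f.bytes_seen} bytes, "
              f"skipped segments={f.skipped}, gap={has_coverage_gap(f)}")
```

With per-feature skipping, the client's first request is classified as web-browsing, whose policy has IPS off, so it is never inspected; by the time the server's reply re-labels the flow as webmail, those bytes are gone. Inspecting every HTTP segment closes that gap, and its price is the flat throughput the tests above measured regardless of which features were switched off.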

Comments (2)

Policies for different protocols might be different
By Joel Snyder on October 7, 2008, 12:19 am
There are a lot of UTM firewalls out there (in fact, most of the firewalls on the market out there are UTM firewalls) that don't have the A/V, IPS, or content filtering...


So I am stumped.
By Anonymous on October 6, 2008, 3:51 pm
Who buys a security product only to turn off the security?
