If it were on public display, this portion of our Firewall Blowout would be the geek equivalent of the Chicago Auto Show. Our Chicago Neohapsis partner labs focused on the muscle cars: enterprise-class, gigabit-capable network firewall appliances and turnkey systems that support high-availability stateful failover, VPNs and centralized management as well as DI (deep inspection), which we define as having the ability not only to perform stateful packet filtering, but also to inspect packet payloads higher up the OSI model using specific attack signatures and Layer 7 protocol engines.

Historically, firewalls have been assigned blue-collar access-control duties while IDSs (intrusion-detection systems) take on the sexier task of inspecting data traffic for signs of attack or anomalous packets. But over the past couple of years we've seen rebuilds in the firewall space reminiscent of old rods being retrofit with superchargers and nitrous oxide. Gone are the days of sedate firewall packet filters; now only the fast and the furious can compete. The streets are owned by smart firewall appliances at various metamorphic stages of incorporating intrusion-detection and intrusion-prevention functionality.

When we set out to investigate the pros and cons of buying the latest and greatest firewall muscle, our scenario was deceptively simple: We built a three-tiered architecture with an Internet, a DMZ and an internal network. Because we were simulating an enterprise setting, we asked vendors to send redundant hardware. We tested VPN throughput with two identical firewalls in a site-to-site gateway configuration. All other testing was performed in high-availability mode with dual firewalls in active-passive configuration. We specified 500-Mbps throughput and the ability to manage and perform under 50, 250 and 500 firewall rules.

The link for this article located at Security Pipeline is no longer available.