When we tested four next-gen firewalls strictly on performance, we found that the products could forward packets at impressive rates, but throughput dropped when advanced security features were turned on. We now dive deep into application identification and control - the defining features of next-gen firewalls - to find out what works and what doesn't.
Knowing what's happening on your network is a prerequisite to controlling the traffic. We call that visibility because it combines everything the firewall knows, including session and application information, traffic volumes, and rate information, into a way to "see" into your network.
Enterprise firewalls must have policies to control traffic, the ability to create site-to-site VPNs using standards-based IPsec, the ability to translate addresses and port numbers (NAT) when needed, and basic bandwidth management for traffic. They must also support features such as high availability (active/passive or active/active), virtual LANs, Ethernet link aggregation, and global management systems.
URL filtering has become a "checkbox" feature on most Unified Threat Management firewalls, and no wonder: it doesn't require a lot of imagination to do it right, and it's hard to really differentiate yourself or do a bad job of it.
We tested next-generation firewalls by looking at seven separate areas that we felt would be important to network managers trying to deploy these products in enterprise networks.
Palo Alto Networks has bet everything on being a next-generation firewall. Without the next-generation hook, Palo Alto has little chance at breaking into the established world of firewalls, and they've done a good job at defining the category on their own terms.
If one of the main advantages of a next-generation firewall is application and protocol identification and control, then SSL decryption is a basic requirement. We looked at the SSL decryption capabilities of the next-generation firewalls to see how well they would be able to discover applications, protocols, and URLs hidden within encrypted connections.
We tested the intrusion prevention capabilities of each of the next-generation firewalls to determine how well they work and how the IPS integrates with system management.
If you're tempted to think of Cisco's Unified Computing System (UCS) as just another blade server — don't. In fact, if you just want a bunch of blades for your computer room, don't call Cisco — Dell, HP, and IBM all offer simpler and more cost-effective options.
As with any server product, there are lots of ways to configure UCS, including different levels of CPU, memory and storage. Cisco has a 29-page document to help you get it right, and 29 pages are not overkill. To get an idea of what this might cost, we configured two separate systems: one with 40 dual-socket blades, and another with 80 of the same blades.
Twelve leading NAC products put to the test
As the most important supplier of network infrastructure to enterprises, Cisco's NAC products are a natural point of curiosity for network managers. Unfortunately, though, Cisco's approach to NAC has been riddled with in-fighting, false starts, delayed product releases, and a good dose of chaos and confusion.
Web-based applications and products like Apple's iTunes have made it easy to turn a laptop or a desktop into a music player. At the same time, thousands of radio stations are re-broadcasting their audio over the Internet to anyone who wants to listen. But what if you want to listen to, say, modern jazz from Mali or pop from Paris without dragging around a laptop? Enter the Internet radio: an appliance that looks like a radio and has an antenna -- but connects over Wi-Fi to the Internet, and streams audio to speakers.
While Web-based music offerings from Apple (iTunes) and others have made it easy to turn a laptop or desktop into a music player, what if you want to listen without dragging around your PC? Enter the stand-alone Internet radio, which looks like a radio and has an antenna, but connects via Wi-Fi to the Internet and streams audio to speakers. We recently tried out five such devices. Check the slides to see what we thought.
Most network equipment vendors are ready to up the ante in terms of how their gear can control access in a NAC deployment.