By Joel Snyder
Network World, 04/04/05
SonicWall's new PRO 1260 Enhanced gear combines the brains of its popular TZ-series firewalls with the body of a 25-port managed 10/100M bit/sec switch.
Because the PRO 1260 - released last week - runs an enhanced version of SonicOS software, each port on the firewall can be configured as its own security zone. You can set up an individual firewall for every system in the company's Internet DMZ. This keeps the DMZ from turning into a free-for-all if any one system behind the firewall is cracked, because inter-system traffic can be fully controlled.
In our exclusive Clear Choice test, we found the PRO 1260 lives up to its flexibility promise. However, performance issues indicate this firewall might not be the right fit for inter-LAN traffic or Internet connections faster than 3M to 5M bit/sec.
The PRO 1260 offers the features you expect from an all-in-one firewall, including IPSec VPN, firewall-based anti-virus and content filtering, and in-line intrusion-detection and -prevention capabilities. SonicWall also has included e-mail filtering that can block certain types of attachments. Add to these optional features the traditional stateful packet filtering firewall and network address translation (NAT) capabilities, and you have a complete small and midsize business firewall package.
While other firewall vendors have commonly built small Ethernet switches into their products, SonicWall provides the capability to treat each port as a separate security zone with its own security policy, NAT rules and even bandwidth management allotments. Because there are 27 ports all told - 24 for the individualized zones, one for an up-link and two dedicated for optional WAN and DMZ usages - that's a lot of control and flexibility.
The PRO 1260 uses a Web-based administrative GUI (although a command-line interface exists via the serial port). SonicWall has taken great pains to make the set of firewall rules viewable (and editable) in any one of three formats - a zone-by-zone grid; a list picked by zone; or just a long list of all rules.
Although we found the GUI easy to use, managing a long security policy would be tedious because of the inability to reuse rules across zones. For example, if you want to put the same rule in 20 different zones, you must enter it 20 times. Worse, if you want to change it, you must change it 20 times.
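To make the per-port-zone design concrete, here is a small model of zone-to-zone policy evaluation. It is an added example, not SonicOS code or SonicWall's rule format: the Rule fields, the zone names and the helper functions are assumptions. It shows two things the text describes: a compromised DMZ host in its own zone cannot reach its neighbours because cross-zone traffic with no matching rule is dropped, while hosts sharing one zone are simply switched; and the cost of no rule reuse, since a 16-zone policy with one WAN-inbound and one WAN-outbound rule per zone is already 32 entries.

```python
"""Zone-to-zone policy model for a per-port-zone firewall.

Added illustration, not SonicOS code or SonicWall's rule format: the Rule
fields, zone names and helper functions are assumptions chosen to show (1)
why one zone per DMZ host contains a compromised host, and (2) what the
lack of rule reuse across zones costs when a policy is maintained.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone name or "any"
    dst_zone: str           # zone name or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, None = any port
    action: str             # "allow" or "deny"


def expand_rule(template: Rule, field: str, zones: list) -> list:
    """Stamp one template rule across many zones: the enter-it-20-times
    work the article describes, done by script instead of by hand."""
    return [replace(template, **{field: z}) for z in zones]


def evaluate(rules, src_zone, dst_zone, proto, dport) -> str:
    """First matching rule wins; cross-zone traffic with no match is dropped.
    Traffic inside one zone is switched, not policed (the pure-switch case)."""
    if src_zone == dst_zone:
        return "allow"
    for r in rules:
        if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                and r.proto in (proto, "any") and r.dport in (dport, None)):
            return r.action
    return "deny"


def zone_grid(rules, zones) -> dict:
    """The zone-by-zone view: how many rules govern each (source, destination) pair."""
    return {(s, d): sum(1 for r in rules if r.src_zone == s and r.dst_zone == d)
            for s, d in product(zones, repeat=2)}


# --- constructed policy for 16 DMZ servers, one zone per switch port ---
DMZ_ZONES = [f"DMZ-{n:02d}" for n in range(1, 17)]
ZONES = ["WAN"] + DMZ_ZONES

POLICY = (
    # Internet may reach each server on HTTPS only: one rule per zone.
    expand_rule(Rule("WAN", "_", "tcp", 443, "allow"), "dst_zone", DMZ_ZONES)
    # Each server may reach the Internet: again one rule per zone.
    + expand_rule(Rule("_", "WAN", "any", None, "allow"), "src_zone", DMZ_ZONES)
)
# Note what is absent: no rule permits DMZ-x -> DMZ-y, so the default deny applies.


def containment_report() -> dict:
    """Decisions for the flows that matter once DMZ-03 has been compromised."""
    return {
        "wan->dmz03:443": evaluate(POLICY, "WAN", "DMZ-03", "tcp", 443),
        "wan->dmz03:22": evaluate(POLICY, "WAN", "DMZ-03", "tcp", 22),
        "dmz03->dmz04:22": evaluate(POLICY, "DMZ-03", "DMZ-04", "tcp", 22),
        "dmz03->wan:80": evaluate(POLICY, "DMZ-03", "WAN", "tcp", 80),
        # The alternative design: all servers share one "DMZ" zone, so lateral
        # traffic is switched with no policy check at all.
        "shared-dmz-lateral": evaluate(POLICY, "DMZ", "DMZ", "tcp", 22),
    }


if __name__ == "__main__":
    for flow, verdict in containment_report().items():
        print(f"{flow:20s} {verdict}")
    grid = zone_grid(POLICY, ZONES)
    print("rules in policy:", len(POLICY))
    print("WAN->DMZ-03 rules:", grid[("WAN", "DMZ-03")])
    print("DMZ-03->DMZ-04 rules:", grid[("DMZ-03", "DMZ-04")])
```

The `zone_grid` view is the same information as the flat list, just indexed by zone pair, which is why the three GUI formats the review mentions can coexist over one rule set; the model also makes plain that the lateral DMZ-03 to DMZ-04 cell is empty on purpose.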
We tested the PRO 1260 by putting it in front of 16 production servers, which creates 16 zones and 16 security policies (see "How we did it"). SonicWall keeps the vendor-specific jargon during setup to a minimum, which made it easy to configure and use the PRO 1260.
We discovered immediately, though, that the PRO 1260 is not a high-performance system. Initially, we turned on everything, including anti-virus and intrusion prevention. We found that the PRO 1260 cannot keep up with a heavy load with all its features enabled (see graphic, above). In discussing these preliminary results with SonicWall, engineers explained the PRO 1260's target is a moderate-bandwidth environment, such as a 3M bit/sec cable modem or dual-T1 network. This contrasts with the published performance rate of 90M bit/sec on the company's site.
One important performance consideration for the PRO 1260 is that system limits apply to all traffic that crosses zones. Thus, if you wanted to perform high-speed backups between zones, for example, you would find the speed of the PRO 1260 limiting internal traffic.
We also tested the PRO 1260 as a pure switch by putting two ports in one zone and not applying any security policy. In this case, we had no performance limitations, and the firewall handled our nearly 100M bit/sec load without problems.
Another significant feature in the PRO 1260 is bandwidth limiting. Configured on a per-port basis, this can be used to spread traffic loads out. We found that the feature worked well as long as the offered load and the desired load weren't too far apart in terms of speed (see graphic).
We tested this feature by setting four ports to max out at 512K bit/sec each, which should have limited total load to 2M bit/sec. In the range between 2M and 4M bit/sec offered load, the SonicWall held actual bandwidth to 2M bit/sec. However, once we tried to push more than 4M bit/sec of traffic through the box, the bandwidth-limiting feature didn't function correctly, letting much more than 2M bit/sec through the firewall.
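The bandwidth test above boils down to one expectation: a per-port limiter must hold the aggregate at the cap no matter how far the offered load exceeds it. The following added example (not SonicOS code, and not a statement of how the PRO 1260 implements limiting) models each limited port as a token bucket, drives it with offered loads on both sides of the 4M bit/sec boundary, and applies the pass/fail rule a tester would use on measured results. The token-bucket parameters, packet size, burst depth and the sample observations are assumptions; the 512K bit/sec per-port cap and 2M bit/sec aggregate come from the test described.

```python
"""Per-port bandwidth limiting as a token bucket, with the check that decides
whether a measured throughput honours the configured cap.

Added illustration, not SonicOS code: the token-bucket model, packet size,
burst depth and the sample observations are assumptions. The 512K bit/sec
per-port cap, the 2M bit/sec aggregate and the 2M-4M bit/sec offered-load
band come from the test described in the review.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bps: float      # sustained rate the port may forward
    burst_bits: float    # bucket depth: bounds how far a short burst may exceed rate_bps
    tokens: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits   # bucket starts full

    def refill(self, dt_s: float) -> None:
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * dt_s)

    def admit(self, bits: int) -> bool:
        """Forward the packet only if enough tokens exist; otherwise drop it."""
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def simulate(offered_bps: float, ports: int = 4, cap_bps: float = 512_000,
             pkt_bits: int = 1500 * 8, seconds: float = 10.0,
             tick_s: float = 0.001) -> float:
    """Spread `offered_bps` evenly over `ports` capped ports and return the
    aggregate forwarded rate in bit/s. A correct limiter keeps the result
    near ports * cap_bps however large the offered load becomes."""
    buckets = [TokenBucket(cap_bps, burst_bits=cap_bps * 0.1) for _ in range(ports)]
    backlog = [0.0] * ports              # offered bits waiting to form a whole packet
    per_port_tick_bits = offered_bps / ports * tick_s
    forwarded = 0
    for _ in range(int(seconds / tick_s)):
        for i, bucket in enumerate(buckets):
            bucket.refill(tick_s)
            backlog[i] += per_port_tick_bits
            while backlog[i] >= pkt_bits:
                backlog[i] -= pkt_bits
                if bucket.admit(pkt_bits):
                    forwarded += pkt_bits
    return forwarded / seconds


def cap_honoured(measured_bps: float, cap_bps: float, tolerance: float = 0.05) -> bool:
    """Pass/fail rule for one measurement: a small allowance covers burst
    depth and counter granularity; anything beyond it is a limiter failure."""
    return measured_bps <= cap_bps * (1 + tolerance)


AGGREGATE_CAP = 4 * 512_000   # four ports at 512K bit/sec = 2M bit/sec

# Constructed observations in the shape of the review's result: held at the
# cap inside the 2M-4M bit/sec band, broken above it. The 6M bit/sec row is a
# made-up figure, not a measurement from the review.
OBSERVED = {2_000_000: 2_000_000, 3_000_000: 2_000_000, 4_000_000: 2_000_000,
            6_000_000: 3_500_000}


def verdicts(observed=OBSERVED, cap_bps=AGGREGATE_CAP) -> dict:
    """Map each offered load to whether the measured rate stayed under the cap."""
    return {offered: cap_honoured(got, cap_bps) for offered, got in observed.items()}


if __name__ == "__main__":
    for offered in (2e6, 4e6, 8e6):
        print(f"model: offered {offered / 1e6:.0f}M -> forwarded "
              f"{simulate(offered) / 1e6:.2f}M bit/s")
    for offered, ok in verdicts().items():
        print(f"observed: offered {offered / 1e6:.0f}M -> {'holds' if ok else 'FAILS'}")
```

The model run shows what "worked correctly" looks like: 8M bit/sec offered still yields roughly 2M bit/sec forwarded, with the small excess explained entirely by the burst depth. A measurement that lands well above `cap_honoured`'s allowance, as the constructed 6M bit/sec row does, is the limiter failing, not measurement noise, and that is the distinction to check for before relying on per-port limiting to protect a shared uplink.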
SonicWall's PRO 1260 is a huge step forward in high-port-density firewalls. For about $100 per port, SonicWall can add excellent security management to large numbers of devices. For networks with moderate-speed Internet connections and inter-zone traffic, the PRO 1260 is an inexpensive way to add fine security granularity in a variety of environments.