Enterprise firewalls must have policies to control traffic, ability to create site-to-site VPNs using standards-based IPsec, translate addresses and port numbers (NAT) when needed, and apply basic bandwidth management to traffic. They must also support features such as high availability (active/passive or active/active), virtual LANs, Ethernet link aggregation, and global management systems.
We found that next generation firewall vendors are simply layering application aware features on top of their existing firewalls. That's a good thing, because it makes it more likely that the firewalls don't suffer from the kinds of bugs that any new product can have, and because they're starting out of the gate with a great, tested, feature set. The products we tested, from Check Point, Fortinet, SonicWall, and Barracuda Networks, don't have different names or even different licensing. You don't order a SonicWall next generation firewall; you just order a SonicWall firewall, and it has next-generation features. Same for Check Point, Fortinet and Barracuda Networks.
Next-gen firewalls: Off to a good start
Most readers will be familiar with the Check Point Security Gateway, Fortinet FortiGate and SonicWall SonicOS products already. The Barracuda NG Firewall doesn't have the same market penetration in North America — it comes through Barracuda's acquisition of Austrian firewall manufacturer Phion in 2009 — so the product won't be as familiar to Network World readers.
Barracuda's NG Firewall does have a stateful packet filter but the architecture of the NG Firewall is more like a bastion host application layer firewall (think Digital Equipment Corp's SEAL or Trusted Information Systems' Firewall Toolkit), with embedded proxies for HTTP, SSH, and FTP, an internal mail gateway to handle SMTP traffic, and the option to redirect any traffic passing through the firewall to an application running on the firewall itself.
The Barracuda NG Firewall is a thoroughly modern product, with features such as traffic shaping and UTM protections, integrated IPSec and SSL VPN and even Network Access Control — but the NG Firewall doesn't look much like other popular products in the firewall space.
This means that if you plan to evaluate the Barracuda NG Firewall, add some space in your schedule to get used to the configuration system and plan to spend some time on the phone with technical support, as we did, to understand how all the pieces fit together.
We found that all four products do meet basic criteria for enterprise firewalls, meaning that you could use them as firewalls for your organization without touching the next generation features. We did find some differences, but more in the edge features than the core of what a firewall does. Our test criteria focused on enterprise features, and we found that the least mature firewall product the areas of high availability and bandwidth management is the Barracuda NG Firewall.
For example, the Barracuda NG Firewall's main high availability capabilities are based on active/passive device pairs, without full sharing of session state. The Check Point Security Gateway, FortiGate and SonicOS systems all support active/active clusters with more than two devices, a more attractive option when protecting highly available enterprise networks.
With such a close feature set between products, we looked at more cutting-edge features, such as dynamic routing, global management, and IPv6 support. The leaders in our dynamic routing testing, which focused on BGP integration, were Check Point's Security Gateway and Fortinet's FortiGate, both of which synchronized properly with our Cisco-based BGP router.
In Check Point's case, the dynamic routing is actually a function of the underlying operating system, not the firewall. We were testing the Security Gateway on Check Point hardware, using their new "Gaia" operating system, which integrates technology from Check Point's own Secure Platform (Linux-based) operating system along with Nokia's IPSO (BSD-based) operating system, which came along with the acquisition of Nokia's firewall appliance business a few years ago.
Check Point's Security Gateway slightly edged out Fortinet's FortiGate because the Gaia-based dynamic routing was easier to configure through a fairly complete GUI. Security Gateway also offers command-line interface (CLI) configuration for more complicated settings, and additional protocols such as multicast routing (DVMRP). Fortinet's FortiGate required us to use the CLI, the only time during our testing we had to dive into a command line interface.
SonicWall failed our BGP testing because we were unable to fully synchronize the SonicOS dynamic routing with our systems. In general, SonicWall's support for anything beyond OSPF and RIP protocols is half-hearted at best. For example, one of the reasons we had problems making BGP work properly was that SonicWall does not offer documentation on the dynamic routing system. If you want to use SonicWall in a dynamic routing environment, stick to Open Shortest Path First, which is better documented and supported. In the case of Barracuda NG Firewall, BGP isn't supported at all.
Our evaluation of global management put the Check Point Security Gateway on top by a wide margin. Check Point has always required a centralized management system for their enterprise firewalls, and their experience shows when compared with less sophisticated and less complete products. As part of our testing, Check Point sent along their "not quite a SEIM" product, SmartEvent, which we recommend highly for any "next generation" focused deployment. SmartEvent is a critical component in analyzing the logs from Check Point firewalls; without it, you've got logs but no way to understand traffic flows and patterns.
SonicWall's Global Management System is a huge help in synchronizing firewall configurations, maintaining consistency of objects, and collecting traffic information. Anyone with more than a handful of SonicWall firewalls should strongly consider adding Global Management System to their deployment and management toolkit. Since the SonicWall internal log system is very limited in its capacity, external log analysis through tools such as Global Management System is critical for any debugging or reporting.
Neither Barracuda nor Fortinet sent their global management systems. Barracuda told us that their global management system for the NG Firewall, called Control Center, was primarily useful in defining complex VPN configurations and in analyzing log files from multiple firewalls. Fortinet offers two different management appliances for the FortiGate firewalls, FortiManager (for device management) and FortiAnalyzer (for log analysis).
FortiAnalyzer is a log receiver that replicates and extends the reporting available on the FortiGate itself. Because the FortiGate has a very sophisticated reporting engine and database built-in, we got a good feel for what the FortiAnalyzer was able to do. Anyone who wants to run reports on a FortiGate should add a FortiAnalyzer to their shopping basket. Mixing an SQL database and a firewall in the same box is a recipe for disaster in all but the smallest deployments, making the FortiAnalyzer a "must have" for enterprise users who want to know what is going on with their firewalls.
When we looked at IPv6 support, we were disappointed to discover very weak features in all products. While Barracuda's NG Firewall handled IPv6 on the LAN fairly well, probably because of the underlying Linux operating system, their HTTP and HTTPS proxies did not include IPv6 support, making the NG Firewall useless in any IPv6 firewalling environment. Check Point's Security Gateway did almost as well in LAN support, and does allow IPv6 addresses in firewall rules, but has not included IPv6 support in either their dynamic routing engine or, more importantly, their next-generation firewall application identification and control rules.
SonicOS didn't pass our IPv6 testing because the software build that we were testing didn't have IPv6 support — although other, older, SonicOS software versions do include IPv6 support, and SonicWall told us that they were putting a working IPv6 back in to the next software build. We also found the FortiGate missing features you'd need to make it the firewall handling an IPv6 network, signaling the need for more work to make the FortiGate truly IPv6-ready.
Our evaluation of the traditional firewall features didn't really upset any long-held beliefs. Check Point's Security Gateway, the oldest enterprise firewall in our testing, also shows the greatest maturity. SonicWall and Fortinet, both traditionally strong in the mid-sized organization market, excelled in the features needed in those areas, while the Barracuda NG Firewall, a relative newcomer, displays the rough edges you'd expect of a new product with a shorter development history.
Read more about wide area network in Network World's Wide Area Network section.