RADWARE FireProof Balances Firewall Loads With Minimal Complexity
April 5, 1999
By Gregory Yerxa

Balancing inbound or outbound traffic across two or more firewalls sounds simple enough. But try it, and you may find yourself grappling with configuration and management problems ranging from client configuration headaches to additional points of failure.


Typically, when you configure your network to pass traffic through multiple firewalls, you must set up complex router schemes or specialized firewalls. Configuring routers to load-balance multiple routes effectively also requires a proprietary mechanism, such as Cisco Systems' Hot Standby Routing Protocol (HSRP), to communicate between the routers. Some firewalls, including Check Point Software Technologies' FireWall-1, can communicate state information among themselves to achieve rapid failover with minimal loss of network traffic. To your network's client machines, however, the two firewalls appear as separate default routes and are a hassle to administer and work around as single points of failure. Keeping clients segmented into different configurations with different default gateways does nothing to load-balance traffic, nor does it offer redundancy. In the end, multiple firewalls mean lots of additional work and many more devices to manage, configure and monitor for failure.

In contrast, RADWARE's FireProof, a dynamic load-balancing system, directs traffic through the firewalls behind it and is designed to immediately detect a firewall failure. With FireProof, client configuration is identical across the network, and the entire solution is represented as a single firewall to your internal network. The addition of a second FireProof unit to your network provides complete redundancy, creating an extremely reliable multiple firewall configuration. FireProof works with any firewall, so you can keep existing equipment in place.

We tested FireProof in our University of Wisconsin-Madison Real World Labs® in conjunction with a pair of NetScreen Technologies NetScreen-100 firewalls. But before we began testing, we explored alternative methods for setting up a redundant configuration with multiple firewalls: It's not an easy task (see "FireProof Redundant Configuration" and "Alternate Redundant Configuration," below).

Our tests showed that FireProof is a worthwhile investment for multiple firewall installations. This completely fault-tolerant solution eases management and redundancy woes associated with complex router and network configurations. We found FireProof best suited for multiple firewall installations requiring fault tolerance without extensive tinkering or proprietary protocols. The extra load-balancing box that offers added redundancy is worth the $6,500-per-box price.

We set up a trusted network behind a single FireProof unit and two NetScreen-100 firewalls. After configuring the firewalls with IP addresses and default security policies, we were able to insert FireProof into the network as its new default gateway. We then directed our clients to route traffic to FireProof's IP interface and configured FireProof with the firewall IP information and weighting metrics. A one-time configuration of the hosts on the trusted network also was necessary to configure the new network's default gateway. This can be avoided by changing the IP address on the router and assigning the existing default route's IP address to FireProof.

FireProof's primary value lies in its menu of management options along with its load-balancing capabilities. During our tests, we were able to add the second firewall without interrupting any traffic. Once a firewall is marked as "shutdown," FireProof stops sending traffic to it, letting you gracefully remove firewalls for service without causing any problems with client traffic.



FireProof supports multiple load-balancing algorithms, including round robin (cyclic), least traffic and least users. We especially liked its support for configurable SNMP queries: It can query for private SNMP parameters from software and hardware firewalls and public SNMP parameters from Microsoft Windows NT-based firewalls, such as FireWall-1. Two separate weight schemes can be modified to suit your needs for both public and private parameters. Gauging individual firewall loads based on these parameters is more valuable than evaluating ping response times.
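The selection logic described in the two paragraphs above, as an added Python sketch (not RADWARE code): new client sessions are assigned by cyclic, least-traffic or least-users selection, and a firewall marked "shutdown" or "failed" receives no further traffic. The class names, the weight semantics (higher weight means more capacity) and the local counters standing in for SNMP-polled values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Firewall:
    name: str
    weight: int = 1         # assumed semantics: higher weight = more capacity
    state: str = "active"   # "active", "shutdown" (admin drain) or "failed"
    users: int = 0          # client sessions currently pinned to this firewall
    traffic: int = 0        # bytes forwarded (stand-in for a polled counter)

class Dispatcher:
    """Pins each client IP to one firewall and re-pins it if that firewall leaves."""
    ALGORITHMS = ("cyclic", "least_traffic", "least_users")

    def __init__(self, firewalls, algorithm="cyclic"):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm: {algorithm}")
        self.firewalls = list(firewalls)
        self.algorithm = algorithm
        self.sessions = {}   # client IP -> Firewall
        self._turn = 0

    def _pick(self):
        pool = [f for f in self.firewalls if f.state == "active"]
        if not pool:
            raise RuntimeError("no active firewall available")
        if self.algorithm == "cyclic":
            self._turn += 1
            return pool[(self._turn - 1) % len(pool)]
        if self.algorithm == "least_traffic":
            return min(pool, key=lambda f: f.traffic / f.weight)
        return min(pool, key=lambda f: f.users / f.weight)

    def forward(self, client_ip, nbytes):
        fw = self.sessions.get(client_ip)
        if fw is None or fw.state != "active":
            new_fw = self._pick()   # raises before any bookkeeping changes
            if fw is not None:
                fw.users -= 1       # old firewall was shut down or failed
            # Re-pinning moves an established flow; a stateful firewall that
            # does not share state will see it as a mid-stream connection.
            new_fw.users += 1
            self.sessions[client_ip] = fw = new_fw
        fw.traffic += nbytes
        return fw.name

if __name__ == "__main__":
    a, b = Firewall("fw-a"), Firewall("fw-b")   # constructed sample firewalls
    lb = Dispatcher([a, b], "cyclic")
    print([lb.forward(ip, 1500) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.1")])
    a.state = "shutdown"
    print(lb.forward("10.0.0.1", 1500))
```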

We managed FireProof with RADWARE's Config Master software, an easy-to-use and easy-to-navigate SNMP-based management tool. Using Config Master's real-time performance monitors, we determined the amount of forwarded traffic and number of dropped frames. Additionally, we verified client IP session information from within Config Master. However, we would have preferred a cross-platform management tool or a Web-based interface. (RADWARE says it's working on a Java/Web-based management tool.)

To test the performance and reliability of FireProof, we ran traffic-generating benchmarks and found FireProof's performance suitable for the needs of most access links with a sustained throughput of approximately 80 Mbps to 83 Mbps. We reached approximately 104 Mbps with only one firewall between the trusted and untrusted segments.

While we were testing FireProof Model C (based on the I960C Intel processor), RADWARE began shipping Model H (which is based on the I960H processor). This new model is said to be close to wire speed.

We recommend FireProof for network installations with a need for highly redundant firewall configurations with slower access links. Performance will be an issue for gigabit and some Fast Ethernet networks.

Send your comments on this article to Gregory Yerxa at gyerxa@nwc.com.

