As we sat in the lab at 4 a.m., Red Bulls in hand and keyboards at our feet, the sight of powered-down "PIXen" brought tears to our eyes. As the Nokia and Stonesoft units continued their attacks on our sanity, we realized how much happier our lives would have been had everything tested as smoothly as the Cisco devices.
Kidding aside, the Cisco PIX 535 is a hoss of a firewall -- Cisco is finally doing things right on the security front. Offering fix-up inspection mechanisms for half a dozen protocols, TCP-sequence hardening and strict handling of fragmentation, Cisco is putting the smackdown on behind-the-scenes shenanigans (see "The State of TCP State Tracking"). It does a good job with failover, too. The one Achilles' heel that continues to plague Cisco is on the enterprise-management front -- administering dozens of PIXen is difficult, and Cisco is still in the process of improving its Cisco Secure Policy Manager (CSPM). However, for niche one-off HA deployments, the PIX with the built-in PIX Device Manager (PDM) is hard to beat.
The PIX setup is a straightforward process and can be accomplished using the HTTPS-based PDM or the CLI. Most of the default settings are sufficient to supply a robust solution, leaving administrators to focus on rule sets and translation-table configurations. We chose to run the PIX (and all the tested firewalls) in an active/standby mode: One unit is designated the primary; the second, the standby. When the primary fails, the standby assumes the MAC (Media Access Control) and IP addresses of the primary. If an active/active configuration is preferred, one can deploy a set of PIX pairs with HSRP (Hot Standby Router Protocol), but this setup isn't nearly as elegant.
The only configuration problem we experienced was related to the interaction between the PIX and our Cisco 3512 switches. Suffice it to say that from now on we're hard-setting the PIX interfaces to 100-Mbps full duplex -- no more of this autonegotiation crap.
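As an added illustration (not from the review and not taken from Cisco's documentation), here is what the active/standby setup described above looks like in PIX OS 6.x-style configuration, with the interfaces hard-set to 100-Mbps full duplex rather than left on autonegotiation. Interface names and addresses are constructed placeholders, and lines beginning with `:` are comments in PIX configuration syntax.

```text
: Hard-set speed and duplex instead of relying on autonegotiation.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
: Constructed interface names and addresses (placeholders only).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 172.16.1.1 255.255.255.0
: Active/standby: the standby unit takes over the primary's MAC and IP
: addresses when the primary stops answering failover polls.
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address stateful 172.16.1.2
: Dedicated link for replicating translation and connection state,
: which is what lets FTP and SSH sessions survive a failover.
failover link stateful
failover poll 3
```

The `failover ip address` entries are the standby unit's own addresses; the active unit always answers on the primary addresses, whichever chassis currently holds that role.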
Once up, the PIX handles failover like a champ. We were able to push different levels of connections, up to 200,000 simultaneous HTTP connections, through the PIX. During our tests we used Caw units as well as manual connections with SSH (Secure Shell) and FTP. When we failed over the PIX (via the infamous power-cord ripping routine) the FTP and SSH sessions remained intact with little more than a pause. The Web sessions failed over as well; you can view the outcome in "Interpreting Our Results" (below). One thing we found interesting is the difference between using gigabit ports on the PIX versus 100-Mbps ports: Even though our tests averaged well under 50 Mbps, the number of orphaned sessions dropped significantly when we swapped gigabit interfaces for 100 Mbps.
On the monitoring side, the PIX has both CLI and PDM (via HTTPS) options to check synchronization status; monitor CPU, memory and interface loads; and perform a multitude of other graphical monitoring functions. Overall, we found the PIX to be the right mix of power, performance and usability, with a solid set of security features, to fulfill our HA testing requirements.
PIX 535. Cisco Systems, (408) 526-4000, (800) 326-1941; fax (408) 526-4100. www.cisco.com
NetScreen Technologies NetScreen-1000
To be blunt, the NetScreen-1000s shocked us. Not only because of the blinding array of blinky lights that grace the front panels or because the units come with enough die-cast metal to start your own Hot Wheels shop, but because they just work -- and work well.
Standing about 9U high with enough fiber to choke a donkey, the 100 percent hardware, ASIC-based appliances are a force to be reckoned with -- and they can hold your Red Bull, too. Cisco take note: The PIX line has very little over the NetScreen units -- the 1000s are based on specialized hardware, perform flawlessly, possess TCP-sequence-inspection capabilities, have better cosmetic polish and could probably win in a street fight, as well.
The NetScreen product line has been successful in capturing a good chunk of the small- to midsize-business firewall market. While NetScreen units were often used by enterprises for VPN (virtual private network) deployments, most of the enterprise firewall market has been dominated by Cisco and Check Point. We suspect this will soon change.
Unlike the other products we tested, the NetScreen line is not based on general-purpose Intel or SPARC hardware. NetScreen has designed its firewalls from the ground up, trading the convenience of general-purpose CPUs for the performance advantages of ASIC-based processors.
We were impressed to find, however, that NetScreen hasn't cut any security corners in the process. The NetScreen 1000 was the only firewall besides the PIX to pass the Mike Scher TCP shenanigans test. During our failover tests we successfully blasted 200,000 sessions through the NetScreen 1000s, failed them over and witnessed virtually zero loss of sessions. The units didn't even appear to be breathing hard.
While the complaints we had with NetScreen are not severe for those deploying basic HA configurations, they're still relevant. First, while the Web GUI is usable, it's awkward and not very flexible. We had a number of cases where the application would simply state that "something was wrong" and instructed us to "fix it" -- without telling us what "it" was. The GUI also doesn't contain all the tools available via the CLI, which we see as less of an issue but one of concern for anyone who prefers graphical administration. Log review is also quite painful; the only saving grace is that you can pump logs to a syslog server. Finally, it's not easy to graphically monitor CPU and state synchronization status, two pieces of info easily monitored on the PIX.
The NetScreen is hard core on the performance side but lacking a little bit on the management and monitoring side. We're interested in seeing where this product line goes.
NetScreen-1000. NetScreen Technologies, (408) 730-6000; fax (408) 730-6100. www.netscreen.com