UTM performance takes a hit

IPS, antivirus scanning reduce gigabit firewall speeds to megabit levels

Because every network requires a different way of measuring performance and most UTM products offer thousands of deployment options, it's hard to draw even general conclusions about how these products will behave in your network. However, we can say that most enterprises will want to proceed cautiously when adding UTM features, such as intrusion-prevention systems and antivirus scanning, to their perimeter firewall boxes, because of their unpredictable impact on total system performance.

In our baseline testing with only the firewalling capabilities turned on, eight of the 14 appliances easily exceeded our 1Gbps measurement goal. When we turned on their UTM features, however, systems that breezed through the 1,000Mbps mark slowed dramatically. Out of 56 test results collected with various UTM features turned on, 36 registered results that were 250Mbps or less.

With IPS configuration, your choice of signatures can make the difference between a speedy firewall and a snail. The top IPS performer, IBM Internet Security Systems' Proventia MX5010, shows that you can get a high-speed IPS riding on top of a firewall. Other platforms require careful tuning and an educated selection of what you want to protect before you can achieve predictable and acceptable performance.

Antivirus scanning carries a similar cost on most platforms (the Fortinet FortiGate 3600A is an exception), which also makes it a risky add-on: it brought some platforms to their knees, turning gigabit firewalls into megabit slowpokes.

We ran baseline traffic through the firewalls using Spirent Communications' Avalanche and Reflector load testing products. We set up a load of 1Gbps spread across four ports, with the Reflector serving up Web pages on 20 simulated Web servers on two of the ports, and Avalanche simulating 500 Web clients on the other two.

Deployment question

In each case where we faced a deployment-option question, we optimized for security rather than speed. Yet one man's security might be another man's overkill, especially when the performance penalty for these security features is significant.

Enabling HTTP inspection, a feature that provides some intrusion prevention, caused almost no performance penalty on our Cisco ASA5540, reducing throughput from 660Mbps to about 640Mbps. Enabling HTTP inspection together with an advanced feature (such as blocking ActiveX content), however, caused an 80% drop in total throughput.

Picking a configuration for performance measurements got more complicated when we tested with UTM features enabled. Check Point Software's IPS technology, called Secure Defense, is a good example. With several hundred IPS options for different types of applications and different attacks, there is no way just to turn on IPS. You have to decide which of the signatures you want to use. When you turn on anything above the default settings, the performance impact is huge.

When we tested the Nokia IP290 running Check Point's firewall software with Secure Defense disabled, and then enabled with default settings, we saw a tiny performance hit (from 1,003Mbps to 993Mbps). When we followed Check Point's recommended settings for providing IPS for servers (which scans for more attacks), we saw an 85% drop in performance.

To get our IPS performance results, we used two scenarios -- one asking the firewalls to protect servers and one asking them to protect client systems. With server-protective IPS, there are more potential attacks to check for, but the IPS doesn't have to look at as much traffic. For example, in our HTTP testing, it took only about 20Mbps of request traffic to a server to generate 1,000Mbps of response traffic coming back from it, and server-protective IPS has to look only at the traffic going to the server.

On all firewalls, we set up a modest policy, letting HTTP through between segments with network address translation (NAT) enabled. We weren't trying to find out the top speed for each of the products; most of the boxes we tested had stated capacities faster than our 1Gbps test bed. Our objective was to ascertain how much of a drop we were going to find when we turned on UTM features.

The security features of many of the firewalls we tested comprise a spectrum of options. For example, Secure Computing will let you run the Sidewinder with packet filters or a generic proxy, neither of which has the same security model as the full application-aware proxy it also supports. With packet filters, the Sidewinder maxed out our test bed; with a generic proxy it nearly hit 1Gbps. However, any enterprise paying the US$80,000 price tag would do so for the full proxy capabilities. When we turned those on, raw performance fell to a still respectable 826Mbps.

Joel Snyder

Network World