When it comes to performance numbers, the Sidewinder can handle a ridiculous number of concurrent connections--30 KB, second only to the Firebox 4500. Microsoft's ISA came in at a respectable 10 KB. The rate for connections per second came in at 800 in our testing. Sidewinder did a bit better than Check Point's FireWall-1 in the bandwidth test with HTTP application filtering enabled. However, when we ran the same test using stateful packet filtering, it only yielded an increase of 10 Mbps. In comparison, FireWall-1's stateful packet filtering screamed. After working with Secure Computing engineers, we determined the bottleneck was with memory allocation, for which we had no workaround.
Sidewinder G2, Secure Computing Corp., (800) 379-4944, (408) 979-6100. www.securecomputing.com
OK, how many of you know that FireWall-1 NG has application proxies? Not many, I bet. Check Point has been putting in application proxies--Security Servers in Check Point parlance--since version 4.0. We found a huge difference in HTTP performance when Security Servers were active as compared with performance when they were inactive. HTTP performance took a dive when we enabled application scanning, highlighting what we knew all along: Application filtering is much more resource-intensive than stateful packet filtering. However, the price is worth paying because the protection you get with application proxies is much better.
The FireWall-1 management GUI still offers the same rule-based paradigm. It's clean and easy to use, and its logging is more detailed than what you'd find with most other firewalls; Symantec's Enterprise Firewall is one that provides more detail. If you want to blend application proxies with stateful packet filtering, FireWall-1 will provide good protection and performance.
Security Servers are added via the resource mechanism. In the resources area you can configure specific protection features, such as URL length for HTTP or MIME types for SMTP. Once the resource is configured, it is added to the rule base just like a regular service and you're done. The types of protection are configured in the SmartDefense dialog for the particular resource. Using HTTP as an example, the HTTP Security Server SmartDefense options are applied to all HTTP Security Servers or to one selected in the rule base. Here we could choose to enforce URL lengths and HTTP Header lengths as well as enforce the use of ASCII characters in the HTTP request and response headers. Because Web server buffer overflows tend to use long strings in header fields and/or pass non-ASCII data in the header, these two selections should block requests that are not HTTP-compliant.
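To make concrete what the HTTP Security Server checks described above actually do to a request, here is an added example (not code from the article or from Check Point) of a small request-head inspector that applies the same three controls: a maximum URL length, a maximum header-line length, and an ASCII-only rule for the request line and headers. The limits, the treatment of "ASCII" as bytes 0x00-0x7F, and the sample requests are all assumptions constructed for this example.

```python
# Added example: SmartDefense-style HTTP request-head checks (URL length,
# header length, ASCII-only headers). Not Check Point's code; limits are assumed.

from dataclasses import dataclass, field

MAX_URL_LEN = 2048      # assumed limit for the request-target
MAX_HEADER_LEN = 1024   # assumed limit for a single header line


@dataclass
class CheckResult:
    compliant: bool
    violations: list = field(default_factory=list)  # sorted, de-duplicated


def check_request_head(raw: bytes, max_url: int = MAX_URL_LEN,
                       max_header: int = MAX_HEADER_LEN) -> CheckResult:
    """Inspect the head of an HTTP request: request line plus headers,
    up to the blank line. The body (if any) is ignored."""
    found = set()
    head, _, _body = raw.partition(b"\r\n\r\n")

    # ASCII-only rule for the whole head; any byte above 0x7F is a violation.
    if any(b > 0x7F for b in head):
        found.add("non-ascii-bytes-in-headers")

    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    # Request line must be "METHOD target HTTP/x.y"; then enforce the URL limit.
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        found.add("malformed-request-line")
    elif len(parts[1]) > max_url:
        found.add("url-too-long")

    for line in lines[1:]:
        if len(line) > max_header:
            found.add("header-too-long")
        if b":" not in line:
            found.add("malformed-header-line")

    violations = sorted(found)
    return CheckResult(compliant=not violations, violations=violations)


# Constructed sample requests (not captured traffic).
GOOD = (b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.test\r\nUser-Agent: test\r\n\r\n")
LONG_URL = (b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n\r\n")
LONG_HDR = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"X-Pad: " + b"B" * 2000 + b"\r\n\r\n")
NON_ASCII = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"X-Data: \xff\xfe\x90\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("long-url", LONG_URL),
                      ("long-header", LONG_HDR), ("non-ascii", NON_ASCII)):
        r = check_request_head(req)
        print(f"{name:12s} compliant={r.compliant} violations={r.violations}")
```

The checker works on the raw request head, so it reflects what a proxy sees before any decoding; a real Security Server additionally reassembles the TCP stream and can act on the response headers, which this example leaves out.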
During our performance tests, FireWall-1 NG operated at 766 Mbps during stateful packet filtering. Once we enabled the Security Server, performance dropped to 122 Mbps. It's the same old trade-off--performance versus protection. Bear in mind, however, that using application proxies is not an all or nothing option with FireWall-1 or any of the firewalls we tested. It's possible to mix and match proxy and stateful packet filtering in the same rule base to balance protection and performance on a per-rule basis.