Speed of firewall with AV/DI

Based on the note from Russ, the speed of the firewall with all the options turned on is an issue. We would like to have some protection turned on internally (to the servers in the DMZ) as well as on the external side in case people pick up viruses and bring them in (we have a lot of people with laptops). We also don't want the network running at a crawl!

Has anyone done speed tests on the routers with the options on? Or, are there reviews or information from the suppliers?

The data point from Russ is: the Fortigate 60 would run about 50 Mbps IPS and up to around 8 to 10 Mbps AV, give or take depending on the traffic and the configuration.

CCMiami


Hiya. The Sonicwall TZ170 is about the same in performance with GAV/IPS/AS turned on.

The Netscreen 5GT slams into a brick wall with DI/AV turned on. In fact they have wound back the DI options on the 5XTs and aren't adding any more application scope to the 5GTs. So it looks like the 5GT's CPU is maxed out.

If you're concerned about throughput the next step up in the Sonicwall range is the Pro 2040.

If you want a COMPLETE UTTERLY SECURE FROM VIRUSES BEYOND YOUR WILDEST DREAMS network then investigate using a combination of zoning, IPS/GAV, and a switch that supports multi-VLAN segmenting. The Allied Telesyn 8524M does this. It allows you to stop LAN clients talking to each other and thus spreading nasties.

What you do is throw all your desktops and laptops into a LAN zone, your servers into a SERVER zone, and put IPS/GAV between the zones. Because the switch blocks the clients talking to anything but the Sonicwall, they can't spread nasties. You can do it on a TZ170 with the enhanced OS, but you have to watch your throughput versus $$$ versus security ;)

-Mark

I love statements like that "utterly secure ..etc".

No gateway device provides that unless it can detect viruses in pipes, kazaa, fragmented email messages, encrypted tunnels etc... which is impossible. Not to mention zero-day viruses.

Also, are you planning on creating a separate VLAN for every single client? Have you ever tried to run a network bigger than 5 or 10 users that way?

-Russ.


Yes actually. It's really easy to do; have a look at a switch, an Allied Telesyn 8524M. It supports a feature called Multiple VLANs. It allows you to assign an uplink port and automatically segments the rest of the ports. It's fairly simple and straightforward to implement. That's a 24 port solution. Then above that you use Protected and Private VLANs for larger installs.

Easy isn't it ;)

-Mark
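The mechanics Russ asks about next are easiest to see in a small model. The following is an added example, not code from the thread or from any of the vendors named in it: a Python model of the two-zone design Mark describes, with an access switch whose client ports can only reach the uplink, and a firewall that applies a zone policy (with or without IPS/GAV inspection) to whatever reaches it. The host names, port numbers and the policy table are constructed assumptions for the demonstration.

```python
"""Model of a zoned LAN with port isolation on the access switch.

Added example, not from the thread. Topology, host names and the
policy table are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    switch_port: Optional[int]   # port on the access switch; None = not on that switch

UPLINK_PORT = 24   # the one port that isolated client ports are allowed to reach

# Constructed topology: clients on isolated ports, servers behind the firewall.
HOSTS = {
    "laptop-a":   Host("laptop-a",   "LAN",    1),
    "laptop-b":   Host("laptop-b",   "LAN",    2),
    "desktop-c":  Host("desktop-c",  "LAN",    3),
    "fileserver": Host("fileserver", "SERVER", None),
    "mailserver": Host("mailserver", "SERVER", None),
}

# Zone policy: (src_zone, dst_zone, dst_port) -> run IPS/GAV on this flow?
# Anything not listed is denied (default deny between zones).
POLICY = {
    ("LAN", "SERVER", 445): True,   # file shares: scan for worms
    ("LAN", "SERVER", 25):  True,   # mail submission: scan attachments
    ("LAN", "SERVER", 53):  False,  # DNS: allow without deep inspection
}

def switch_forwards(src: Host, dst: Host, uplink: int = UPLINK_PORT) -> bool:
    """Port isolation ("multiple VLANs" / protected ports): a frame is
    forwarded only if one end of it is the uplink. Two client ports never
    exchange frames, so they cannot even ARP for each other."""
    return src.switch_port == uplink or dst.switch_port == uplink

def firewall_decides(src: Host, dst: Host, dst_port: int, policy=POLICY) -> str:
    """Zone policy lookup for a flow that has reached the firewall."""
    key = (src.zone, dst.zone, dst_port)
    if key not in policy:
        return "denied-by-firewall"
    return "allowed+inspected" if policy[key] else "allowed"

def evaluate(src_name: str, dst_name: str, dst_port: int,
             isolated_switch: bool = True) -> str:
    """Follow one client-originated flow through the design.

    isolated_switch=True : the switch separates clients; client-to-client
                           traffic dies at layer 2 and never needs a rule.
    isolated_switch=False: flat switch, one VLAN; the firewall is not in the
                           path between two clients, so nothing stops them.
    """
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    both_on_switch = src.switch_port is not None and dst.switch_port is not None
    if both_on_switch:
        if isolated_switch and not switch_forwards(src, dst):
            return "dropped-at-switch"
        return "forwarded-unchecked"   # same VLAN, same switch: firewall never sees it
    # Everything else leaves via the uplink and is routed by the firewall.
    return firewall_decides(src, dst, dst_port)

if __name__ == "__main__":
    for flow in [("laptop-a", "laptop-b", 445),
                 ("laptop-a", "fileserver", 445),
                 ("laptop-a", "fileserver", 23)]:
        print(flow, "isolated:", evaluate(*flow),
              "| flat:", evaluate(*flow, isolated_switch=False))
```

The point the model makes is the one behind the throughput numbers earlier in the thread: with isolation done by the switch, only client-to-server (and client-to-outside) flows ever cross the firewall, so those are the only flows the IPS/GAV engine has to keep up with, and client-to-client spread is stopped without any firewall rule at all.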

Yeah, that's kind of what I was getting at too. I don't doubt that it's *possible*, but I can imagine what a nightmare it would be to run a network with 24 different VLANs for 24 different users!

What happens next then, in your dream scenario? I.e., what are the mechanics of what you do with these 24 VLANs in your example on the various devices that will be involved?

-Russ.


Sonicwall has a unit with all that built in - perhaps a bit of overkill but it may have some advantages.

CCMiami

Yes and no. The Pro 1260 out of the box doesn't isolate the different ports. If you add the Enhanced OS you can zone up and traffic shape ports. However, you'd need 24 subnets and some fairly complex rules to set things up; you'd have to spend a lot of time nailing things down.

So the two solutions are a little different.

-Mark

Sounds pretty cool. And as you allude, it's the switch that gives you this ability, not the firewall. Much simpler than, say, Vernier's approach.

-Russ.


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.