December 15, 2000, 1:01 PM — Two vendors are addressing a new problem companies face: How do you protect sites served by gigabit-speed Internet connections?
Cisco and NetScreen are the first to introduce gigabit firewalls that support the high-speed VPN encryption needed to carry business transactions securely over public IP networks. Both companies' products support Triple-DES encryption at speeds slower than 1G bit/sec, but as a practical matter companies won't need to encrypt all traffic flowing over the Internet connections.
The need for high-speed firewall protection will grow as more service providers emerge offering 1G bit/sec links to the Internet that corporations use for e-commerce or supporting VPNs that link enterprise sites, says John Lawler, an analyst with Infonetics Research.
One such provider, Yipes, says it is evaluating NetScreen's 1000ES firewall/VPN box to support a high-speed managed firewall service it is rolling out this week at subgigabit speeds, says Eric Zines, Yipes' director of product marketing.
NetScreen's enterprise offering, the NetScreen-1000ES, provides 1G bit/sec firewall throughput and performs Triple-DES encryption at 600M bit/sec.
That encryption rate is faster than that of Cisco's new PIX 535 firewall, which means enterprise customers can apply encryption more widely if needed.
"If the encryption results in a severe performance degradation, you might decide not to turn it on, which is not a good idea from a security point of view.
Usually, you want all the pieces to work at the line rate," Lawler says. The NetScreen-1000ES also has a failover option.
NetScreen-1000ES also supports five separate virtual LAN segments, and customers can define different levels of security for each segment.
The NetScreen-1000ES is available now for a base price of $65,000.
Cisco's PIX 535 firewall appliance sports a 1G bit/sec firewall and supports 100M bit/sec Triple-DES encryption via a VPN accelerator card (VAC).
The nine-slot PIX 535 chassis supports one- or four-port 100M bit/sec Ethernet cards to connect with LAN devices, a Gigabit Ethernet uplink card and a VAC that performs encryption with its own processors.
The device includes intrusion-detection capabilities for about 50 standard attacks and can be configured to block them and trigger alarms if those attacks are under way.
Cisco sells a base model of the PIX 535 as well as an enhanced model that increases RAM from 12M bytes to 1G byte and includes software that enables the box to fail over to a standby PIX 535.
The PIX 535 is available this month at a base price of $60,000; the enhanced model with increased RAM and failover capability costs $75,000. Cisco VACs cost $7,500.