May 07, 2012, 11:57 AM — When we tested four next-gen firewalls strictly on performance, we found that the products could forward packets at impressive rates, but throughput dropped when advanced security features were turned on. We now dive deep into application identification and control - the defining features of next-gen firewalls - to find out what works and what doesn't.
We discovered that although the four products tested show promise, there's still work to be done. Check Point, SonicWall and Fortinet were clustered at the top of our scorecard, but still have areas we hope to see improved. Barracuda didn't score as well, but is in the middle of a significant product upgrade.
The defining characteristic of a next-generation firewall is the ability to identify and control traffic at the application layer, so we designed a suite of 40 tests in nine categories to see how well the firewalls lived up to their billing.
No one came close to a perfect score, with SonicWall SonicOS identifying and blocking 26 of our 40 test applications, followed closely by Check Point Security Gateway with 24, Fortinet FortiGate with 21 and Barracuda NG Firewall with 18.
(Editor's Note: In the first part of this test, vendors submitted their biggest, fastest boxes to David Newman's lab in California for performance testing. We allowed vendors to send a smaller, lighter device within the same product family to Joel Snyder's Arizona lab for features testing. In every case except SonicWall's, the actual product name was the same for both tests, just a different model number. In SonicWall's case, we tested the SuperMassive 10800 for performance and the NSA E8500 for features, so to avoid any confusion we're referring to the product here as SonicOS, the operating system both models share.)
In our testing, some apps caused more problems than others. For example, in our quest for recent episodes of "The Big Bang Theory" (porn for geeks), Check Point and SonicWall blocked our BitTorrent client from reaching out and touching Sheldon, while Barracuda and Fortinet didn't.
On the other hand, Check Point couldn't block Skype and none of the products blocked Google's Gmail, which slipped through when we hit the "click here for basic HTML if your browser is not showing you your email" button.