Choosing the right firewall involves weighing a variety of factors. Naturally, you'll want a box that's easy to set up and configure; that complements your anti-virus, anti-spam, and other perimeter security solutions; and that comes at the right price. But even if you meet these needs, your firewall will do you no good unless it can handle your network's highest traffic levels and, at the same time, thwart external attacks.

I recently invited vendors of midrange firewall appliances - products that support between 100,000 and 200,000 concurrent connections and between 1,000 and 2,000 VPN tunnels - to a performance test at Spirent Communications PLC's labs in Calabasas, California. In addition to sizing up setup requirements and feature sets, I used Spirent's test equipment to measure the performance and security capabilities of three entries: ServGate Technologies Inc.'s EdgeForce Accel, SonicWall Inc.'s Pro 3060, and Stonesoft Inc.'s StoneGate SG-500.

I used Spirent's Avalanche 5.2 and Reflector 5.2 test suites, running on Avalanche 2500 and Reflector 2500 hardware, to plumb each firewall's performance capabilities, including performance under load and volume of traffic across a multiprotocol network. I also emulated a number of DDoS attacks - namely SYN flood, Smurf, Reset (RST) flood, and ARP (Address Resolution Protocol) flood attacks - to see how successfully each device forwarded legitimate traffic while fending off each threat.

To test VPN performance, I used Spirent's SmartBits 6000 load generator and its newly released TeraVPN 4.0 test suite to measure maximum throughput in a site-to-site tunnel. In addition, I verified data passage on the vendors' stated maximum number of supported VPN tunnels.

In the end, none of the three devices was materially affected by the simulated attacks, which was not surprising, considering that this is an essential requirement for any enterprise-class firewall. But I did see significant differences in firewall and VPN performance, with ServGate and SonicWall leading the way.

ServGate EdgeForce Accel
ServGate's EdgeForce product line eschews the much-touted ASIC-based approach for a modular architecture on the grounds that maximum flexibility to defend against network threats is more important than brute muscle. Optional add-on modules allow you to boost the Accel's firewall throughput from a rated 250Mbps to 1Gbps and to take advantage of features such as Web content caching, local logging, virus scanning, and spam filtering.

The EdgeForce Accel I tested came with the works. This 1U, rack-mountable device runs a customised version of Linux on a Pentium III 686MHz processor and uses a Broadcom security chip for encryption processing. It is the only one of the three ICSA (International Computer Security Association)-certified devices in this review that supports gigabit interfaces. Standard management tasks, such as configuring firewall policies and designating e-mail alerts, are easily handled from within the GUI's drop-down windows.

The Accel supports a broad range of standard VPN configurations and protocols, and you can specify granular levels of QoS. To ease the management of multiple firewalls in distributed organizations, ServGate will soon release a centralized management console called the Global Manager. This software was not available in time for this review.

In firewall performance tests, the Accel exceeded its own specs of 128,000 concurrent connections, dropping out as it approached 131,000. When tested for maximum connections per second, the device ran into a problem due to the default rate at which it retired old connections. Because the Accel kept each connection's state-table entry for 120 seconds after the TCP connection closed, it was not releasing old connections fast enough to make room for the number of new connection requests.

Under this default configuration, the box tested out at 1,100 connections per second with intrusion detection turned on and NAT enabled. ServGate says that when it tested Accel with the TCP session teardown time reduced to 60 seconds and the intrusion detection and NAT features disabled, firewall performance improved to 3,490 connections per second.
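The connection-rate ceiling described above is a capacity effect that any stateful firewall exhibits: if the state table holds N entries and each closed connection is held for T seconds before its entry is released, then in steady state the device cannot accept more than roughly N / T new connections per second, however fast the hardware is. The following simulation is an added example and not part of the original review or any vendor's code; it models a constructed firewall with a fixed-size state table and a post-close hold timer, offers it a steady stream of new connections, and reports how many are accepted and refused. The table size, hold times and offered rates are assumptions chosen to match the figures in the text.

```python
"""Constructed model of a stateful firewall's connection table.

Each accepted connection occupies one slot for `hold_seconds` after it
closes (connection lifetime itself is folded into the hold for simplicity).
New connections are accepted only while a slot is free.  Little's law gives
the sustainable rate: table_size / hold_seconds new connections per second.
"""
from collections import deque


def sustainable_cps(table_size, hold_seconds):
    """Upper bound on steady-state new connections per second (Little's law)."""
    return table_size / hold_seconds


def simulate(table_size, hold_seconds, offered_cps, duration_s=None):
    """Tick-per-second simulation of the state table under a constant offered load.

    Returns a dict with totals accepted and refused over the run, and the
    steady-state accept rate measured over the final `hold_seconds` seconds.
    duration_s defaults to three hold periods so the last window is past
    the initial fill-up transient.
    """
    if duration_s is None:
        duration_s = 3 * hold_seconds
    in_use = 0
    releases = deque()          # FIFO of (release_time, slots), times increasing
    accepted = refused = 0
    per_second = []
    for now in range(duration_s):
        # Release every entry whose hold timer has expired by this tick.
        while releases and releases[0][0] <= now:
            in_use -= releases.popleft()[1]
        free = table_size - in_use
        take = min(offered_cps, free)   # accept only as many as fit
        if take:
            releases.append((now + hold_seconds, take))
            in_use += take
        accepted += take
        refused += offered_cps - take
        per_second.append(take)
    window = per_second[-hold_seconds:]
    return {
        "accepted": accepted,
        "refused": refused,
        "steady_cps": sum(window) / hold_seconds,
    }


if __name__ == "__main__":
    # Assumed 128,000-entry table, 120 s hold, 2,000 new connections/s offered.
    for hold in (120, 60):
        r = simulate(table_size=128_000, hold_seconds=hold, offered_cps=2_000)
        print(f"hold={hold:3d}s  bound={sustainable_cps(128_000, hold):7.1f}/s  "
              f"measured={r['steady_cps']:7.1f}/s  refused={r['refused']}")
```

With a 128,000-entry table and a 120-second hold, the bound works out to about 1,067 connections per second, close to the 1,100 the review observed under the default configuration; halving the hold to 60 seconds raises the bound to about 2,133 per second, so an offered 2,000 per second passes without refusals. The remaining gap to the 3,490 figure ServGate quotes is consistent with the additional per-connection cost of intrusion detection and NAT, which this model does not include.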

Although ServGate claims that when Accel is coupled with the Performance module it can support 2,000 VPN tunnels, I wasn't able to verify this due to time constraints. None of these vendors has a quick means of configuring large numbers of tunnels, but I did manage to configure and verify support for 1,000 tunnels on the ServGate box before time ran out.

Although the Accel supports gigabit interfaces, I tested site-to-site, single-tunnel throughput using 100Mbps cards. Here ServGate knocked the socks off the other entries, clocking in at 198Mbps of bidirectional throughput.

SonicWall Pro 3060
SonicWall's Pro 3060 performed well across the board in the lab. It matched the ServGate EdgeForce Accel at 131,000 concurrent connections and turned in an impressive 4,750 connections per second, fastest of the trio. The box tested slightly short of the 1,000 VPN tunnels SonicWall says the device will support. I was able to pass data through 993 tunnels, with seven tunnels showing malformed payloads. For a single site-to-site tunnel, the Pro 3060's bidirectional throughput was right on SonicWall's mark at 73Mbps. In short, the 3060's VPN performance and scalability don't rival the ServGate's, but they're nothing to sniff at in a box half the price.

Setup was remarkably simple thanks to SonicWall's new wizards, which help ease tedious tasks such as NAT and VPN configuration. The Pro 3060 also sports a nifty feature that saves administrators from brain lapses: a "safe mode" that allows administrators to create and store configurations in ROM and restore them if necessary. You can also boot to any stored configuration or version of firmware by choosing it from a menu.

The Pro 3060's services - including content filtering, anti-virus, and intrusion prevention options - are nearly as comprehensive as ServGate's, and its monitoring capabilities are solid. The device will conduct an AV ping that ensures current AV protection, and it can deploy and enforce new AV signatures during an attack.

On the downside, because the Pro 3060 did not support Transparent Mode (SonicWall said the software was in beta), I had to configure a NAT policy to bind a range of internal addresses to the WAN port for my tests. Although the SonicWall successfully thwarted my Reset attack, it misidentified it as a SYN flood.

StoneGate SG-500
If you're looking for a manageable firewall for a remote office, StoneGate's Linux-powered SG-500 is the hands-down, if somewhat pricey, winner in this group. The SG-500 lacks content filtering, anti-virus, and other services, but it offers a central server for remotely configuring multiple devices. I tested the StoneGate SG-500-100, which is rated at 100Mbps of firewall throughput. The lower-priced SG-500-50 model claims 50Mbps.

The SG-500 and the StoneGate Management Center communicate via a VPN tunnel. Ready-made configurations are created and stored on the server and are pushed out to the appliances. Configuring my SG-500 for the test involved returning the firewall to its initialisation state and then querying the management server for the stored configuration. The entire process took no more than 10 minutes.

The management console could be more intuitive, but it includes nice touches such as a CPU-utilisation monitor that neither of the other competitors has. Features are as customisable as you would expect for a remote-office solution. You can customise configuration templates while preventing admins from deleting rules. Logging options include logging nothing at all. You can export logs in CSV (comma-separated values) or XML format and can clean out unwanted logs using the handy Log Pruning Filter Manager.

In tests, StoneGate achieved a concurrent-connection figure of 110,000, holding its own against the competition, but in terms of TCP connections per second, it fell short, topping out at 1,840.

Because the SG-500 was designed for a branch office, where you'd have only a few site-to-site tunnels through which IPSec clients communicated, I modified the test to verify StoneGate's marketing claim of 2,000 concurrent IPSec tunnels. Ultimately, I was able to create 2,000 IPSec tunnels - or security associations - by setting up four site-to-site tunnels with 250 bidirectional IPSec tunnels in each. The SG-500 barely broke a sweat.

All three of these boxes truly belong in the mid-size enterprise. For maximum bandwidth and VPN muscle, the ServGate EdgeForce Accel is the way to go. It also offers the broadest range of add-on services. If gigabit bandwidth isn't necessary and firewall performance is more important than VPN throughput, the SonicWall Pro 3060 should be on your short list. It handled more connections per second than the ServGate when tested, and it costs significantly less.

Finally, the StoneGate SG-500, although not as swift as the others, turned in quite respectable performance numbers and proved easiest to set up and manage. It's a good choice for even the busiest branch office.