
Branch office gigabit firewalls offer value for high-performance needs

Lower-cost UTMs with gigabit firewalls for small branches improve WAN security performance without the expense, space and power requirements of a larger branch or data center appliance. But the investment may not be worthwhile unless branches are using the Internet for more than Web browsing.

Gigabit firewalls and gateway devices are becoming a requirement for even the smallest of branches, putting pressure on enterprises to find low-cost options.

In a small branch office with about a dozen users who access network services remotely and use the Internet primarily for Web browsing, a legacy 100 to 300 Mbps firewall will most likely meet their needs. But those speeds may not cut it for highly centralized enterprises that deliver throughput-hungry services over the wide area network (WAN) or for highly decentralized enterprises that have intensive Web-based services housed locally in a branch's demilitarized zone (DMZ). Lower-cost unified threat management (UTM) devices for small branches with gigabit firewalls can improve WAN security performance without the expense, space and power requirements of a larger branch or data center appliance.

"Ten years ago, nobody cared that [a branch office firewall] was slow because your Internet connection was slower," said Christopher Daniluk, president of Rhythmic Technologies, a systems integrator based in Herndon, Va., which resells Fortinet's UTM appliances.


With connectivity speeds improving, Daniluk's enterprise customers are seeking higher-performance firewalls in branch locations to handle more intense WAN applications. But Fortinet's small branch UTM, the FortiGate 60-B, offers only a 100 Mbps firewall.

The next size up, the FortiGate 110C, offers a gigabit firewall but usually costs three times more than enterprises want to spend at their smaller sites, he said.

"It's not gigabit that they want -- it's more-than-100-megabit that they want, and what a lot of them want it for is backup… [because] they need to have 400 to 500 megabits to finish in time for their backup window," Daniluk said. "It's not necessarily useful for a single 15- to 20-user office to have a gigabit of throughput on their firewall, but it is pretty useful for a distributed larger business to use."

Joining other WAN security vendors, Fortinet recently released the FortiGate 60-C, a lower-cost UTM appliance for small branches with a gigabit firewall. It supports 500 concurrent virtual private network (VPN) tunnels and costs $895 for the hardware and security software bundle.


"We sold a lot of 110Cs [to branches] that didn't necessarily need the added expense -- a $3,000 firewall was what was in the next range up -- but specifically because people needed the gigabit performance [in the branch]," Daniluk said. "A lot of them were buying bigger units than they needed to, but a lot of them were also deferring purchases because they didn't want to spend the money [on larger WAN security appliances]."

Earlier this year, Check Point Software Technologies launched a gigabit firewall in its UTM-1 Edge, which starts at $750 and supports 400 concurrent VPN tunnels. In May 2009, Juniper Networks unveiled four new models of its SRX Series services gateways for branch offices -- the SRX 100, 210, 240 and 650 -- which offer firewall throughput from 650 Mbps to 7 Gbps in addition to other security services, routing and switching. The lowest-end model starts at $699, while the highest-end model starts at $16,000.

Although gigabit firewalls are becoming standard and are not quite as "awe-inspiring as they used to be," branch offices can probably get by on their slower legacy models unless special circumstances demand otherwise, according to John Kindervag, a senior network security analyst at Forrester Research.

"They probably don't need that much speed unless, for some reason, they have a really fast Internet connection or they have somehow integrated all of their network traffic in the branch to go through that firewall," Kindervag said. "Maybe they're using a lot of the DMZ capabilities, so they put the firewall in the center of their network -- but just for Internet connectivity? Probably not; but if you've got a lot of resources it's inspecting, that's conceivable."

Decentralized applications in DMZ call for gigabit firewall

Bradley Ruff, research and development specialist and technical team lead for Harley-Davidson Dealer Services (HDDS), the dealership arm of the American motorcycle manufacturer, doesn't approach WAN security from a conventional perspective.

Instead of branch offices, he oversees hundreds of independently owned dealerships, each of which houses its own Web-facing application servers. Dealers connect their main locations to a service or retail location via an IPsec VPN tunnel but are not directly connected back to HDDS. Tech support and other dealer services are offered over the Internet.

With such a decentralized design, Ruff and his team decided about six years ago that the dealerships' inconsistent approach to WAN security needed some standardization.

"Despite [having antivirus] software on the servers, they were still getting infected with malware, and there was nothing to protect them from attacks or hijack," Ruff said. "Some dealerships had a firewall in place, but many did not. The result was downtime, loss of productivity and an increase in the amount of time spent cleaning malware from systems or re-imaging them."

HDDS has since deployed 330 of Fortinet's 60-B UTMs and is in the process of upgrading them to 60-Cs, expecting that gigabit firewalls will soon become a necessity for dealerships as the volume of traffic reaching the perimeter grows.

"There has been a steady increase in the amount of data and content sent to the dealerships over the Internet -- training videos, software release updates and price book downloads are some of the data that is delivered via our website," Ruff said. "While we're still dependent on the ISP at the dealership, we don't have to worry about the performance of our deployed solution."

Although data center consolidation continues to be a trend, enterprises like HDDS that are decentralizing network resources will benefit from higher-performance firewalls and UTM devices, according to Chris Simmons, director of product strategy at Fortinet.

"We're seeing a large number of branch offices have the need for servers deployed on their local area networks -- common applications are email servers and voice [over IP] servers," Simmons said. "But whenever you're going between the DMZ and the internal LAN, you don't want WAN speeds. You don't want to slow that traffic down, so by incorporating the gigabit firewall performance, we're able to have DMZ access those internal networks very quickly and very efficiently."

UTM services hinder gigabit firewall performance

Enterprises must remember that a gigabit firewall rating says nothing about throughput once UTM features are enabled; turning on services such as antivirus or intrusion prevention systems (IPS) consumes central processing unit (CPU) resources and lowers the device's throughput, according to James Kawamoto, senior product manager in Juniper's security products group.

Juniper's custom silicon on its SRX series mitigates some of this, Kawamoto said, but its SRX 210 box, rated for a 750 Mbps firewall, achieves only 80 Mbps with IPS and 30 Mbps with antivirus enabled. Fortinet likewise credits the proprietary silicon in its FortiGate 60-C for its gigabit firewall performance, yet the device delivers only 60 Mbps with IPS and 20 Mbps with antivirus enabled.

"When you enable services on a box, the data sheet numbers really do not meet up to spec, so whatever is listed on a data sheet typically will not perform in your network in a real-world environment," Kawamoto said. "There's no vendor that has been able to have extremely high levels of performance. It does bring down the performance box. It [comes down to which] vendor can bring it down the least."

Jessica Scarpati, News Writer
