Re: What does VPN throughput mean?

From: Leythos (void_at_nowhere.com)
Date: 12/19/03


Date: Thu, 18 Dec 2003 23:29:03 GMT

In article <8bdf2d47.0312180925.6fe5aaa7@posting.google.com>,
nospamj@i0ta.com says...
> Greetings:
>
> We are having a struggle at work determining which firewall appliance
> to purchase. The office has approximately 30 people with about 50
> more working in the field and is attached to the Internet via a T1. I
> am the Network Administrator, so naturally I would like something that
> is easy to administer, secure, has some IDS, and other features. So,
> I picked out a nice, feature rich Fortigate 100. According to its
> literature it has these performance characteristics:
> ------------------------------------
> FG100:
> Concurrent Sessions = 200K
> New Sessions/second = 4K
> Firewall Throughput (Mbps) = 95
> 168-bit Triple-DES Throughput (Mbps) = 25
> Concurrent Users = 10/Unlim
> ------------------------------------
[snip]
> Cisco's website:
> ------------------------------------
> Cleartext throughput: 188 Mbps
> Concurrent connections: 130,000
> 168-bit 3DES IPsec VPN throughput: Up to 140 Mbps with VAC+ or 63 Mbps
> with VAC
> 128-bit AES IPsec VPN throughput: Up to 135 Mbps with VAC+
> 256-bit AES IPsec VPN throughput: Up to 140 Mbps with VAC+
> Simultaneous VPN tunnels: 2000
> ------------------------------------

The PIX515E with VAC (not VAC+) is almost $5,500 from CDW.
The Fortigate 100 is almost $2000 from firewalldepot.com

You are not looking at the same class of firewalls here - the PIX is way
more firewall than the Fortigate.

The WatchGuard Firebox III-1000 is about $4,800 and is faster than PIX
without VAC+

The specs are as follows:
PERFORMANCE
Branch Office VPNs 2000¹
Mobile User VPNs 2000¹
Packet Filter Throughput 200 Mbps
VPN Throughput 75 Mbps
HTTP Proxy Throughput 94 Mbps
Authenticated Users 5000
User License Unlimited

The WatchGuard V60 is also faster than the PIX515E/VAC (not VAC+)

PERFORMANCE
Firewall Throughput 200 Mbps
VPN Throughput 100 Mbps
Branch Office VPNs 400*
Mobile User VPNs 400*
User License Unlimited
*The total number of Branch Office plus Mobile User VPN tunnels.

While the VPN performance far exceeds the T1 you will have, you may find
that you need that type of performance in order to decode at the
hardware level in order to keep the line speed up - you don't want the
firewall to be bogged down doing encrypting and decrypting.

I have no experience with Fortigate, so I would not install them unless
they provided a 1 month demo in our environment for free.

-- 
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

