(12/04/2000) – Cisco Systems Inc. this week will enter the rarified air of gigabit speed security when it unveils the Cisco Secure PIX Firewall 535.
And not a moment too soon – with multiple OC-3 (155M bit/sec) links becoming commonplace at service providers and large corporations, a gigabit firewall is no longer a steroid-induced fantasy.
The Network World Global Test Alliance got an exclusive chance to test the performance of this gear and found that the newest member of the PIX Firewall line outguns the rest we’ve seen. How fast? How does 2G bit/sec grab you?
Keep in mind that the PIX 535 is just another member of the PIX family. Although it has more interfaces and faster throughput, everything else about it will be familiar to users of the PIX Firewall. What the PIX 535 gives you is speed. As data centers and campus networks jump to 300M bit/sec and 450M bit/sec connections in 2001, the corporate firewall will have fallen far behind. The PIX 535 is one of two firewalls we’ve tested that can truly handle these gigabit speeds. NetScreen Technologies Inc.’s NetScreen 1000 also handles this level of throughput.
Although the PIX 535 shares the same cumbersome, counterintuitive command-line interface with the rest of the PIX family, it breaks loose with impressive performance. Start with the hardware. It’s small: 3U (5.25 inches high) is all it takes to firewall off a gigabit of traffic. The PIX 535 has a highly maintainable chassis with dual hot-swap power supplies and nine expansion slots. We swapped cards during our tests, and Cisco has made this easy. It’s not quite as accessible as Cisco’s 7000 series routers, but you can get to the important parts of the PIX – including the CPU board and all expansion cards – in about 30 seconds.
More important than those nine expansion slots is the hardware sitting behind them: three PCI buses, two of which are 64 bits wide to accommodate the four Gigabit Ethernet interfaces Cisco expects you’ll use to connect your PIX 535 to your network. The third PCI bus is a 32-bit bus, which can take four 10/100 Ethernet interfaces and a VPN accelerator card. Driving those buses is a 1-GHz Intel processor (the box is dual-CPU capable, but dual CPUs are not currently supported) and a gigabyte of memory. Everything about this box says “gigabit” – memory, CPU and LAN. Total it up, and you can have up to four Gigabit Ethernet and four 10/100M bit/sec Fast Ethernet interfaces in this system. That’s serious bandwidth.
In our most optimistic and easiest test – simulating four huge connections using a Spirent PLC’s SmartBits 6000 with large packets – the PIX 535 turned in an amazing 2,080M bit/sec performance. That’s almost six times faster than the PIX 525, Cisco’s closest model, is rated by the company. Of course, you won’t see that kind of performance in real-life situations. Our benchmarks show that normal Internet traffic with 2,000 connections through the firewall could expect a steady performance of 400M bit/sec.
Connection establishment also doesn’t seem to slow the PIX 535. We benchmarked it at approximately 8,500 connection/sec, up to 1.2 million simultaneous connections. That’s a ridiculously huge number of connections, and Cisco engineers told us it could go as high as two million, but that’s more than we could test in our lab.
At more reasonable connection rates, the PIX 535 hums along nicely. We used Antara’s Flamethrower to run a constant stream of 500 connection/sec through the PIX 535 and saw only a few percentage points drop in performance. When we put the Flamethrower into denial-of-service attack mode, the effect was a little more pronounced, with about a 20 percent drop in throughput.
The PIX 535 has an optional encryption acceleration card (based on IRE’s SafeNet DSP), which we benchmarked at speeds of 90M bit/sec using a fairly typical traffic mix and a small number of IP Security associations. This compares favorably with midrange VPN devices from Nokia Corp., Alcatel SA and NetScreen, which typically hover just below the 100M bit/sec mark in Triple-DES/ SHA-1 encrypting throughput. The PIX 535 accelerator card does substantially better than normal PCI-based encryption devices we’ve seen, largely because of bus contention issues. Cisco’s engineering and three-bus architecture give a performance boost that normal PC-based firewalls can’t compete with.
We learned from our tests that the PIX 535 is very sensitive to configuration and network engineering. For example, our initial encryption tests were done with the VPN accelerator on the same PCI bus as the Fast Ethernet cards we were using for part of the test. PCI buses form a horrible bottleneck in general, and we saw performance drop by as much as 30 percent in some tests. When we balanced traffic more carefully by spreading it across the three PCI buses, performance improved dramatically. We saw less dramatic results as we balanced traffic across interfaces and buses in our testing, typically in the 10 percent or lower range.
Final analysis
Is the PIX 535 for you? If you need Gigabit Ethernet performance, you don’t have a lot of choices. NetScreen’s NetScreen 1000 offers similar speeds when fully configured, but at nearly twice the price of the estimated at CDN$142,500 fully configured PIX 535. At speeds that high, though, either may seem a bargain.
The PIX’s biggest deficiency is its command-line interface. Similar to Cisco’s IOS, the PIX is just different enough to give any IOS expert a headache.
The PIX remains a firewall for companies and application service providers that can live with a small set of firewall rules and don’t ask for a lot of flexibility in their security appliances.
While some security experts dismiss the lack of features in the PIX, others find it a solid product, citing the simplicity mantra: Simpler systems are easier to understand and secure, and the PIX is nothing if not simple.
It’s also got some nice seasoning on it, with more than five years of predecessors in the PIX line under its belt. Although we were officially running very late beta-test version software, it exhibited traditional Cisco stability and gave us crash-free performance. If you’ve got an easy-to-express policy and a bunch of bandwidth, the PIX 535 is an incredibly fast performer in a nice package.
Snyder is a senior partner at Opus One, in Tucson, Ariz., specializing in messaging and security. He can be reached at joel.snyder@opus1.com.
Prices listed are in Cdn currency.