In-Depth

Firewall Drag Race

WatchGuard tackles "firewall sandwich" with a single device

Combining a high-speed, gigabit-throughput firewall with VPN capability, Seattle-based WatchGuard Technologies Inc. expanded its Firebox Vclass line of firewalls with a new, top-of-the-line model, the V200. The company is targeting application service providers and enterprises running distributed networks or data centers.

“What's happening in the enterprise marketplace is that the cost for gigabit Ethernet has been dropping, so people are deploying more of a campus security solution in their infrastructure,” says WatchGuard product manager Rodney Mock.

One issue with wiring multiple buildings is headcount. “The question with campus security is, how do you remotely manage a facility that might have two or three buildings in it? So it comes down to, how do we put security out there to manage those users without having to hire security experts?” notes Eric Ogren, senior analyst at Yankee Group in Boston. “You just don’t want to hire a full-time security person to deal with 50 people.”

With WatchGuard’s V200, organizations get a lower total cost of administration and don’t need to balance load across multiple boxes just to get gigabit monitoring capability, because they buy just one box. (Though to be prudent, presumably they run another simultaneously in case the first fails.)

Traditionally, WatchGuard “sells to small and medium businesses,” says Ogren, but “they’re trying to move upscale.”

“What we see a lot of times is what we call a firewall sandwich, and that's where you might have several security appliances together, then you need to do load balancing across those. With the V200, you really just need the one appliance to have the capacity you need. What that saves you is a lot less management of the solutions you might have put together in the past, plus license management,” says Jean Hodgson, WatchGuard's product marketing manager. Administrators also get one management tool.

In today’s depressed economy, firewalls and VPN appliances are a growth market—in the double digits, says IDC. “Enterprises increasingly see security appliances as the bedrock of their security posture,” notes IDC analyst Charles Kolodgy. Sales-wise, Cisco leads the pack with 37 percent of the market, followed in order by Nokia, NetScreen, SonicWALL, and WatchGuard.

Don’t read that ordering as a ranking of the best feature set or price point for any particular market segment, however, warns IDC, since different products and price points meet the needs of different customer segments.

WatchGuard says the V200 is aimed at the mid-size or larger enterprise, with features such as triple-DES encryption for VPNs, dynamic or static IP addresses, throughput speeds to handle lots of users, four embedded RISC processors, and real-time monitoring. It supports up to 40,000 simultaneous VPN tunnels, 1.1 gigabit-per-second VPN throughput, and 2 gigabit-per-second network throughput.

Gigabit capability is more than many companies need today, unless they’re extremely large organizations, managed security providers, or “anyone doing streaming or something depending on latency. You don’t want that latency to build up, with big hiccups and delays,” says Ogren.

Mock says that because the V200 uses an application-specific integrated circuit (ASIC)—in fact a so-called intelligent security ASIC—as opposed to a PC-based firewall or Intel-based server, “it allows you to ensure predictable performance regardless of the load.”

Of course, while “ASICs do have the promise of very high performance processing,” Ogren notes, “at the end of the day you just have to test the box and see what it does.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
