NetScreen Technologies, Inc. NetScreen-100 versus Check Point Software Technologies, Ltd. FireWall-1/VPN-1, Nokia IP650 and Cisco Systems, Inc. Firewall Series PIX-515: Competitive Evaluation of Enterprise Class Internet Security Devices
Abstract
NetScreen Technologies, Inc. commissioned The Tolly Group to evaluate its NetScreen-100, an enterprise class firewall and Internet Protocol Security (IPSec) Virtual Private Network gateway. This purpose-built, Fast Ethernet security device was benchmarked by The Tolly Group and compared to the following three devices: a Check Point Software Technologies, Ltd. FireWall-1/VPN-1; a Nokia IP650; and a Cisco Systems, Inc. Firewall Series PIX-515. For all devices under test, The Tolly Group conducted application throughput and zero-loss throughput tests in an IPSec tunnel configuration. Engineers also measured zero-loss throughput and TCP/IP session-processing rate in a firewall configuration.
Summary: Tolly Group Evaluation of NetScreen-100 vs. Check Point FireWall-1/VPN-1, Nokia IP650, and Cisco PIX-515 (January 2001)
NetScreen Technologies commissioned The Tolly Group to evaluate the performance of its NetScreen-100 enterprise-class firewall and VPN appliance against Check Point FireWall-1/VPN-1, Nokia IP650, and Cisco PIX-515. The focus was on verifying throughput performance for firewall and IPSec VPN functions in high-speed environments, simulating enterprise and branch office deployments. Tests included application throughput, zero-loss packet forwarding in IPSec tunnels, firewall performance, and TCP connection rates.
In IPSec tunnel throughput tests, NetScreen-100 far outperformed its competitors, forwarding 134 Mbit/s of FTP traffic and 59 Mbit/s of SAP R/3 traffic. By comparison, Check Point, Nokia, and Cisco reached maximum FTP throughput of 43 Mbit/s, 16 Mbit/s, and 9 Mbit/s, respectively. For SAP R/3 traffic, the gap remained significant. In zero-loss IPSec tests, NetScreen-100 achieved up to 95% of theoretical maximum throughput with 1,024-byte packets, while competitors struggled to exceed 10%. Firewall throughput tests showed similar results, with NetScreen-100 achieving 100% line-rate performance on larger packets, while the others showed marked performance degradation, especially with small packet sizes.
NetScreen-100 also excelled in TCP connection scalability, processing 19,048 connections per second, vastly surpassing Check Point’s 1,600 connections per second and Cisco’s 3,402 connections per second. Nokia IP650 failed to sustain even 200 concurrent connections without loss. The evaluation concluded that NetScreen-100, with its purpose-built hardware architecture, delivers enterprise-grade firewall and VPN performance at Fast Ethernet speeds, offering a compelling solution for environments needing high throughput, low latency, and secure connectivity without sacrificing performance.
The NetScreen-100’s architecture delivered a significant performance advantage over Check Point, Nokia, and Cisco competitors due to its purpose-built, hardware-accelerated design, which contrasts sharply with the software-based architectures of its rivals.