
Secospace USG9100 Competition Analysis



  1. Secospace USG9100 Competition Analysis

  2. Overview

  3. Objective
     • Know about the products of both HS and peer vendors; defeat rival products with our invincible features.
     • For any question or query, contact Song Xuzhao, the marketing representative of the USG9100. Any idea to improve the slides is appreciated, especially suggestions from front-line colleagues, who are acquainted with the products of peer vendors.

  4. HS 10-Gigabit Security Gateway Product Family
     USG9110 / USG9120
     • 10G to 120G performance
     • ATCA
     • Distributed architecture
     • High performance & low power consumption
     USG9310 / USG9320
     • 10G to 80G performance
     • Mass VPN access
     • Distributed architecture
     • NP+multi-core processor

  5. Product Overview — Brand Names
     • The USG9100 series includes the USG9110 (5 U) and the USG9120 (14 U). This series mainly targets non-operator markets. So far, HS has not OEMed the USG9100 series.

  6. Product Overview
     • Orientation
       - High-end 10-Gigabit security gateway with multiple functions
       - Squeezing inferior 10-Gigabit FWs out of non-operator markets
     • Target market
       - Non-operator 10-Gigabit FW market
     • Highlights
       - High performance & low power consumption
       - Excellent performance
       - ATCA distributed scalable architecture

  7. Super 100-Gigabit FW — the USG9100
     • Advanced ATCA+multi-core+distributed architecture: providing high scalability and reducing the TCO
     • Brilliant FW performance: safeguarding key services
     • Excellent VPN performance: adapting to the encrypted transmission of mass services
     • Extensive interfaces: facilitating flexible networking
     • Sound reliability: ensuring service consistency and stability with a 330000-hour MTBF
     • Low power consumption & easy deployment: consuming less than 20 W/G, the lowest in the industry, and fitting standard cabinets
     The super 100-Gigabit high-end FW delivers industry-leading performance and reliability, effectively guaranteeing the security of large IDCs, big Web sites, and high-end applications on vertical industry networks.

  8. Competition Analysis

  9. 10-Gigabit FWs in the Industry
     Scope: products supporting 10GE interfaces, with FW throughput > 10 Gbps and a transaction price > $30000.
     • Cisco: ASA 5580-40; 6500 switch+FW board
     • Juniper: SRX3000, SRX5000
     • Fortinet: FortiGate 5000
     • H3C: F5000-A5
     • TOPSEC: NGFW
     • Lenovo: KingGuard 9000
     • HS: USG9100
     Cisco mainly adopts security boards. Its security products hold the largest market share, relying on Cisco's leading position in routing and switching technologies.
     Juniper has advanced security technologies. The SRX series was launched in 2008/2009, and its performance and functions are industry-leading.
     Fortinet is the founder of UTM. Its products are outstanding in UTM features and management, but their performance and FW functions are poor.

  10. Integrated Architecture Analysis of 10-Gigabit FWs
     The products are classified along three dimensions: security board vs. independent device; centralized vs. distributed architecture; integrating interface cards and service boards vs. separating interface cards from service boards.
     Products positioned in the matrix: F5000-A5, SRX series, MS-DPC, FWSM, ASA 5580-40, FortiGate 5000, X series, USG9100, SecBlade.
     Juniper, Cisco, and H3C, which specialize in routing and switching devices, provide both independent devices and security boards. Other professional security product vendors provide independent devices only. Most new products in the market adopt a distributed architecture to improve integrated performance. Moreover, interface cards and service boards are separated to enhance reliability and networking flexibility.

  11. Strength Emphasis
     • Advanced performance: The USG9100 provides up to 120G throughput, 48000000 concurrent connections, 3000000 new connections per second, 96G VPN performance, and 480000 IPSec concurrent tunnels. All these make the USG9100 the best-performing product in the industry.
     • Distributed architecture: The USG9100 adopts the standard ATCA architecture, which provides excellent scalability (both performance and interfaces can be expanded smoothly). The USG9100 also adopts distributed SPUs to implement load balancing and hot backup among SPUs.
     • Interface density: The USG9100 provides a maximum of 96 x GE interfaces or 12 x 10GE interfaces. In Q1 2010, we will provide the high-density LPU, which provides 2 x 10GE+16 x GE interfaces.
     • High reliability: Dual MPUs, dual-system hot backup, key component redundancy, 99.999% reliability, and a 38-year MTBF. Recommend that users adopt dual-system hot backup networking to ensure high reliability.
     • Selling price: The selling price of the USG9100 is much lower than that of products from overseas vendors.
     • High performance and low power consumption: The power consumption of the USG9100 is lower than 20 W/G. The total power consumption of the USG9110 is 800 W and that of the USG9120 is 2000 W.

  12. Weakness Avoidance
     • Interface density: Currently, the interface density of our boards is relatively poor, but the maximum number of interfaces is large. In Q1 2010, we will launch the high-density LPU, which provides 2 x 10GE+16 x GE interfaces.
     • LPU: The number of LPUs corresponds to that of SPUs. If high-density interfaces are required, great pressure is imposed on the selling price of the USG9100.
     • Power supply: External power supply.
     • UTM feature: The USG9100 currently lacks the UTM feature, so this topic should be avoided. In high-end application scenarios, enabling the UTM feature decreases performance and turns the device into the network bottleneck. Therefore, the UTM feature is not practical in high-end application scenarios.

  13. Catalog

  14. Juniper SRX5000
     • The Juniper NS 10-Gigabit FW series includes the NS-5200 and NS-5400, which provide 10G and 34G throughput respectively. The NS series supports multiple 10GE interfaces and is the earliest independent 10-Gigabit FW in the industry. The NS series adopts the traditional ASIC+CPU architecture, and its number of new connections per second is small. Therefore, the NS series is not suited to current networks, where DDoS attacks and burst traffic occur frequently.
     • Juniper launched the SRX5600/5800 high-end FWs in September 2008. The SRX5600/5800 are based on the MX480/960 router platforms. A single slot provides 40G switching capability. The advertised integrated throughput of the SRX5600/5800 is 60 Gbps/120 Gbps.
     • Juniper SRX3400/3600 (20 Gbps/30 Gbps throughput) are entry-level 10-Gigabit FWs.

  15. Juniper SRX5000
     • Juniper launched the SRX5600/5800 high-end FWs in September 2008. The SRX5600/5800 are based on the MX480/960 router platforms. A single slot provides 40G switching capability. The advertised integrated throughput of the SRX5600/5800 is 60 Gbps/120 Gbps.
     • Key message: Speed Ahead
     • Advertised features:
       - Scalable performance
       - System and network resiliency
       - Interface flexibility
       - Network segmentation
       - Robust routing engine
       - Comprehensive threat protection
     • Main functions: FW, QoS, routing, and IPS
     (Pictured: SRX5800 and SRX5600)

  16. Components of Juniper SRX5000
     (Labelled in the chassis diagram: control panel, upper fan tray, IOC, SCB, SPC, RE, lower fan tray, air intake)
     • IOC: Input Output Card, supporting 4 x 10GE and 40 x GE
     • SPC: Service Processing Card, supporting 10G large-packet throughput and lower than 1G small-packet throughput
     • RE: Routing Engine, 1.3 GHz with 2 GB DRAM
     • SCB: Switch Control Board, supporting backup

  17. Components Analysis of Juniper SRX5000
     • Chassis: The SRX5600 adopts an 8-U chassis and the SRX5800 a 16-U chassis.
     • SCB: The SRX5600 can be configured with two SCBs (1+1) and the SRX5800 with three (2+1).
     • RE: The RE is installed on the SCB. The switch platform supports dual routes, but the RE supports only one. A 1.3 GHz Celeron-M chip is adopted and 2 GB of memory is configured. The control and data planes are completely separated.
     • SPC: The SPC provides 15G large-packet throughput, less than 1G small-packet throughput, and 5G mixed-packet throughput. The advertised throughput is 20 Gbps.
     • IOC: The IOC supports 40 x GE and 4 x 10GE interfaces, but not POS interfaces. The IOC adopts the switch fabric architecture; its integrated processing capability is ordinary. (The USG9100 supports POS interfaces, but its interface density and LPU capacity are not as good as those of the Juniper SRX5000 series.)
     According to the specifications, the indexes (such as the number of new connections per second, number of concurrent connections, and number of policies) of the SRX5600 and the SRX5800 are the same. That is, these specifications do not increase linearly with the number of SPCs. Therefore, we conclude that all services are forwarded by the RE, and that the integrated throughput and reliability of the Juniper SRX5000 series rely on the RE. As a result, its reliability and scalability are much poorer than those of the USG9100.

  18. Specifications Comparison

  19. Quotation Mode of the SRX5800 Series
     • Quotation mode: Frame (including the RE and SCB)+IOC+SPC
     • Quotation examples:
       - SRX5800 40G throughput+2 REs+2 SCBs+4 x 10GE+24 x GE+dual power supplies: catalog price ¥15680000
       - SRX5800 80G throughput+2 REs+2 SCBs+4 x 10GE+24 x GE+dual power supplies: catalog price ¥22080000
     • Juniper's maximum discount: 89%

  20. USG9100 vs. SRX5000
     • Comprehensive linear scalable architecture: The USG9100 adopts a real distributed architecture. Its throughput, number of new connections per second, and number of concurrent connections can be expanded linearly. For the Juniper SRX5000, only the throughput can be expanded linearly, not the other specifications, which shows that the Juniper SRX5000 does not adopt a truly scalable architecture.
     • Advantageous integrated performance: Apart from the integrated throughput and large-packet throughput, the small-packet throughput, mixed-packet throughput, number of new connections per second, number of concurrent connections, and VPN performance of the USG9100 stand out. The SRX5000 cannot be mentioned in the same breath as the USG9100, especially in small-packet throughput. The SRX5000 cannot defend against large-scale DDoS attacks.
     • High reliability: Dual main processing units: according to the purchase list, the Juniper SRX5000 does not support dual main processing units. Mutual backup among SPCs: this feature is not mentioned in the promotion of the Juniper SRX5000. MTBF: this data is not mentioned in the promotion of the Juniper SRX5000. The USG9100 supports dual-system hot backup. The SRX5000 supports the active/standby mode only and is of poor reliability. The boards of the SRX5000 do not support hot swapping. Juniper addresses service continuity through the chassis cluster.
     • Virtual FW: The USG9100 supports 1024 virtual FWs, but the SRX5000 does not. The new software platform of the SRX5000 has not comprehensively integrated the original functions.
     • Interface: The USG9100 supports POS interfaces, but the SRX5000 does not. The interface density of the USG9100 is high. A single LPU of the USG9100 supports 4 x 10GE or 40 x GE interfaces.
     • Anti-DDoS: The number of new connections per second of the SRX3000 is small and its anti-DDoS capability is poor.
     • Slot: The IOC and SPC of the SRX5000 share the same slot. The SPU of the USG9100 corresponds one-to-one to the LPU, and the USG9100 supports 4/12 pairs of SPUs and LPUs. The SPC and IOC of the SRX5600 are the same as those of the SRX5800.
     • Selling price: The selling price of the SRX5000 is much higher than that of the USG9100. Therefore, they seldom compete on selling price.
     • Management: The SRX5000 is managed through the NSM, but the NSM cannot receive security alarms from the SRX3000. That is, this security management platform does not report what kind of attacks occur on the network, or whether the network is under attack at all. After the IPS function of the SRX5000 is enabled, the configuration interface becomes unstable and the attack database is incoherent. The IPS function can hardly be managed. The IPS performance is poor, the configuration is difficult, and management is hard to realize. All these indicate that the SRX5800 may be a high-speed FW; however, until Juniper solves the manageability problem, the IPS function of the SRX5000 is not usable. For details, see:
       http://www.networkworld.com/reviews/2009/022309-juniper-firewall-test.html
       http://www.cww.net.cn/tech/html/2009/3/16/2009316162046380.htm
       http://cisco.chinaitlab.com/firewall/779297.html

  21. Weakness Avoidance of the USG9100
     • Integrated performance: The throughput (large packet/mixed packet/small packet), number of concurrent connections, and number of new connections per second should be emphasized. Guide customers to understand that large-packet processing capability does not reflect the actual performance of a FW and that only the integrated performance is meaningful.
     • Interface density: Interface density is our weak point. 2 x 10GE+16 x GE high-density LPUs will be provided in the coming year.
     • Selling price: The selling price of the USG9100 is much lower than that of the SRX5000.

  22. Juniper SRX5000 | Juniper SRX3000 | NS 5200/5400

  23. Juniper SRX3000
     • Juniper SRX3400/3600 are entry-level 10-Gigabit FWs launched in March 2009. The throughput ranges from 10 Gbps to 30 Gbps. The advertised integrated throughput of the Juniper SRX3400/3600 is 20 Gbps/30 Gbps.
     • Key message: advanced scalability and service integration
     • Advertised features:
       - Flexible performance expansion and I/O expansion
       - Powerful network and security services
       - Various detection methods
       - IPS function
       - Network and Security Manager for centralized management
       - Simple and flexible deployment
     • Main functions: FW, NAT, DDoS defense, QoS, ALG, IPSec/SSL VPN, and IPS
     (Pictured: SRX3600 and SRX3400)

  24. Components of Juniper SRX3400
     (Pictured: front panel and rear panel of the SRX3400)
     • IOC: Input Output Card, supporting 2 x 10GE or 16 x GE interfaces (optical/electrical)
     • SPC: Service Processing Card, supporting 5G throughput (large packet) and 1G throughput (small packet)
     • RE: Routing Engine, PowerPC platform
     • NPC: Network Processing Card, forwarding traffic between IOCs and SPCs
     • SFB: Switch Fabric Board, supporting 8 x GE (electrical)+4 x GE (optical) interfaces

  25. Components of Juniper SRX3600
     (Pictured: front panel and rear panel of the SRX3600)
     • IOC/SPC/RE/NPC/SFB: the same as those of the SRX3400

  26. Components Analysis of Juniper SRX3000
     • Chassis: The SRX3400 adopts a 3-U chassis and the SRX3600 a 5-U chassis. The Juniper SRX3000 series adopts a central backplane.
     • SCB: One SCB is integrated in the chassis of the SRX3400/3600.
     • NPC: The SRX3400 can be configured with one or two NPCs and the SRX3600 with one to three NPCs.
     • RE: The RE is installed on the SCB (or Ethernet IOC). The switch platform supports dual routes, but the RE supports only one, and a single main processing unit is adopted.
     • SPC: The SPC provides 5G large-packet throughput and 1G small-packet throughput. The USG9100 provides 5G small-packet throughput, 8G mixed-packet throughput, and 10G large-packet throughput.
     • IOC: The IOC supports 16 x GE or 2 x 10GE interfaces, but not POS interfaces. The IOC adopts the switch fabric architecture; its integrated processing capability is ordinary. (The USG9100 supports POS interfaces, but its interface density and LPU capacity are not as good as those of the Juniper SRX5000 series.)
     • Maximum number of boards (SRX3400): Seven slots in total (four in the front panel and three in the rear panel). The IOC must be installed in the front panel and the NPC in the rear panel. The SPC can be installed in either the front or rear panel. The maximum number of SPCs is four, IOCs four, and NPCs two.
     • Maximum number of boards (SRX3600): 12 slots in total (six in the front panel and six in the rear panel). The IOC must be installed in the front panel and the NPC in the rear panel. The SPCs can be installed in either the front or rear panel. The maximum number of SPCs is seven, IOCs six, and NPCs three.
     According to the specifications, the indexes (such as the number of new connections per second and number of policies) of the SRX3400 and the SRX3600 are the same. That is, these specifications do not increase linearly with the number of SPCs. Therefore, we conclude that all services are forwarded by the NPC, and that the integrated throughput and reliability of the Juniper SRX3000 series rely on the NPC. As a result, its reliability and scalability are much poorer than those of the USG9100.

  27. Specifications Comparison

  28. Quotation Mode of the SRX3000 Series
     • Quotation mode: Frame (including the RE and SCB)+interface board+SPC, 89% discount
     • Quotation examples:
       - SRX3400: 30G throughput+1 x NPC+2 x 10GE+4 x SPC+12 x GE (delivered)+DC, discounted price ¥470000
       - SRX3600: 30G throughput+1 x NPC+2 x 10GE+4 x SPC+12 x GE (delivered)+DC, discounted price ¥510000

  29. Strength Emphasis of the USG9100
     • Comprehensive linear scalable architecture: The USG9100 adopts a real distributed architecture. Its throughput, number of new connections per second, and number of concurrent connections can be expanded linearly. For the Juniper SRX3000, only the throughput and number of concurrent connections can be expanded linearly, not the other specifications, which shows that the Juniper SRX3000 does not adopt a truly scalable architecture.
     • Advantageous integrated performance: The large-packet throughput, small-packet throughput, mixed-packet throughput, number of new connections per second, number of concurrent connections, and VPN performance of the USG9100 stand out. The SRX3000 is just an entry-level 10-Gigabit product; its performance cannot be mentioned in the same breath as that of the USG9100, especially in small-packet throughput. The SRX3000 cannot defend against large-scale DDoS attacks. The processing capability of a single SRX3000 board is just half that of the USG9100.
     • High reliability: The Juniper SRX3000 does not support dual main processing units. Mutual backup: the USG9100 supports load balancing and mutual backup among SPUs, so an anomaly on a single board does not affect system operation; this feature is not mentioned in the promotion of the Juniper SRX3000. MTBF: 99.9999% reliability, 500000 hours/57 years MTBF; this data is not mentioned in the promotion of the Juniper SRX3000. The SRX3000 supports the active/standby mode only. The boards of the SRX3000 do not support hot swapping. Juniper addresses service continuity through the chassis cluster.
     • Virtual FW: The USG9100 supports 1024 virtual FWs, but the SRX3000 does not.
     • POS interface: The USG9100 supports interfaces of extensive specifications, including 10GE interfaces, to facilitate networking. The SRX3000 does not support such interfaces.
     • Anti-DDoS: The number of new connections per second of the SRX3000 is small and its anti-DDoS capability is poor.
     • Selling price: The selling price of the USG9100 is low.
     • IPS: The SRX3000 supports the IPS function. Once the IPS function is enabled on the SRX3000, performance decreases sharply. Therefore, the SRX3000 is not applicable to high-end applications. The SRX3000 is managed through the NSM. According to Spirent's test results, after the IPS function is enabled, the NSM can hardly manage the SRX3000. Therefore, the IPS function of the SRX3000 exists in name only.
     • Management: The SRX3000 is managed through the NSM, but the NSM cannot receive security alarms from the SRX3000. That is, this security management platform does not report what kind of attacks occur on the network, or whether the network is under attack at all.

  30. Juniper SRX5000 | Juniper SRX3000 | NS 5200/5400

  31. USG9100 vs. NS-5200/5400

  32. Specifications Comparison
     The USG9100 can defeat Juniper products in terms of FW and VPN performance and number of extension slots. Avoid comparisons of the IPS and URL functions.

  33. Quotation Mode of the NS5000 Series
     • Quotation mode: Frame+IOC+management module
     • Quotation examples:
       - NS5200: 10G throughput+2 x 10GE+8 x GE+dual power supplies, catalog price ¥5920000
       - NS5400: 30G throughput+2 x 10GE+8 x GE+dual power supplies, catalog price ¥7008000
     • Juniper's maximum discount: 89%

  34. USG9100 vs. NS-5000
     • Selling price: The selling price of the USG9100 is an advantage. In particular, to implement the IPS function on the NS-5000, customers need to purchase related licenses every year.
     • Performance: Because the NS-5000 adopts the ASIC architecture, its number of new connections per second is small. Consequently, the NS-5000 cannot deal with large-scale sudden network incidents. Moreover, the performance of the NS-5000 is much lower than that of the USG9100.

  35. ASA 5580 | 6500/7600+FWSM

  36. HS vs. Cisco
     Cisco high-end 10-Gigabit FWs include:
     • Independent FW: ASA 5580-20/ASA 5580-40. These two products were launched in 2008. They are both 4 U high and share the same appearance. The higher-end unit may be the same hardware configured down to the lower-end model, or different CPUs may be used to differentiate the two models. The ASA 5580-20/ASA 5580-40 adopt multi-core processors, support 10GE interfaces, and provide the FW/VPN feature. Their throughput (large packet/small packet) is 6.5 Gbps/1.7 Gbps and 14 Gbps/2.7 Gbps respectively. The performance of the USG9100 is much better than that of these two Cisco products.
     • Router/Switch+security board:
       - 6500/7600 switch/router+FWSM: This is Cisco's main solution and applies to scenarios where Cisco devices are already deployed. Its main advantages are easy deployment and low upgrade costs. But because the security board adopts an X86 chip, the performance of this solution cannot be mentioned in the same breath as the USG9100. In addition, this solution is not widely applied.
       - XR12000 high-end router+MSB: The MSB adopts the NP+CPU architecture. A single board provides 8G throughput. This solution is not widely applied in China, so its specifications are not clear. Moreover, the deployment costs are high.
     (Pictured: ASA 5580-20, ASA 5580-40, FWSM, MSB)

  37. USG9100 vs. Cisco ASA 5580

  38. Specifications Comparison
     The ASA 5580-40 is an almost-Gigabit product: it cannot process small packets at line speed. The ASA 5580-40 is not a direct rival of the USG9100. The USG9100 can defeat it in terms of FW/VPN performance, number of GE interfaces, types of interfaces, and number of extension slots. Avoid comparisons of the number of 10GE interfaces and SSL VPN performance.

  39. Quotation Mode of the ASA 5580 Series
     • Quotation mode: Frame (multiple specifications)+interface card
     • Quotation examples:
       - ASA 5580-20: 10G throughput+2 x 10GE+8 x GE+dual power supplies, catalog price $165990
       - ASA 5580-40: 20G throughput+2 x 10GE+8 x GE+dual power supplies, catalog price $270990
     • Cisco's maximum discount: 80%

  40. Competition Analysis of the ASA 5580 Series
     Strength:
     • High scalability
       - The ASA 5580-20 supports a maximum of 10G throughput and 4 extension slots (up to 24 x GE, or 8 x GE+8 x 10GE interfaces).
       - The ASA 5580-40 supports a maximum of 20G throughput and 6 extension slots (up to 32 x GE, or 8 x GE+12 x 10GE interfaces).
       - The USG9110 supports a maximum of 40G throughput and 4 extension slots (32 x GE/4 x 10GE interfaces).
     • The USG9100 provides high-density GE interfaces and supports 24GE LPUs; Cisco products provide only 4GE interface cards.
     Weakness:
     • The 10GE interface density of the USG9100 is low. If many 10GE interfaces are required, the USG9100 is at a disadvantage.
     • High 10GE interface costs: ASA: $20000 per 10GE interface; USG9100: ¥1125000 per 10GE interface.

  41. Tactics to Compete with the ASA 5580
     Strength emphasis:
     • The USG9100 provides FW throughput of over 20 Gbps, but the ASA 5580 cannot.
     • The USG9100 provides high-density GE interfaces (over 32 GE interfaces), but the ASA 5580 cannot.
     • The USG9100 has passed certain qualifications and certifications.
     • The USG9100 adopts a distributed architecture, but the ASA 5580 does not.
     • The USG9100 supports performance expansion, but the ASA 5580 does not.
     • The ASA 5580-40 is a centralized X86 server with a backward architecture. It adopts an AMD OPTERON8300 CPU at 2600 MHz base frequency with 8 GB memory. Currently, the X86 architecture is out of favor in bidding documents.
     Weakness avoidance:
     • The 10GE interface density of the USG9100 is low. Avoid comparisons on 10GE interfaces. Increasing the number of 10GE interfaces imposes high pressure on the selling price of the USG9100.
     • The ASA 5580 is an entry-level 10-Gigabit FW, and its performance indexes cannot be mentioned in the same breath as the USG9100. But the ASA provides a cluster function, and a maximum of 10 ASAs can be deployed, which greatly improves performance and reliability.

  42. ASA 5580 | 6500/7600+FWSM

  43. Analysis of Cisco FWSM
     FWSM overview: The FWSM is the Catalyst 6500 series multi-Gigabit FW module. The FWSM supports the switching matrix and can exchange data with both the bus and the switching matrix. The FWSM provides the FW function on Cisco Catalyst 6500 series switches and Cisco 7600 series Internet routers. A single FWSM provides 5G throughput. A maximum of 4 FWSMs can be deployed on a switch, enabling the integrated switch to provide 20G of FW throughput.
     Advertised key message:
     1. Service integration: providing customers with solutions integrating the functions of routing, switching, security, and VPN.
     2. Adapting to future requirements: providing 4 x 5 Gbps = 20 Gbps throughput.
     3. Low integrated costs: purchase FW modules only, which can be used on the 6500 or 7600 frame.
     4. Good ease-of-use: the Cisco PIX GUI can be used directly to manage the FWSM, and support for the Cisco management framework and AVVID is available.
     5. Reliability: integrating the reliability of both the 6500/7600 and PIX technology.

  44. Analysis of Cisco FWSM — Existing Problems
     Architecture:
     • Limitation: The Cisco FWSM relies on the Sup720 engine and must interwork with it. Thus, the FWSM is not applicable to the first- and second-generation engines SE1 and SE2.
     • The FWSM is claimed to be based on Cisco's PIX technology, but PIX technology is actually based on a commodity X86 processor, which cannot meet high-performance requirements.
     • Each FWSM has its own independent operating system and management interface. This further increases complexity and the likelihood of configuration errors.
     Performance and reliability:
     • Poor performance: The small-packet throughput of the FWSM is 1700 Mbps; the number of new connections per second is 4000 (that of the USG9100 is 100000).
     • Poor reliability: Each FWSM has its own independent operating system and management interface, which further increases complexity and the likelihood of configuration errors.
     • Incompatibility of operating systems: The FWSM was purchased by Cisco from another company. Its operating system is incompatible with the Catalyst operating system, so many FW features cannot be implemented.
     • The FWSM supports mutual hot backup, but the switchover takes from 10 seconds to several minutes, which is unacceptable for core IDC networks.
     Features:
     • No VPN: A FW should provide three main functions, namely security, NAT, and VPN. The FWSM does not support VPN (including L2TP, GRE, and IPSec). If VPN is required in the network, additional investment is needed.
     • Poor DoS defense: Due to the small number of new connections per second, the FWSM is easily flooded by mass attack traffic. DoS defense, however, is one of the main functions of a FW.
     • The transparent and composite modes are not supported.
     Services:
     • Cisco's product services rely completely on Chinese distributors, but the technical capability of distributors (even level-1 distributors) is much poorer than that of dedicated vendors.
     • Demand changes arising from network changes must be reported to the Cisco R&D center, which then responds to the change. This takes a long time. By contrast, the corresponding HS process is much shorter.
     Selling price: The selling price of the FWSM module is high. Worse still, its functions are not comprehensive. Therefore, the customer's investment is much higher than expected.

  45. Networking Analysis of Cisco FWSM
     • The FW access method is single: only the in-line (serial) connection is valid, and the off-line mode is not supported. Because the serial connection is adopted, the NAT traversal function of the FW cannot be implemented for certain services.
     • The FW module (IDS module) does not support hot swapping and is costly. If dual FW modules are adopted in the network, only the failover mode is supported, not load balancing, which wastes investment.
     • The FW module is advertised to support 1000000 concurrent sessions. But in actual networks, when a host infected with the SQL worm (port 1434) sends traffic from the internal network to the external network, the integrated device breaks down, resulting in a critical network incident.

  46. Specifications Comparison Cisco 6500/7600+N x FWSM is the main rival of the USG9100.

  47. Cisco FWSM vs. USG9100
     • Note: If the 6500/7600 is already deployed, the expansion costs are low.
     • Analysis of the selling price: A typical 6500+FWSM configuration (6500 host+main processing engine+FW package+interface card) costs $239690. Note: The security package includes the FWSM and related licenses, and the discount is 72% (this discount is from the FW collective purchase of China Mobile in 2007).
     • The costs of the FWSM are higher than those of our products with the same configuration. In the FW collective purchase in 2007, Cisco's discount was 72%.

  48. FortiGate 5000 Series | FortiGate 3000 Series
     Fortinet is a pioneer in new-generation real-time network security defense technologies. It provides a series of integrated network and information security solutions. Fortinet's FortiGate is a network security platform based on ASIC acceleration. In addition to the FW, VPN, and IPS functions, the FortiGate also delivers application-layer functions such as anti-virus/worm and Web content filtering, as well as anti-spam and anti-spyware. Furthermore, Fortinet put forward the concept of UTM.

  49. FortiGate 5000 Series
     The FortiGate 5000 is based on the standard ATCA architecture and is a frame product with high scalability and a modular design. The frames currently include:
     • FortiGate 5020 (2 slots)
     • FortiGate 5050 (5 slots)
     • FortiGate 5140 (14 slots)
     The frames can be configured with different modules, including the FortiGate 5001, the FortiGate 5001FA2 with FortiAccel technology, the powerful FortiGate 5005FA2, and the FortiGate 5003 switching module. With these modules, more functions are available. The entire FortiGate 5000 series supports the FortiGate 5001 module, but the FortiGate 5003 switching module applies only to the FortiGate 5050 and FortiGate 5140 frames.

  50. HS vs. Fortinet
