
UTM performance: The yo-yo effect

November 2, 2009 03:01 AM ET

Network World - In our testing of the SonicWALL TZ200 and TZ210 systems, we discovered a significant performance impact when UTM features were enabled on typical Internet traffic. SonicWALL's specification sheets warn that there will be a reduction. For example, the TZ200 data sheet has a typical Internet performance specification of 50Mbps (our tests actually measured it closer to 100Mbps) and UTM performance of 35Mbps, a 30% drop. But our testing showed a much heavier impact, with the TZ200 turning in only about one-third of its rated UTM number. What gives?

The answer isn't tremendously complicated, but it provides some key buying strategies for network managers interested in UTM firewalls. SonicWALL's explanation is that some malware signatures were added to the firewall, and this caused the performance slowdown. We've heard the same story in every industry that uses signatures: intrusion prevention, antimalware, and antispam. The result is a yo-yo of performance, with new signatures temporarily causing a slowdown until a faster approach is identified, followed by a speedup — until the next slowdown.

In our test, we happened to catch SonicWALL at the low point of its performance, but this teaches a good lesson: don't buy security appliances hoping that you'll always get consistent performance matching the specification sheets. Just as antivirus vendors can and do occasionally send out a bad update that blocks everything or nothing, security products can and do suffer from periodic slowdowns.

In our testing, we find that the typical gap between best-case and worst-case performance for many of the firewalls that go through our lab is a 10:1 ratio. At their best, with no UTM features on, they are often 10 times faster than when they are most stressed, with high levels of traffic and all UTM features enabled. There are no guarantees, of course, but this suggests a fairly safe rule of thumb: select products whose unfiltered performance ratings are about 10 times your expected normal traffic load.

Firewall buyers who intend to use UTM features should therefore consider very carefully the performance specifications of devices they're evaluating. Antimalware features such as antivirus tend to have the highest impact, with intrusion-prevention system features somewhere in the middle, and content filtering (URL filtering) generally having the lightest impact of all. If you’re going to check all the boxes and turn on all the protections, make sure you keep in mind our 10-to-1 rule when picking the firewall for your network.


Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.
