The Tolly Group Verifies iPolicy Networks’ 6420 Intrusion Prevention Firewall Dramatically Outperforms Fortinet’s FortiGate-3600 Anti-virus Firewall
iPolicy Networks’ Single Pass Architecture Demonstrates Dramatic Performance Advantages When Running Multiple Security Applications
FREMONT, Calif., November 2, 2004 – iPolicy Networks, inventor of the Intrusion Prevention Firewall for real-time network protection, today announced its iPolicy-6420 Intrusion Prevention Firewall appliance has been certified “Up to Spec” by The Tolly Group. Furthermore, in a head-to-head comparison, the tests showed that the iPolicy-6420 dramatically outperforms the comparably rated Fortinet FortiGate-3600 Anti-virus Firewall appliance in critical areas such as UDP frame loss, TCP/UDP connection rates and maximum concurrent TCP connections when multiple security applications are enabled. This report demonstrates that the iPolicy-6420 Intrusion Prevention Firewall is dramatically superior in making the network the first line of defense against today’s external and internal security threats. In particular, the iPolicy-6420 proved able to complete very high rates of connections and TCP application (layer 7) transactions with a fully loaded network. The FortiGate-3600 completed very few new connections in a similarly loaded network and failed to complete a single TCP application transaction. The results suggest that the FortiGate-3600 itself creates a denial of service condition when there is legitimate heavy traffic.
The iPolicy-6420 is based on a new generation patent-pending Single Pass software architecture. iPolicy Networks commissioned the lab tests to independently verify the performance differences between a multi-function security appliance based on a traditional architecture such as the FortiGate-3600, and an appliance based on the Single Pass architecture such as the iPolicy-6420.
“We are pleased to receive such positive, objective, third-party validation of the high performance of our product, which is based on our patent-pending Single Pass Inspection Engine™ technology,” said Prabhu Goel, chairman and CEO of iPolicy Networks. “Customers can be assured that the specifications, performance, quality and reliability of our product will meet their expectations. The Tolly Group’s ‘Up to Spec’ certification is the first of many more industry certifications to come, which will further validate iPolicy Networks’ commitment to quality, performance and customer satisfaction.”
While breadth and depth of security applications are very important criteria when assessing the ability of a device to protect a network, performance cannot be ignored. Indeed, performance measurements are essential for understanding the ability of multi-function security appliances to protect high-speed networks from external and internal threats without degrading throughput or quality of service. Parameters such as sustainable throughput, new connection rate and the number of simultaneous sessions supported when all security functions are enabled measure a security appliance’s ability to deliver protection without compromising network performance while maintaining service quality. The testing methodology used by the Tolly Group examined these factors in simulated real-world conditions for varied frame rates and packet sizes, including the Internet traffic mix (IMIX).
UDP Frame Loss - Sustainable Throughput
Frame loss measures the number of packets that are dropped by the device under test. Low frame loss at high throughput is critical for security devices that protect the multi-gigabit data links in large enterprises and service provider networks. The iPolicy-6420 appliance demonstrated near zero percent frame loss for all tests while Fortinet’s FortiGate-3600 suffered as much as a ninety percent frame loss when tested with 256-byte packets at the rated 4 Gigabits per second traffic rate. Frame loss percentage was measured on both appliances with firewall, IDS/IPS, URL filtering and anti-virus applications enabled.
TCP/UDP New Connection Rate
The TCP/UDP connection rate measures the number of new user connections per second that the device under test can service. Security devices with sustainable high TCP/UDP connection rates will not be bogged down by large numbers of concurrent users or by denial of service attacks that could crowd out legitimate users. The iPolicy-6420 has been proven to be in a class by itself when compared with previous generation architecture security appliances such as the FortiGate-3600. The iPolicy-6420 supported 100% of all new TCP connections when 30,000 new TCP connections per second were attempted, with firewall, IDS/IPS, URL filtering and anti-virus applications enabled. This is 200 times the number of successful new connections per second of the FortiGate-3600, which completed just 0.5% of the new TCP connections under the same conditions. To demonstrate multi-function security appliance behavior at very high connection rates, Tolly test engineers attempted 90,000 new UDP sessions per second at a throughput of 1 gigabit per second using 1,500 byte UDP frames. The iPolicy-6420 sustained 89,995 new connections per second, dramatically higher than the FortiGate-3600, which could only sustain 2,577 new connections per second.
New Connections/Transactions Per Second under Loaded Network Conditions
Security appliances for large enterprises or service providers must support a very large number of concurrent connections. Both the iPolicy-6420 and the FortiGate-3600 are rated for 1 million concurrent connections. An appliance already securing a heavily loaded network must be able to service new connection requests and complete new transactions to be acceptable. The iPolicy-6420 completed all 15,000 new connections per second attempted and completed the associated TCP application (layer 7) transactions with zero performance degradation, while maintaining 930,000 already active connections with firewall, IDS/IPS, URL filtering and anti-virus applications enabled. By contrast, the FortiGate-3600 only established 29 successful new connections per second under the same scenario, a performance shortfall of 500 to 1. Furthermore, the FortiGate-3600 completed zero application transactions in this scenario, in essence creating a denial of service condition on the network for legitimate traffic.
Summary
iPolicy Networks’ iPolicy-6420 Intrusion Prevention Firewall and Fortinet’s FortiGate-3600 Anti-virus Firewall are multi-function security appliances that claim similar key specifications, including 4 Gbps throughput and 1 million concurrent sessions, and provide firewall, IDS/IPS, URL filtering, and anti-virus defenses. However, The Tolly Group tests reveal that under real network conditions, the iPolicy Networks’ Intrusion Prevention Firewall, based on new generation Single Pass architecture, performs as rated with all security functions enabled, while dramatically outperforming the comparable Fortinet security appliance, which is based on a conventional architecture. It is vital that network managers understand the relative performance metrics of different generations of multi-function security appliances when considering the purchase of equipment to protect their high performance networks from today’s internal and external threats. In particular, they must ensure that a security appliance does not cause a serious denial of service to legitimate traffic by failing to perform at rated specifications under heavy traffic conditions.
The Tolly Group Report is freely available for viewing and download from the Tolly Group Website at http://www.tolly.com/DocDetail.aspx?DocNumber=204138 or from www.ipolicynetworks.com/docs/tolly.pdf.
A white paper on the Single Pass architecture is available at http://www.ipolicynet.com/registration/white_9_04.html
About The Tolly Group
The Tolly Group, an independent testing and strategic consulting organization based in Boca Raton, FL, offers a full range of services designed to furnish both the vendor and end-user communities with authoritative and unbiased information. Additionally, The Tolly Group is recognized worldwide for its expertise in assessing leading-edge technologies. For more information on The Tolly Group’s services, visit its Web site at www.tolly.com, E-mail info@tolly.com, call (561) 391-5610, or fax (561) 391-5810.
About iPolicy Networks
iPolicy Networks is the developer of the world's first Intrusion Prevention Firewall product line delivering real-time, consistent security enforcement for enterprises, carriers and managed security service providers worldwide. iPolicy Networks’ Intrusion Prevention Firewall security appliances support multiple security services all operating in tandem through a Single Pass Inspection Engine™ using a single rule tree. This unique approach to network security enables customers to realize a comprehensive security model that delivers network security at superior performance under heavy traffic flows. The Intrusion Prevention Firewall protects data networks from a wide range of security threats with no compromise to network performance while offering a significant reduction in TCO. It is complemented by the iPolicy Security Manager (ISM), which allows customers to configure, manage, monitor, and report on security across the entire global network, enabling consistent security enforcement across the network and helping with compliance to regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and European Data Privacy Directive. iPolicy Networks competes with Juniper / NetScreen (JNPR), Check Point Software Technologies (CHKP), Cisco Systems (CSCO) and Fortinet.
iPolicy Networks is located in Fremont, Calif., and is privately held. For more information, please visit our Web site at www.ipolicynetworks.com or call +1.510.687.3288.