WatchGuard vs NetScreen


Company Background

General Information

WatchGuard introduced the Firebox in 1996 as an appliance-based network security solution running on a standalone, dedicated PC with its own embedded, hardened, real-time Linux-based operating system. The first sneak preview was published by Network Computing on September 24, 1996.

WatchGuard positions the Firebox as a more cost-effective, secure, and easier-to-install-and-maintain firewall than those based on a general-purpose operating system. Its target markets are small to medium-sized businesses.

WatchGuard also targets the education/school segment with its "WatchGuard SchoolMate" product, a firewall designed specifically for use in schools. It consists of the WatchGuard 100, WebBlocker and the Graphical Monitor.

Product Comparison

Description | Firebox 100 | Firebox II | NetScreen-10 | NetScreen-100
--- | --- | --- | --- | ---
Dimensions | 15"W x 4"H x 13"D | 15.5"W x 2.85"H x 10.5"D | 17.5"W x 2.06"H x 10.8"D | 17.5"W x 2.06"H x 10.8"D
Weight | 14 pounds | 8 pounds | 8 pounds | 8 pounds
Hardware | 166 MHz Pentium-class PC with a floppy drive | 200 MHz Pentium-class PC | Integrated circuit board with PowerPC processor | Integrated circuit board with Motorola RISC processor
Memory | 32 MB SDRAM | 64 MB SDRAM | 32 MB SDRAM | 64 MB SDRAM
Serial port | DB-9 serial port | 2 DB-9 serial ports | DB-15 console port | DB-15 console port
Flash memory | None | 8 MByte | 4 MByte | 4 MByte
PCMCIA card slot | None | 2 Type II PCMCIA CardBus slots | 1 Type II PCMCIA | 1 Type II PCMCIA
Network interface | Three RJ-45 10/100 Mbit/sec ports | Three RJ-45 10/100 Mbit/sec ports | Three 10BaseT ports | Three autosensing 10/100BaseT ports
Operating system | Hardened Linux | Hardened Linux | Proprietary operating system | Proprietary operating system
Price | Discontinued | $6,500 plus options | $11,000 to $12,000 (1-year HW warranty included), unlimited user licenses | $23,600 to $25,600 (1-year HW warranty included), unlimited user licenses

Support Service
  Firebox 100:
    • FAQ and patches available to the public
    • Support Web available to registered end users
    • No phone support (?)
  Firebox II: Same as Firebox 100
  NetScreen-10:
    • FAQ, software updates and patches available to registered end users
    • Email
    • 8-6 PST phone support
  NetScreen-100: Same as NetScreen-10

Feature Comparison

Firewall Technology
  • Stateful Inspection
  • Transparent Proxies for HTTP, SMTP, FTP
  • Dynamic Stateful Packet Filtering
  • Circuit-Level Proxies

Installation Procedure
  WatchGuard:
    • Configuration Wizard
  NetScreen:
    • Command line interface through serial console
    • Web interface through HTTP

Operation Mode
  WatchGuard:
    • Drop-in
    • Multiple Networks
  NetScreen:
    • Transparent
    • Network Address Translation

Optional Third Interface
  WatchGuard: Yes (called Optional Network)
  NetScreen: Yes (called DMZ)

Administration Interface
  WatchGuard:
    • Command line interface through serial console
    • Network connection through a Windows program running on 95/98/NT 4.0, or a Linux program
  NetScreen:
    • Command line interface through serial console
    • Network connection with TELNET
    • Network connection with Web interface to the built-in Web server
    • Secured network connection through IPSec VPN tunnel
    • Central Management System software

Administrator Account
  WatchGuard: Two
    • Read Only with pass phrase
    • Read Write with pass phrase
  NetScreen: One
    • Username and password with Read Write privilege

Authentication
  WatchGuard:
    • Built-in authentication server
    • RADIUS-compliant authentication servers
    • NT Primary Domain Controllers
  NetScreen:
    • Built-in authentication server supports up to 1600 users
    • RADIUS-compliant authentication servers
    • NT Domain user database support through RADIUS
    • SecurID (1.6)

Outgoing Addressing Scheme
  WatchGuard: IP Masquerading
  NetScreen: Network Address Translation

Incoming Addressing Scheme
  WatchGuard: Port forwarding for SMTP and DNS services only
  NetScreen: Two methods:
    • IP Mapping (one-to-one mapping) for all services
    • Virtual IP (one-to-many mapping) for HTTP, HTTPS, TELNET, FTP, SMTP and POP3

Logging
  WatchGuard:
    • Logging and notification host with encryption
    • WatchGuard Global Console
  NetScreen:
    • Built-in log file
    • Syslog
    • WebTrends syslog support (1.6)
    • NS-Global Management System (1.6)

Notification/Alert
  WatchGuard: various methods, with launch interval and repeat count specified
    • Email
    • Email with backtrace and finger
    • Pager
    • Popup window
    • Custom program
  NetScreen:
    • Email to 2 specific email addresses

Firewall Attack Handling
  WatchGuard:
    • Block Spoofing Attacks
    • Block IP Options
    • Block Port Space Probes
    • Block Address Space Probes
    • Auto-block source of packets not handled
    • Allow all outgoing UDP connections
  NetScreen:
    • Detect SYN Attack
    • Detect Tear Drop Attack
    • Detect Ping of Death Attack
    • Detect IP Spoofing Attack
    • Default Packet Deny
    • Filter IP Source Route Option
    • Java/ActiveX Blocking (1.61)

Historical Reports
  WatchGuard: Additional cost
  NetScreen: WebTrends and Unix Syslog for Historical Reports

Graphical Monitor
  WatchGuard: Additional cost
  NetScreen: Central Management Software

URL Blocking
  WatchGuard: Additional cost - WatchGuard WebBlocker (Cyber Patrol by Microsystems Software)
  NetScreen: Additional cost - WebSense by NetPartners

Enhanced Management Package
  WatchGuard: Additional cost - package includes Historical Reports, Graphical Monitor and WatchGuard WebBlocker
  NetScreen: WebTrends, Unix Syslog, and Central Management Software

SNMP Support
  WatchGuard: None
  NetScreen: MIB-II support

Traffic Shaping
  WatchGuard: None
  NetScreen: Included (10 & 100)

Load Balancing
  WatchGuard: None
  NetScreen: Included with 100

Redundancy
  WatchGuard: None
  NetScreen: Yes with 100

VPN
  WatchGuard:
    • WatchGuard customer VPN solution
      • proprietary protocol
      • supports 40-bit and 128-bit RSA RC4
    • supports IETF IPSec with
      • 56-bit DES and Triple-DES
      • IKE
      • HMAC MD5 and HMAC SHA-1
  NetScreen: supports IETF IPSec with
    • Key Management
      • IKE with preshared keys
      • manual key management
    • Encryption Algorithm
      • 40-bit DES
      • 56-bit DES
      • Triple DES (US version only)
    • Authentication Algorithm
      • HMAC MD5
      • HMAC SHA-1 (1.6)

VPN Remote Client
  WatchGuard: supports PPTP with
    • RSA RC4 encryption
  NetScreen: supports IETF IPSec with
    • 56-bit DES
    • available on 95/98/NT

Central Management
  WatchGuard: WatchGuard Global Console on 95/NT/Linux
  NetScreen: NetScreen Global on NT

Performance
  WatchGuard: Unknown; below wire-speed performance
  NetScreen: Networld+Interop KeyLabs Firewall Test:
    • Best performance number at 64 clients
    • 4123.3 connections/sec
    • Best price/performance ratio
    • Low latency

ICSA Certified
  WatchGuard: Yes
  NetScreen: Yes

Year 2000 Compliance
  WatchGuard: Unknown
  NetScreen: Yes

Awards
  • Tester's Choice Award from Data Communications for firewall, 3/97
  • Best Buy Award from Network Solutions for firewall, 8/97
  • Editor's Choice Award from Communications News for firewall, 6/98
  • Editor's Choice Award from Network Solutions for firewall, 7/98
  • KeyLabs' Top Honors for ease of configuration and price/performance ratio
  • Tester's Choice Award from Data Communications for traffic management feature, 11/98
  • Tester's Choice Award from Data Communications for firewall, 5/99

WatchGuard Weakness & NetScreen Strength

Operating System Vulnerability
  WatchGuard weakness: Linux has known network-related vulnerabilities that require constant patching (Vulnerability Example).
  NetScreen strength: Proprietary operating system with a very minimal network stack and application-level support.

Startup Process
  WatchGuard weakness: Getting through the Configuration Wizard takes a while, since it asks a long series of questions, and the Wizard is not very intelligent.
  NetScreen strength: The process requires only specifying the IP addresses for the Ethernet interfaces.

Incoming Services Supported in NAT Mode
  WatchGuard weakness: With IP Masquerading, it supports SMTP and DNS services only. A server running any other service has to be connected on the External side of the firewall. With port forwarding, the Firebox's External IP address is exposed.
  NetScreen strength: Supports all services with IP Mapping (MIP) and six services with Virtual IP (VIP). In both cases, the NetScreen's untrusted IP address is not exposed.

Detection and Blocking
  WatchGuard weakness: Since the External IP address is exposed through port forwarding, features for detecting and blocking port scanning tools are a must. This auto-blocking mechanism can itself be turned into a denial-of-service attack.
  NetScreen strength: The External IP address is not exposed through any service unless remote administration is enabled (HTTP protocol only).

Default Policy for a Newly Defined Service
  WatchGuard weakness: Any inside host has access to the outside world with the newly defined service.
  NetScreen strength: Defining a new service is independent of policy definition. There is no access to the outside with the newly defined service until an outgoing policy is specified manually.

Firewall Policy Matching Performance
  WatchGuard weakness: Implemented in software. The speed depends entirely on the CPU speed; 15 policies cut the performance by more than 50%.
  NetScreen strength: Implemented on a custom-designed chipset. Supports up to 4000 policies at wire-speed performance.

VPN Performance
  WatchGuard weakness: Implemented in software at the network driver level. The speed depends on the CPU speed and traffic load.
  NetScreen strength: The encryption function is implemented on a custom-designed chipset.
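Two of the rows above describe behaviours rather than features: what happens to traffic for a newly defined service before any policy mentions it, and how a mechanism that auto-blocks the source of unhandled packets can be turned into a denial of service against the site's own peers. The following added example is a toy first-match policy engine that shows both, together with the two safeguards a defender would want (an exemption list for addresses that must never be auto-blocked, and a block lifetime). It is constructed for this comparison and is not WatchGuard or NetScreen code; the addresses, service names and the 600-second block lifetime are assumptions.

```python
# Constructed example for this comparison: a toy packet handler that applies
# the two behaviours discussed in the table above. It is not WatchGuard or
# NetScreen code; the addresses, service names and 600-second block lifetime
# are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Policy:
    src: str       # source network in CIDR notation
    dst: str       # destination network in CIDR notation
    service: Service
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    t: float       # arrival time in seconds


class Firewall:
    """First-match policy engine with default deny and a guarded auto-block list."""

    def __init__(self, policies, never_block, block_ttl=600.0):
        self.policies = list(policies)
        # Addresses that must never be auto-blocked: the inside network and any
        # peer whose traffic the site depends on (here a partner DNS server).
        self.never_block = [ip_network(n) for n in never_block]
        self.block_ttl = block_ttl
        self.blocked = {}   # source address -> time at which the block expires

    @staticmethod
    def _matches(pol, pkt):
        return (ip_address(pkt.src) in ip_network(pol.src)
                and ip_address(pkt.dst) in ip_network(pol.dst)
                and pkt.proto == pol.service.proto
                and pkt.dport == pol.service.port)

    def handle(self, pkt):
        # Blocks are time-limited so a single misfire cannot shut a source out forever.
        expiry = self.blocked.get(pkt.src)
        if expiry is not None:
            if pkt.t < expiry:
                return "drop:auto-blocked"
            del self.blocked[pkt.src]
        # Defining a service creates no access by itself: a packet for a service
        # with no explicit policy falls through to the default deny.
        for pol in self.policies:
            if self._matches(pol, pkt):
                return pol.action
        self._auto_block(pkt.src, pkt.t)
        return "deny:default"

    def _auto_block(self, src, now):
        # Source addresses can be forged, so an unhandled packet that claims to come
        # from a trusted peer must not be allowed to poison the block list.
        if any(ip_address(src) in net for net in self.never_block):
            return
        self.blocked[src] = now + self.block_ttl


HTTP = Service("http", "tcp", 80)
DNS = Service("dns", "udp", 53)
NEW_SVC_PORT = 8443   # a newly defined service that has no policy yet

INSIDE = "192.0.2.0/24"        # assumed inside network
FIREWALL_EXT = "203.0.113.1"   # assumed external address of the firewall
PARTNER_DNS = "198.51.100.53"  # assumed partner DNS server that must stay reachable

POLICIES = [
    Policy(INSIDE, "0.0.0.0/0", HTTP, "permit"),                       # inside -> anywhere, HTTP
    Policy(PARTNER_DNS + "/32", FIREWALL_EXT + "/32", DNS, "permit"),  # partner DNS inbound
]


def demo():
    """Run a constructed packet sequence; returns the verdicts for inspection."""
    guarded = Firewall(POLICIES, never_block=[INSIDE, PARTNER_DNS + "/32"])
    naive = Firewall(POLICIES, never_block=[])   # auto-block with no exemptions
    r = {}
    # 1. An inside host uses the new service before any policy exists: denied by default.
    r["new_service_default"] = guarded.handle(Packet("192.0.2.10", "203.0.113.5", "tcp", NEW_SVC_PORT, 0.0))
    # 2. An outside source sends an unhandled packet: denied, and the source is blocked.
    r["outside_first"] = guarded.handle(Packet("203.0.113.99", FIREWALL_EXT, "tcp", NEW_SVC_PORT, 1.0))
    r["outside_second"] = guarded.handle(Packet("203.0.113.99", FIREWALL_EXT, "tcp", NEW_SVC_PORT, 2.0))
    # 3. An unhandled packet carrying the partner's address: denied, but the partner is not blocked ...
    r["forged_partner"] = guarded.handle(Packet(PARTNER_DNS, FIREWALL_EXT, "tcp", NEW_SVC_PORT, 3.0))
    r["partner_dns_after"] = guarded.handle(Packet(PARTNER_DNS, FIREWALL_EXT, "udp", 53, 4.0))
    # ... whereas the unguarded variant turns that one packet into a denial of service on DNS.
    naive.handle(Packet(PARTNER_DNS, FIREWALL_EXT, "tcp", NEW_SVC_PORT, 3.0))
    r["naive_partner_dns_after"] = naive.handle(Packet(PARTNER_DNS, FIREWALL_EXT, "udp", 53, 4.0))
    # 4. After the block lifetime the outside source is evaluated afresh.
    r["outside_after_ttl"] = guarded.handle(Packet("203.0.113.99", FIREWALL_EXT, "tcp", NEW_SVC_PORT, 602.0))
    r["blocked_now"] = sorted(guarded.blocked)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v}")
```

The contrast between `guarded` and `naive` is the whole point of the "Detection and Blocking" row: with no exemption list, one unhandled packet bearing the partner's address is enough to have the partner's legitimate DNS traffic dropped for the lifetime of the block, which is the denial of service the row warns about. The linear scan in `handle` also makes the "Policy Matching Performance" row concrete: every unhandled packet costs one comparison per policy, so a software implementation slows as the policy list grows.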