Product Review: HP ProLiant DL320

Product: HP ProLiant DL320 Firewall/VPN/Cache Server

Product Homepage: click here

ISA Server 2004 (ISA firewall) is a stateful packet and application layer inspection firewall specifically designed to provide a unique level of protection for Microsoft servers and services. In contrast to the ISA Server 2000 firewall, the ISA 2004 firewall is a completely reworked product from the ground up to provide a high level of network security on all interfaces, including VPN interfaces. Out of the box, the ISA firewall is a brick. No traffic moves to or through the ISA firewall unless you allow it.

Now that the ISA firewall is a full-fledged stateful packet and application layer inspection firewall, people expect it to be packaged like one. When you buy a network firewall, you expect to purchase a box that’s setup and ready to go. You don’t want to get a white box, install the operating system, harden the operating system, install the firewall software, harden the firewall software, and then plug it in and hope you’ve done everything right.

What we need are ISA hardware firewalls. ISA hardware firewalls are built and designed to provide you a pre-installed, pre-hardened, and pre-tested hardware and software configuration that gives you the highest level of security and performance you can squeeze out of an ISA firewall device. ISA hardware firewalls take the drudgery and configuration errors out of the loop and allow you to plug in the ISA hardware firewall and start configuring the firewall right out of the box.

This is where the HP ProLiant DL320 firewall/VPN/cache product comes in.

The HP ProLiant DL320 is built on HP’s reliable and high performance DL320 G3 hardware. The HP ISA hardware firewall is targeted at the experienced ISA firewall administrator who wants a pre-built and pre-hardened ISA firewall delivered to the door, ready to plug in and deploy. The HP DL320 gives you a clean ISA firewall experience by focusing on hardware performance optimization and leaving you the option to install add-in software as you like, something you can’t do with all the ISA hardware firewalls on the market today.

Installing the HP DL320 Hardware ISA Firewall

The DL320 is a pre-installed version of ISA Server 2004 on a hardened version of Windows Server 2003. I found the HP DL 320 ISA firewall’s “out of box experience” a real no-brainer. First, plug the power cord, network cables, keyboard and mouse connectors into the box and start it up. After the box starts up a simple and intuitive installation wizard appears that asks questions about IP addressing information for each of the firewall’s interfaces, the name you want to assign to the device, and whether or not you want the firewall to join the domain (which I always recommend). The entire installation wizard process takes about five minutes and when you’re done the firewall restarts itself.

Configuring the HP DL320 Hardware ISA Firewall

Log in after the restart you’re presented with the ISA firewall’s MMC management console. At this point, you are ready to configure firewall policy to meet your company’s network security requirements. If you already have a good understanding of how the ISA firewall is configured, you’re all set. If you’re still new to the ISA firewall, you can use the voluminous resources available on the www.microsoft.com/isaserver, www.isaserver.org Web sites, or consult our book, Configuring ISA Server 2004 for detailed instructions on how to configure the DL320. All of the ISA Server 2004 features and those of the Windows Server 2003 operating system are available to you so you can do any desired fine-tuning and tweaking.

This is what I think is one of the major advantages of the HP DL320 approach to hardware ISA firewalls. HP doesn’t add new interfaces or procedures that fall outside of the ISA firewall’s out of box design specs. Because you get a pure and unadulterated ISA firewall configuration interface and experience, you can leverage all the configuration and troubleshooting information available online and in our books. This means you can use the print and online resources already available for the ISA firewall, which can save you a significant amount of cash on product support costs.

HP DL320 Networking and Application Layer Inspection Features

The DL320 doesn’t add too much to the ISA firewall’s networking or application layer inspection (deep packet inspection) feature set. However, you do have the option to purchase and install networking and application layer inspection enhancements and install them on the HP DL320, which isn’t the case for all hardware ISA firewalls on the market today. This is consistent with the HP approach of giving you the full ISA firewall experience. You get all the advantages of an optimized ISA hardware firewall platform together with the ability to customize the firewall to meet your organization’s requirements.

However, the absence of numerous networking and application layer inspection enhancements is counterbalanced by its exceptional performance. I did informal performance testing on the DL320 and found that when could saturates a 15Mbps FiOS line and processor utilization never went over 5%. That’s excellent performance as throughput is the major factor affecting processor utilization in ISA hardware firewall appliances.

In addition to its strong networking performance, I found the DL320 to be the most responsive and best performing firewall of those discussed in this review. You will definitely notice this enhancement responsiveness if you’re ever worked with white-box ISA firewalls. With the DL320, you’re not sitting around for what seems like forever when you configure and update firewall policy. You click the Apply button and DL320 does it and does it fast.

Enhancing DL320 Firewall Performance with Virus Throttle

That’s not to say that the HP DL320 doesn’t contain any bells and whistles. One sweet network layer enhancement to the DL320 is the HP Virus Throttle. Virus Throttle works at a very low layer of the network stack (even before the ISA firewall’s low layer components) and mitigates firewall performance issues secondary to worm infestation on both ISA firewall Protect Networks and external hosts.

Virus Throttle looks at the number of packets per second on each interface and if it exceeds the threshold number you set, it automatically “dials-down” the host(s) sending those packets. Virus Throttle is a powerful tool that enables you to mitigate potential Denial of Service issues related to network worm infestation. For example, suppose your network is infected with a Blaster-like worm. Hosts on the network try to send tens of thousand packets/second to hosts on the Internet. Virus Throttle detects the excessive connection rate and throttles the hosts sending the packets. This gives you time to respond to incidents while keeping the DL320 humming, without users experiencing any connectivity issues. Virus Throttle turns out to be a key component for your DL320 hardware ISA firewall’s five-nines uptime requirement.

Lights Out Management with HP iLO

HP provides one network management feature that I haven’t seen available on any other ISA hardware firewall I’ve worked with: integrated “lights out” (out of band) management of the firewall. If for some reason the DL320 ISA hardware firewall becomes unresponsive and you can’t access the device over the network using in-band channels, the HP DL320’s iLO remote management feature will provide total lights-out management.

This is a big advantage, because if something goes wrong with the DL320 ISA hardware firewall device that would require you to be there in person, you should be able to avoid a trip to the office. The iLO software will definitely save you time and money by saving you from making on-site visits to press the power button.

HP DL320 Software Specs

Table 1 provides a rundown of the HP DL320’s software specs. One thing that really sets the HP DL320 ISA hardware firewall apart from other ISA hardware firewalls (and white box installs) I’ve worked with is its networking performance. The HP DL320 has almost a gigabit of throughput on clear text processing (and this isn’t with large packets, which is what most firewall vendors use to pump up their numbers). Also, check out the Web proxy performance: almost 300Mbps! The HP DL320 is one screaming blended stateful packet inspection and proxy firewall.

Another thing to take special note of is the option to purchase the HP DL320 ISA hardware firewall with built-in SSL offload using the AXL300 card. This will significantly improve your SSL VPN connections to OWA, OMA, ActiveSync and HTTP over RPC. Combining the ISA firewall’s unique protection for Microsoft Exchange Servers and services with SSL offload and the DL320’s blazingly fast hardware platform is a setup for pats on the back and extra social credits for ISA firewall admins who make the DL320 as their ISA hardware firewall of choice.

Table 1: HP ProLiant DL320 G3 Software Specs

FEATURE	HP ProLiant DL320
Routing support	OSPF, RIPv1, RIPv2, NAT, NAT traversal for IPSec (NAT-T)
VPN server/gateway

VPN client

Max VPN users

PPTP/L2TP/IPSec/SSL (for OWA/OMA/EAS/RPC)

Yes (PPTP, L2TP/IPSec, IPSec NAT-T)

1000

IDS/IPS Yes (Built-in IDS licensed from ISS) Web proxy/caching Yes – forward and reverse proxy. RAM and disk caching VPN accelerator Yes (SSL accelerator card for SSL VPN) Stateful packet inspection Yes Application layer inspection (deep packet inspection) Yes Enhanced Microsoft Exchange Server protection Yes – SSL VPN for OWA/OMA/EAS/RPC Application Inspection
(deep packet inspection) enhancements Any Microsoft tested third party application added by customer or partner (purchased separately) Networking enhancements HP Virus Throttle
(mitigates worm activity on firewall performance) SSL offload Yes (AXL300 330 SSL connections/s) Web management interface No GUI management interface Yes (MMC console via secure encrypted RDP) Real-time failover

Load balancing

No (supports RainWall, purchased separately)

No (supports RainWall, purchased separately)

Logging MSDE, SQL, text Hardware redundancy Fans Performance
(vendor provided numbers)

• Firewall:
  938Mbps clear text
• VPN:
  VPN connections 700
  VPN performance: No Information
• Web Proxy:
  277Mbps

Update Management Windows Update/WSUS/Microsoft Update Extras

• Integrated Lights-out Advanced Pack management using (iLO Remote Management)
• Automated Server Recovery
• HP System Insight Manager

Licensing

• Unlimited Users
• Per processor licensing

Price $3450.00 Support/Warranty

• 90 day software/hardware installation, configuration, and setup warranty support
• HP 2-Hour 24×7 Software Technical Support (3 incidents, part # U9267E)
• HP 4-Hour 24×7 Same Day Hardware Support (Americas and Asia Pacific part # U4484E 1 year; Europe part # U4481E 3 year).

HP DL320 Hardware Specs

The DL320 is built on a top of the line Intel architecture, sport a 3 GHz Pentium 4 processor with a 800Mz FSB, which explains why this box screams. The box is also fully upgradeable, so if you want to add to the built-in 1 GB of memory, no problem. There are two free PCI-X slots for you to add on cards, and the system fans are redundant, do you don’t have to worry about overheating.

Table 2: HP ProLiant DL320 G3 Hardware Specs

Hardware Component	HP ProLiant DL320 G3
Chassis	1U RackMount
CPU	Intel Pentium 4 3GHz/800MHz FSB 1MB Level 2 Cache processor
Memory	1GB RAM
CD/DVD	CD-ROM
Hard Drives	80GB SATA hard drive
NICs	HP NC1020 PCI Single Port 1000T Gigabit Server Adapter HP NC7170 PCI-X Dual Port 1000T Gigabit Server Adapter HP NC7170 PCI-X Dual Port Low Profile 1000T Gigabit Server Adapter NOTE: Other HP NICs may be added after software install is completed
PCI slots	2 PCI-X
Operating System	Windows Server 2003 (pre-hardened for ISA firewalls)
Power Supply	1 x 350W
USB interfaces	1 Internal header 1 front header 2 back headers
System fans	4 dual rotor fans ship standard. N+1 Redundancy.
Front Bezel features	Hard disk LED Network Activity LED

 

Conclusion

The HP DL320 firewall/VPN/cache ISA hardware firewall is the ideal offering for those who seek a crisp and clean ISA hardware firewall experience. HP has done the heavy lifting for you by installing and hardening the software environment and spec’ing out top-flight, high performance hardware that is optimized to squeeze every bit of performance possible from the ISA firewall software. The HP approach allows you to fully customize both the hardware and software to your requirements. For all these reasons and more, I give the HP DL320 ISA hardware firewall 4.5 stars. The only thing that kept the HP DL320 ISA hardware firewall from getting a perfect 5 out of 5 is that they didn’t provide any SKUs that included built-in and pre-tested application layer inspection add-ons.

Have questions or comments about this review? Ask them at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=45;t=000002

ISAserver.org Rating: 4.5 / 5

Get more information about the HP ProLiant DL320 Firewall/VPN/Cache Server