Cisco ASA 5580 Adaptive Security Appliance White Paper
Test Bed Setup
[Figure: test bed diagram. Attack System: Imperfect Networks ThreatEx. Load generators: Spirent Avalanche 2500 #1 and #2 with Spirent Reflector 2500 #1 and #2, connected on VLAN-1 and VLAN-2 through a Cisco 6509 switch. Devices under test: Cisco ASA 5520, Juniper NetScreen-208, Fortinet FortiGate 1000, Check Point VPN-1 Pro. Management workstation (Windows 2000) on a 100 Mbps hub (management LAN). Arrows mark attack packets and response packets.]
About the Testing: Identical test-bed conditions were applied to the Cisco ASA 5520 and to all the other competitive
systems evaluated in this study.
The Cisco ASA 5520 (Adaptive Security Appliance) was configured with the Cisco AIP SSM-20 (Advanced Inspection and
Prevention Security Services Module). The ASA software was running version 7.0.2; the AIP SSM-20 was at 5.0.4. The
Signature Definition file was version S187.
The Check Point system was configured on an HP DL380 G3, employing a single 2.4 GHz Xeon processor, with 1 GB of
memory and an Intel PRO/1000 MT Dual Port Server Adapter. The software was VPN-1 Pro Gateway NGX 6.0, Build 244.
The SmartDefense Update was version 591050816. The software included WebIntelligence and SecureXL.
Fortinet’s FortiGate 1000 ran version 2.80, Build 456 operating code. The FortiGuard AV (anti-virus) Definitions were
version 6.037, and the FortiGuard Intrusion Definitions were version 2.226.
Juniper Networks’ NetScreen-208 ran version 5.2.0 r2.0 operating code with Deep Inspection Signature Update 364.
NetScreen’s Deep Packet Inspection software was included in the system tested.
Four sets of tests were run. The first two, the firewall performance tests, measured connections per second and firewall
throughput with all threat signatures enabled. Normally, a user selectively enables signatures to minimize the occurrence
of false-positive events. In our testing, however, we were checking each IPS’ full detection capabilities and also
exercising the systems under load, so the complete signature sets were enabled in these cases. The third test was the
VPN site-to-site termination test; in this case the vendors’ “default” firewall settings were enabled. The fourth was the
IPS threat prevention test, in which all signatures, on all devices, were enabled.
The traffic for all the performance tests was generated with two pairs of Spirent Avalanche/Reflector 2500 load
generators, which ran v7.0 (build 36784). The load from the traffic generators and the outputs of the Attack System – the
Imperfect Networks ThreatEx Appliance (v1.60b) – were connected through the same VLANs on a Cisco 6509 Catalyst
switch, which was running IOS 12.2.
Note: All publicly available documents and materials from the competitive vendors, along with the considerable technical
expertise and judgment of the testers, were applied to ensure these vendors’ units were appropriately and optimally
configured for each test scenario. Check Point, Fortinet and Juniper all declined requests to provide Miercom with direct
technical support for this testing.
Copyright © 2005 Miercom Unified Threat Management Security Appliances Page 2