Cisco ASA 5585-X Adaptive Security Appliance White Paper
Higher throughput could have been achieved with UDP traffic, but UDP does not exercise connection setup and teardown or the other TCP-related logic that is central to firewall operation and performance. Also, the overwhelming majority of network traffic today is TCP/IP.

For both firewall and VPN testing, test cases were run with both 4-Kbyte and 16-Kbyte HTTP object sizes. These simulate two different types of users: 16-Kbyte objects represent users downloading large files, while 4-Kbyte objects are more representative of transactional traffic.

For the firewall throughput, IPS performance and connections-per-second tests, all of each vendor's threat signatures were enabled. For the site-to-site VPN tests, we ran with just the vendors' "default" firewall settings, that is, the settings that ship with the product "out of the box." The IPS tests specifically evaluated each device's ability to detect each threat. No background traffic was running while the threat-detection tests were being run, so those results measure detection accuracy in isolation rather than detection under load.
Unified Threat Management
Unified Threat Management (UTM) devices have recently become very popular because they address multiple security-related threats in one unit. Many current UTM products are offered as security appliances (pre-packaged hardware and software). Some, however, are offered as software products running on standard Intel PC/server platforms.

For this comparative study, all the devices tested provide firewall, IPS (intrusion prevention system) and VPN gateway capabilities. All the vendors offer a range of devices that address these functions. The products selected for this evaluation were chosen because they are in approximately the same price range. The basic Check Point VPN-1 Pro (with WebIntelligence and SecureXL), a software-only product, costs more than the other systems, but its price is still fairly close to the others tested.

The price of these products is closely tied to performance. All the vendors offer higher-end units with much more performance and capability, but at a significantly higher price. The goal of this evaluation was to compare similarly priced systems.
Firewall and IPS Performance
To measure firewall throughput, we ran tests with both 4-Kbyte and 16-Kbyte HTTP object sizes. The results of the 16-Kbyte HTTP object-size tests are shown on page 1. The chart below shows the results for the 4-Kbyte HTTP object size. The results show that the Cisco ASA 5520 continues to deliver high throughput compared to its competitors, even for this smaller, transactional-type traffic, with all threat signatures enabled.
Workloads and Performance
The traffic load for our performance tests was generated using Spirent's Avalanche/Reflector load generators (see details on page 2). The Avalanche/Reflector systems were set to automatically generate high rates of TCP/IP traffic, which were directed to the particular UTM device being tested (one at a time, in turn). The generated TCP/IP traffic simulates real-world HTTP 1.1 Web traffic between typical users and Web servers.

For the HTTP traffic, thousands of TCP/IP connections were set up and terminated during each test run. Each test, lasting two to three minutes, consisted of "ramp up", "steady state" and "ramp down" phases. The load on each system under test was increased until connections started dropping (as reported by the Avalanche/Reflector system). At this point the "maximum" throughput was recorded. To confirm this, the traffic load was increased beyond this point. In some cases the overall throughput increased minimally, while in others it dropped. As more traffic was applied, more and more connections were dropped.
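The knee-finding procedure described above (raise offered load until the generator reports dropped connections, record that throughput as the maximum, then push further to confirm it only rises minimally or falls), together with the reason the 4-Kbyte object size from the test-case description stresses a device harder than the 16-Kbyte one at the same Mbps, as an added Python example. This is not code from the Miercom report and not Spirent Avalanche/Reflector output; the RampStep records are constructed to resemble one ramp of a 4-Kbyte test, and the 300-byte HTTP header overhead and the 5% confirmation tolerance are assumptions.

```python
"""Knee detection for a load-generator ramp, following the methodology in the
text: raise offered load step by step, record throughput at the first step
where the system under test starts dropping connections, then push further
to confirm that throughput only rises minimally or falls.

Added example; not Miercom's methodology code and not Spirent Avalanche output.
The ramp below is constructed, not measured data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RampStep:
    offered_cps: int        # connections/s the generator attempted at this step
    throughput_mbps: float  # goodput measured through the device under test
    failed_conns: int       # connections the generator reported as dropped


def http_object_bits(object_bytes: int, overhead_bytes: int = 300) -> int:
    """Bits on the wire for one HTTP object: body plus an assumed ~300 bytes
    of request/response headers. TCP/IP header bytes are deliberately ignored."""
    return (object_bytes + overhead_bytes) * 8


def implied_transactions_per_sec(throughput_mbps: float, object_bytes: int) -> float:
    """HTTP objects per second that a throughput figure corresponds to. With one
    object per connection this is also the connection rate the firewall must
    set up and tear down, which is why 4-Kbyte objects are the harder test."""
    return throughput_mbps * 1_000_000 / http_object_bits(object_bytes)


def find_max_throughput(steps: List[RampStep]) -> Optional[RampStep]:
    """Return the first ramp step at which the generator reported dropped
    connections; the methodology records its throughput as the maximum.
    Returns None when no step dropped connections (the device was never
    saturated, so the ramp says nothing about its limit)."""
    for step in steps:
        if step.failed_conns > 0:
            return step
    return None


def confirm_knee(steps: List[RampStep], knee: RampStep, tolerance: float = 0.05) -> bool:
    """Confirmation pass from the text: every step with more offered load than
    the knee must show throughput that is flat (within `tolerance`) or lower,
    and dropped connections must keep growing. A later step that clearly beats
    the knee means the knee was a transient, not the device's limit."""
    later = [s for s in steps if s.offered_cps > knee.offered_cps]
    ceiling = knee.throughput_mbps * (1 + tolerance)
    failures_grow = all(a.failed_conns <= b.failed_conns
                        for a, b in zip([knee] + later, later))
    return all(s.throughput_mbps <= ceiling for s in later) and failures_grow


# Constructed ramp for a 4-Kbyte object test: one object per connection, so
# Mbps tracks offered cps until the device starts dropping connections.
RAMP_4K: List[RampStep] = [
    RampStep(1000, 35.2, 0),
    RampStep(2000, 70.1, 0),
    RampStep(4000, 139.8, 0),
    RampStep(6000, 208.9, 0),
    RampStep(7000, 232.4, 12),     # first drops: this is the recorded maximum
    RampStep(8000, 236.0, 240),    # minimal increase, many more drops
    RampStep(9000, 221.5, 1900),   # throughput now falls
]


if __name__ == "__main__":
    knee = find_max_throughput(RAMP_4K)
    if knee is None:
        print("no dropped connections; extend the ramp")
    else:
        print(f"max throughput {knee.throughput_mbps} Mbps at {knee.offered_cps} cps, "
              f"confirmed={confirm_knee(RAMP_4K, knee)}")
        for size in (4096, 16384):
            rate = implied_transactions_per_sec(knee.throughput_mbps, size)
            print(f"{size // 1024}-Kbyte objects at that rate: {rate:.0f} objects/s")
```

Run against the constructed ramp, the knee lands at the 7000 cps step (232.4 Mbps) and the confirmation pass succeeds because the 8000 cps step gains under 5% and the 9000 cps step falls. The transaction-rate calculation shows the same 232.4 Mbps meaning roughly 6600 objects/s with 4-Kbyte objects but only about 1740 objects/s with 16-Kbyte objects, which is the connection-handling load the smaller object size imposes.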
[Chart: Firewall Performance (Mbps) with All Attack/Virus Signatures Enabled, 4-Kbyte HTTP Object Size. Y-axis: 0 to 250 Mbps. Devices: Cisco ASA 5520, Juniper NetScreen-208, Check Point VPN-1 Pro, Fortinet FortiGate 1000.]
The Cisco ASA 5520 demonstrated significantly higher
throughput with 4-Kbyte HTTP Object Sizes and all threat
signatures enabled
Copyright © 2005 Miercom Unified Threat Management Security Appliances Page 3