Cisco ASA 5580 Adaptive Security Appliance White Paper

 
 
 
IPS Testing

The results of the IPS tests are shown below and on the next page. From a broad assortment of test cases, each involving a different category of threat, the Cisco ASA 5520 detected 100 percent of the threats in the test cases we performed.

When testing the same test cases, with the competitive security appliances, many threats were undetected to varying degrees. None of the other systems detected more than 45 percent of the collective threats in all categories. For instance, while the FortiGate 1000 detected 83 percent of the Virus/Worm test cases, overall only 29 percent of the total threats presented were detected. The Cisco ASA 5520 detected all of the Backdoor threats, while surprisingly none of the competitive systems detected any of the Backdoor test cases presented.

The IPS functionality tested included basic attacks that are typically included in most IPS tests, as well as additional test cases involving attack and threat mitigation, policy violation, and adware and spyware detection.

A total of 126 threats (test cases) were presented to all four systems tested. Each test case was executed separately for each system. All the signatures (or any other IPS-type settings) were enabled for each system. The results were examined using each system’s main management screen – these were web-based applications which were configured to display the attacks as soon as they were detected.

VPN Gateway Throughput Performance

Similar to the firewall performance, we evaluated VPN performance using 4-Kbyte and 16-Kbyte HTTP Object sizes. Again, the traffic was generated by the Spirent Avalanche/Reflector systems, simulating HTTP-TCP/IP “real-world” traffic. The VPN tests were run with four VPN tunnels, simulating four secure, site-to-site VPN connections, using 3DES encryption. The VPN tests were run with only the vendor’s default firewall settings enabled (no additional settings were enabled).
 
 
 
 
 
 
 
 
 
 
 
 
 
 
[Figure: VPN 4-Tunnel Site-to-Site Performance (Mbps). Bar chart, throughput axis from 0 to 350 Mbps, for the Cisco ASA 5520, Juniper NetScreen-208, Check Point VPN-1 Pro and Fortinet FortiGate 1000; series: 4k-byte Object size and 16k-byte Object size.]

The Cisco ASA 5520 demonstrated higher throughput than competitors in the 4-tunnel Site-to-Site VPN tests, with both 4-Kbyte and 16-Kbyte object sizes.
 
 
 
 
 
 
[Figure: Threat Prevention by Category. Bar chart, detection axis from 0% to 100%, by category (Viruses/Worms, Backdoors, General, P2P, IM, SpyWare, Overall); series: Cisco ASA 5520, NetScreen-208, Check Point VPN-1 and FortiGate 1000.]

The Cisco ASA 5520 detected 100 percent of the complete set of the threats presented, while comparable, competitive systems from Juniper, Check Point and Fortinet only detected 30 to 40 percent of the cumulative threats.
 
 
 
Copyright ©  2005 Miercom       Unified Threat Management Security Appliances                         Page 4