Lab Testing Summary Report


Lab Testing Summary Report
April 211
Report 11419
Product Category: Enterprise Firewall
Vendors and Products Tested: ASA 5585-X

Key findings and conclusions:
- With 364, TCP connections per second, ASA 5585-X handled 12% more connections per second than
- throughput with EMIX frames reached 24.5 Gbps an 11% increase compared to the
- ASA 5585-X can sustain 1 million concurrent connections
- At maximum load, used 425 watts, while used 1168 watts at idle, a 64% difference in power consumption

engaged Miercom to evaluate the performance of the ASA 5585-X SSP-6 Adaptive Security Appliance. The ASA 5585-X was tested in a variety of scenarios to determine the maximum TCP and UDP throughput performance. Parameters recorded included CPU utilization, allocated memory utilization, connections per second (CPS), concurrent connections, real world HTTP throughput, and TCP EMIX traffic. We performed the identical tests on a Services Gateway to compare and contrast the performance of these products. In addition, we also measured the power consumption of each appliance while under load.

The ASA 5585-X SSP-6 has a multi-core, multi-processor architecture. The tested model featured twenty-four processing cores, six Gigabit Ethernet interfaces, and four 1 Gigabit Ethernet interfaces. The appliance combines a stateful firewall and VPN capabilities in one device, and includes features such as Layer 2 and Layer 3 firewall operation, advanced inspection engines, IPSec VPN, SSL VPN, and clientless SSL VPN.

[Figure 1: ASA 5585-X and TCP EMIX Traffic (y-axis: Gbps). Source: Miercom, April 211]
ASA 5585-X achieved 24.5 Gbps throughput for TCP EMIX traffic, an 11% improvement attained by ASA 5585-X when compared to the.

How We Did It

To fully exercise the performance of the products, the test bed utilized BreakingPoint and Spirent TestCenter products. Bidirectional test traffic was generated using BreakingPoint version: 2.1.. build number: 71254 strikebuild: 78528, and the Spirent Test Center v3.5.5.

Real-world HTTP tests were performed using HTTP v1.1 with persistence while transferring objects of varying sizes. TCP performance tests were conducted using BreakingPoint to generate 64-byte HTTP traffic, as well as EMIX traffic containing a mix of packet sizes and protocols. UDP performance tests utilized Spirent TestCenter to send fixed frame sizes ranging from 64-byte up to 9,216-byte jumbo frames (9,192 bytes on ).

The ASA 5585 SSP-6 was equipped with four 1GE interfaces. Adaptive Security Appliance (ASA) Software v8.4.1 and Security Manager (CSM) 4.1 were used during testing. The product architecture features a multi-processor/multi-core platform with 24 processing cores. Default MTU size for TCP traffic was 1,38 bytes to allow for overhead. Default MTU size for UDP traffic was 9,216 bytes.

was configured with four 1GE interfaces and JunOS 1.4r2.6. Most recent publicly available documentation for the product states it as providing up to 3 Gbps of firewall performance and 175, connections per second. Default MTU size for TCP traffic was 1,46 bytes. Default MTU size for UDP traffic was 9,192 bytes. The has a NPU-based architecture with XLR variants featuring 2-8 cores per SPC.

The tests in this report are intended to be reproducible for customers who wish to recreate them with the appropriate test and measurement equipment. Current or prospective customers interested in repeating these results may contact reviews@miercom.com for details on the configurations applied to the Device Under Test and test tools used in this evaluation. Miercom recommends customers conduct their own needs analysis study and test specifically for the expected environment for product deployment before making a product selection.

Tested Configurations

Platform: ASA 5585-X SSP-6
Operating System: ASA v8.4.1 and CSM 4.1; JunOS 1.4r2.6
Product Architecture: Multi-processor, multi-core; NPU based with XLR variants
Processing Cores: 24; 2-8 cores per SPC
Gigabit Ethernet Interfaces
1 Gigabit Ethernet Interfaces: 4; 4

[Test Bed Diagrams: UDP Topology (All interfaces and connections are 1 GbE SR); TCP Topology (All traffic generation is 1 GbE SR). Diagram labels: ASA 5585 SSP-6, BreakingPoint, Spirent TestCenter]

Copyright 211 Miercom ASA 5585 and Page 2

EMIX - Real World Protocol Mix

To further evaluate the performance of each appliance, a mix of packet sizes and protocols were used. We constructed a mixed traffic profile that reflects a more realistic representation of a typical network. Each protocol was assigned a specific weighting, with a preponderance of traffic being HTTP, as this is most representative of an enterprise environment.

Protocol            % Bandwidth Allocated
HTTP                43.956
BitTorrent Peer     21.978
IMAP v4 Advanced    16.484
FTP                 8.791
SMTP                8.791

We observed a 24.6 Gbps throughput for this mix of traffic on the ASA 5585, 11% higher than the throughput for the. obtained a maximum throughput of 22 Gbps. These results can be seen graphically in Figure 1 on page 1.

Concurrent Connections

The objective of this test is to determine the maximum number of concurrent or simultaneous TCP connections that the firewall can handle. The sessions are simulated using 64-byte HTTP packets, and all sessions are kept open once established and increased until the maximum upper limit is reached, as reported by the firewall itself. CPU and memory utilization is not relevant for this test and was not recorded.

The ASA5585-X SSP-6 achieved 1% of its expected value, establishing a maximum of 1 million concurrent connections. The data sheet states an upper limit of 2.25 million concurrent connections for the. In our testing, the exceeded that target, establishing a maximum of 2.39 million connections.

[Figure 2: Maximum Concurrent TCP Connections using 64-byte Frames (y-axis: Millions of Connections). Annotation: 319% higher!]
The maximum number of concurrent connections is shown.

HTTP Maximum Throughput

To understand how well each firewall processed HTTP traffic, we created a scenario using web traffic of varying packet sizes. We configured our test equipment to deliver an average packet size of 471 bytes by selecting an object size of 11,11 bytes and changing the TCP Maximum Segment Size (TCPMSS) to 1,14. This created a varying packet size which is more process intensive. We recorded the maximum throughput achieved for each appliance without incurring packet loss.

[Figure 3: Maximum Throughput (y-axis: Gbps)]

The ASA 5585-X SSP-6 delivered 3.5% more throughput than the, achieving 17.3 Gbps with no packet loss. Resource utilization reporting showed that the CPU was nearly maxed out at 99%, while memory utilization was 21%.

achieved 16.7 Gbps with no packet loss. Resource reporting indicated that the CPU was only 11% utilized and memory only 4% utilized. As noted in the previous test, we feel that this number is too low considering the stress the appliance was under, and suspect the resource allocation is being reported incorrectly.

Connections per Second

In this test, our objective was to determine the maximum number of new TCP connections each firewall could handle without dropping any packets. The TCP sessions were simulated using 64-byte HTTP packets. The connection rate was ramped up until a maximum number of connections was achieved. CPU and memory utilization was recorded at this point.

The ASA 5585-X SSP-6 achieved a 49% increase in performance over the, handling a maximum new connection rate of 364, connections per second. Resource utilization of 1% CPU and 22% memory was recorded for the ASA 5585.

The was able to handle 18, new TCP connections per second. We noted that the appeared to incorrectly report its resource utilization, as the CPU usage was reported to be only 11% and memory was reported at 4%. As the unit could not handle more than 18K connections without incurring packet loss, it seemed unlikely that the CPU was being so lightly stressed. This anomaly has been observed in other testing. See Figure 4.

[Figure 4: Connections per Second (Max CPS; y-axis: CPS)]

UDP Mixed Packet Sizes with Jumbo Frames

To determine the maximum data rate each appliance could sustain with no packet loss for a range of fixed packet sizes, including jumbo frames, the standard RFC 2544 Benchmarking Throughput test was used. 8, hosts were used to provide enough traffic to maximize the throughput potential for each packet size.

The maximum jumbo frame size for the ASA 5585-X is 9,216 bytes. The maximum jumbo frame size for the is 9,192 bytes. We also evaluated the throughput of an IMIX traffic stream consisting of a mix of various packet sizes.

As seen in Figure 5, the ASA 5585 outperformed the at every frame size. We noted that the throughput for the appeared to trail off at higher frame sizes. In Figure 6 on the next page, it can be seen that the ASA 5585 was able to handle a higher packets per second rate than the for all packet sizes.

[Figure 5: UDP Mixed Packet Sizes, Maximum Data Rate Sustained with No Packet Loss (y-axis: Throughput (Gbps); x-axis: frame size, including Jumbo Frames and IMIX)]
ASA 5585 outperformed the at every frame size. Throughput decreased slightly for the as frame sizes increased.

[Figure 6: Maximum Data Rate Sustained with No Packet Loss (y-axis: Packets per Second in Thousands; x-axis: Frame Size, including Jumbo Frames and IMIX)]
ASA 5585 outperformed the in every frame size in the packets per second test.

ASA5585 Management

Security Manager (CSM) is the enterprise class security management solution that enables enterprises to manage and scale security operations efficiently. This powerful graphical management solution enables consistent policy enforcement, quick troubleshooting of security events, and summarized reports from across the security deployment (see Figure 7).

While enterprise customers can leverage CSM for large scale management, Adaptive Security Device Manager (ASDM) can be used for managing smaller sized networks. ASDM is included with all Adaptive Security Appliances and the product can be used to quickly configure, monitor and troubleshoot ASA firewalls.

[Figure 7: Security Manager]
Management interface screen shows a large variety of firewall event views available to an administrator. Device IDs, source and destination IP addresses, and service type are clearly displayed for analysis. Filters can be created based on any field, not just by event type.

Power Consumption

We conducted a power consumption evaluation between the two security devices. We used the standard RFC 2544 Benchmarking Throughput test script for 1% traffic load. Each device had two power supplies, a firewall module installed and no IPS.

ASA 5585-X used 382 watts at idle and 425 watts at full load. The at idle had recorded 1,168 watts and 1,249 watts for 1% load. used 194% more power at maximum load. These tests were run several times in order to be certain the figures were accurately recorded. This is a dramatic advantage for the security appliance.

[Figure 8: Power Consumption at Idle and Maximum Load (EMIX) (y-axis: Watts; categories: Idle State, Maximum Load). *Lower is better]

Miercom Performance Verified

Based on its lab testing of the ASA 5585-X SSP-6 Adaptive Security Appliance, Miercom verifies that the throughput capabilities of this security appliance are superior to that of the Services Gateway. Hands on testing results confirmed the ASA 5585 sustained 1,, simultaneous connections, 364, connections per second, and HTTP traffic at 17.3 Gbps. had better performance at all packet sizes, including jumbo frames.

The ASA 5585-X SSP-6 delivers impressively on the security, scalability and performance required for enterprise networks, data centers and Web 2. applications. Performance and security features earned the ASA 5585-X the Miercom Performance Verified Certification.

ASA 5585
Systems Inc.
17 West Tasman Drive
San Jose, CA 95134
www.cisco.com
1-8-553-6387

About Miercom's Product Testing Services

Miercom has hundreds of product-comparison analyses published over the years in leading network trade periodicals including Network World, Business Communications Review - NoJitter, Communications News, xchange, Internet Telephony and other leading publications. Miercom's reputation as the leading, independent product test center is unquestioned.

Miercom's private test services include competitive product analyses, as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Certified Interoperable, Certified Reliable, Certified Secure and Certified Green. Products may also be evaluated under the NetWORKS As Advertised program, the industry's most thorough and trusted assessment for product usability and performance.

Report 11419
reviews@miercom.com
www.miercom.com
Before printing, please consider electronic distribution

Product names or services mentioned in this report are registered trademarks of their respective owners. Miercom makes every effort to ensure that information contained within our reports is accurate and complete, but is not liable for any errors, inaccuracies or omissions. Miercom is not liable for damages arising out of or related to the information contained within this report. Consult with professional services such as Miercom Consulting for specific customer needs analysis.