Welcome to ISAserver.org
ISA 2006 performance v Cisco ASA 5500
ISA 2006 performance v Cisco ASA 5500 - 22.Feb.2007 10:14:58 AM
jcanfer
Posts: 16
Joined: 31.Oct.2006
Status: offline
After trawling the web I'm unable to find any performance figures for ISA 2006. I'm writing a document for the Board trying to justify ISA over trading in our PIX for an ASA. As such it would help the case if I had some basic comparative stats for Cleartext throughput, Max simultaneous users and IPSec throughput. Obviously hardware has a bearing on this, but does anyone know if there are stats for this anywhere? Many thanks
RE: ISA 2006 performance v Cisco ASA 5500 - 25.Feb.2007 6:31:05 PM
RAJP
Posts: 49
Joined: 11.Mar.2006
Status: offline
What are you going to use it for? Site-to-site, remote access, server publishing, etc.? How much Internet bandwidth do you have? How many users? Ray
RE: ISA 2006 performance v Cisco ASA 5500 - 26.Feb.2007 4:12:25 AM
jcanfer
Posts: 16
Joined: 31.Oct.2006
Status: offline
It'll have a fairly light load: 4x site-to-site IPSec VPNs, up to 20 remote access L2TP/IPSec VPNs, up to 100 internal users browsing the web/FTP/Messenger, OWA publishing. Our current bandwidth is 10Mbit. Thanks
RE: ISA 2006 performance v Cisco ASA 5500 - 20.Apr.2007 2:44:12 PM
ITEngineer
Posts: 254
Joined: 3.Feb.2006
Status: offline
Hi, this is a good question, as my manager is convinced that ASA is better than ISA, maybe because it has the anti-phishing, antivirus, anti-spyware. But what would really help me in arguing with him is the following question: Does ASA 5500 support Active Directory, does it control outbound rules by users from AD? Waiting for your replies, many thanks
RE: ISA 2006 performance v Cisco ASA 5500 - 29.Apr.2007 5:03:52 AM
ITEngineer
Posts: 254
Joined: 3.Feb.2006
Status: offline
Hi tshin, so it (ASA) actually does have user authentication from AD?
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 9:00:53 AM
hunglikethor
Posts: 64
Joined: 12.Oct.2006
Status: offline
From someone who has a CCIE in Security (Cisco Certified Internetworking Engineer) certificate, I can honestly say that I could not recommend a PIX or ASA firewall to anyone. They are extremely overpriced and underpowered; do not believe the specs they publish. Feature-wise they are behind the curve by about 2-3 years. You are better off with an ISR router (2800 or 3800 Series) as your gateway, with an ISA Server behind it doing the heavy lifting for VPNs and/or content filtering. You have the flexibility of making your ISA as powerful as it needs to be. If you are stuck using that PoS (PIX or ASA), my apologies. Edward Ray CCIE Security, CISSP, GCIA, GCIH, MCSE+Security
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 11:26:29 AM
hunglikethor
Posts: 64
Joined: 12.Oct.2006
Status: offline
Now Juniper Netscreens on the other hand, ROCK! I am somewhat biased, having consulted on the custom ASIC design for Netscreen in the 1990s. :)
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 5:28:40 PM
hunglikethor
Posts: 64
Joined: 12.Oct.2006
Status: offline
Cisco has a habit of overselling the features on their PIX firewalls. I can remember a few years back I had recommended that a large backbone provider choose upstart Netscreen over the Cisco PIX because their 535s did not have the promised performance. The testing was done both by me and the Labs of the ISP. But the management had been sold on Cisco, so in the PIXes went. About a month later they regretted that decision, as the PIXes bricked under the load of VPN traffic. They agreed to give Netscreen a try; now that is all they use because you can trust the performance specs on their marketing sheets.

ASAs have added SSL VPN functionality to their firewalls, which may give them an advantage in features, but have done little to upgrade the hardware. As a result, I would not expect the performance to be as advertised. I have not done any testing on the ASA per se on this functionality, so I could be wrong.

Cisco is a Router and Switch company. Their security products suck to say the least. Get a Cisco 2800 or 3800 Series and utilize the security features in IOS. For SSL VPNs stick with Juniper Netscreen or ISA Server (when IAG 2007 becomes available).

This is a biased opinion but I have been VERY impressed with the Juniper SSG 500 Series vs. the Cisco 2800/3800. It supports 10,000-20,000 BGP routes in ScreenOS mode; most enterprises do not need full routing tables. And the performance under full application layer inspection load is great. Would like to see SSL added in addition to IPSec, but hey, that is what I will use the ISA Server for...

Good luck convincing your management. If you need me to give an in-person rant let me know :)
Edward Ray
RE: ISA 2006 performance v Cisco ASA 5500 - 2.May2007 2:33:59 PM
ITEngineer
Posts: 254
Joined: 3.Feb.2006
Status: offline
Hi hunglikethor. Thanks for the explanation, but you did not confirm this:
quote:
ORIGINAL: tshinder
Hi ITE, Not for outbound. Tom
Based on the Cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says:
quote:
Control access to business resources - Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.
RE: ISA 2006 performance v Cisco ASA 5500 - 2.May2007 10:22:54 PM
hunglikethor
Posts: 64
Joined: 12.Oct.2006
Status: offline
I have not had experience with the ASA and AD integration. The Netscreen SSL VPN products work well with Microsoft's Active Directory authentication. My experience with Cisco's SSL VPN implementation was with the concentrator 3000 series, which performed horribly and did not communicate well with AD. I should clarify that statement with the fact that I adhere to Microsoft best practices and security and even go a little beyond (NetBIOS disabled AD-wide, secure signing required, PKI infrastructure). The Netscreen SSL VPNs played well with this increased security whereas the VPN concentrator does not.

I can confirm tshinder's statements for VPN 3000 series concentrator. Cisco most likely ported the VPN concentrator functionality to the ASA product and did not improve upon it. Cisco rarely improves upon anything that they buy/acquire, especially security products.

I really like the Whale product, now IAG 2007. Once available as a true add-on to ISA 2006 (not another piece of hardware I need to buy) it could emerge as a serious alternative in the SSL VPN market. The ISA 2006 platform is an excellent product to deploy in the perimeter (not the edge) behind a solid WAN gateway product.

Hope this answers your question. In a nutshell, Cisco's security products are overpriced, underpowered, and lack many of the features you find in Juniper Netscreen security products or the add-on functionality that ISA 2006 potentially brings to the table. Cisco has its own view of the security world and it does not always play well with other people's devices. One thing to remember about Cisco, THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost.
RE: ISA 2006 performance v Cisco ASA 5500 - 3.May2007 7:43:13 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: ITEngineer
Hi hunglikethor. Thanks for the explanation, but you did not confirm this:
quote:
ORIGINAL: tshinder
Hi ITE, Not for outbound. Tom
Based on the Cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says:
quote:
Control access to business resources - Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.

That's for inbound access control, not outbound access control. They don't have user/group based outbound access control.
HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8