
Welcome to ISAserver.org


ISA 2006 performance v Cisco ASA 5500

ISA 2006 performance v Cisco ASA 5500 - 22.Feb.2007 10:14:58 AM   
jcanfer

 

Posts: 20
Joined: 31.Oct.2006
Status: offline
After trawling the web I'm unable to find any performance figures for ISA 2006. 

I'm writing a document for the Board trying to justify ISA over trading in our PIX for an ASA.  As such it would help the case if I had some basic comparative stats for Cleartext throughput, Max simultaneous users and IPSec throughput.

Obviously hardware has a bearing on this, but does anyone know if there are stats for this anywhere?

Many thanks
Post #: 1
RE: ISA 2006 performance v Cisco ASA 5500 - 25.Feb.2007 6:31:05 PM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
What are you going to use it for? Site-to-site, remote access, server publishing, etc.? How much Internet bandwidth do you have? How many users?

Ray

(in reply to jcanfer)
Post #: 2
RE: ISA 2006 performance v Cisco ASA 5500 - 26.Feb.2007 4:12:25 AM   
jcanfer

 

Posts: 20
Joined: 31.Oct.2006
Status: offline
It'll have a fairly light load; 4x site to site IPSec VPNs, up to 20 remote access L2TP/IPSec VPNs, up to 100 internal users browsing the web/FTP/Messenger, OWA publishing.

Our current bandwidth is 10Mbit.

Thanks

(in reply to RAJP)
Post #: 3
RE: ISA 2006 performance v Cisco ASA 5500 - 28.Feb.2007 10:43:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

The ISA Firewall performance white paper can give you some good information in these areas.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jcanfer)
Post #: 4
RE: ISA 2006 performance v Cisco ASA 5500 - 20.Apr.2007 2:44:12 PM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Hi, this is a good question, as my manager is convinced that ASA is better than ISA, maybe because it has the anti-phishing, antivirus, anti-spyware.

But what would really help me in arguing with him is the following question:

Does ASA 5500 support Active Directory? Does it control outbound rules by users from AD?

Waiting for your replies, many thanks

(in reply to jcanfer)
Post #: 5
RE: ISA 2006 performance v Cisco ASA 5500 - 22.Apr.2007 1:25:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ITE,

ASA does not have strong outbound access controls based on AD.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 6
RE: ISA 2006 performance v Cisco ASA 5500 - 29.Apr.2007 5:03:52 AM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Hi tshin,

So it (ASA) actually does have user authentication from AD?

(in reply to tshinder)
Post #: 7
RE: ISA 2006 performance v Cisco ASA 5500 - 29.Apr.2007 10:08:21 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ITE,

Not for outbound.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 8
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 9:00:53 AM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
From someone who has a CCIE in Security (Cisco Certified Internetworking Engineer) certificate, I can honestly say that I could not recommend a PIX or ASA firewall to anyone. They are extremely overpriced and underpowered; do not believe the specs they publish. Feature-wise they are behind the curve by about 2-3 years. You are better off with an ISR router (2800 or 3800 Series) as your gateway, with an ISA Server behind it doing the heavy lifting for VPNs and/or content filtering. You have the flexibility of making your ISA as powerful as it needs to be.

If you are stuck using that PoS (PIX or ASA), my apologies.

Edward Ray
CCIE Security, CISSP, GCIA, GCIH, MCSE+Security

(in reply to tshinder)
Post #: 9
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 11:13:11 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Edward,

Thanks for the insight! Nice to know I share the same opinion regarding the ASA and PIX as a CCIE.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 10
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 11:26:29 AM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Now Juniper Netscreens on the other hand, ROCK!  I am somewhat biased, having consulted on the custom ASIC design for Netscreen in the 1990s.

:)

(in reply to tshinder)
Post #: 11
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 11:56:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
We all have our favorites

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 12
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 1:47:08 PM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
quote:

ORIGINAL: tshinder

Hi ITE,

Not for outbound.

Tom


OUCH, I'm going to hit my manager with this info

Are you sure, tshin? hunglikethor, can you confirm this piece of info?




(in reply to tshinder)
Post #: 13
RE: ISA 2006 performance v Cisco ASA 5500 - 1.May2007 5:28:40 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Cisco has a habit of overselling the features on their PIX firewalls.  I can remember a few years back I had recommended that a large backbone provider choose upstart Netscreen over the Cisco PIX because their 535s did not have the promised performance.  The testing was done both by me and the Labs of the ISP.  But the management had been sold on Cisco, so in the PIXes went.  About a month later they regretted that decision, as the PIXes bricked under the load of VPN traffic.  They agreed to give Netscreen a try; now that is all they use because you can trust the performance specs on their marketing sheets.

ASAs have added SSL VPN functionality to their firewalls, which may give them an advantage in features, but have done little to upgrade the hardware.  As a result, I would not expect the performance to be as advertised.  I have not done any testing on the ASA per se on this functionality, so I could be wrong.

Cisco is a Router and Switch company.  Their security products suck to say the least.  Get a Cisco 2800 or 3800 Series and utilize the security features in IOS.  For SSL VPNs stick with Juniper Netscreen or ISA Server (when IAG 2007 becomes available).

This is a biased opinion but I have been VERY impressed with the Juniper SSG 500 Series vs. the Cisco 2800/3800.  It supports 10,000-20,000 BGP routes in ScreenOS mode; most enterprises do not need full routing tables.  And the  performance under full application layer inspection load is great.  Would like to see SSL added in addition to IPSec, but hey, that is what I will use the ISA Server for...

Good luck convincing your management.  If you need me to give an in-person rant let me know :)

Edward Ray

(in reply to ITEngineer)
Post #: 14
RE: ISA 2006 performance v Cisco ASA 5500 - 2.May2007 2:33:59 PM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Hi hunglikethor. Thanks for the explanation, but you did not confirm this:
quote:

ORIGINAL: tshinder
Hi ITE,
Not for outbound.
Tom

Based on the Cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says:
quote:

Control access to business resources-Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.



(in reply to hunglikethor)
Post #: 15
RE: ISA 2006 performance v Cisco ASA 5500 - 2.May2007 10:22:54 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
I have not had experience with the ASA and AD integration.  The Netscreen SSL VPN products work well with Microsoft's Active Directory authentication.

My experience with Cisco's SSL VPN implementation was with the concentrator 3000 series, which performed horribly and did not communicate well with AD.  I should clarify that statement with the fact that I adhere to Microsoft best practices and security and even go a little beyond (NetBIOS disabled AD-wide, secure signing required, PKI infrastructure).  The Netscreen SSL VPNs played well with this increased security whereas the VPN concentrator does not.  I can confirm tshinder's statements for VPN 3000 series concentrator.  Cisco most likely ported the VPN concentrator functionality to the ASA product and did not improve upon it.  Cisco rarely improves upon anything that they buy/acquire, especially security products.

I really like the Whale product, now IAG 2007.  Once available as a true add-on to ISA 2006 (not another piece of hardware I need to buy) it could emerge as a serious alternative in the SSL VPN market.  The ISA 2006 platform is an excellent product to deploy in the perimeter (not the edge) behind a solid WAN gateway product.

Hope this answers your question.  In a nutshell, Cisco's security products are overpriced, underpowered, and lack many of the features you find in Juniper Netscreen security products or the add-on functionality that ISA 2006 potentially brings to the table.  Cisco has its own view of the security world and it does not always play well with other people's devices.  One thing to remember about Cisco, THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost.

(in reply to ITEngineer)
Post #: 16
RE: ISA 2006 performance v Cisco ASA 5500 - 3.May2007 11:49:11 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Thor,

RIGHT ON!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 17
RE: ISA 2006 performance v Cisco ASA 5500 - 3.May2007 7:43:13 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: ITEngineer

Hi hunglikethor. Thanks for the explanation, but you did not confirm this :
quote:

ORIGINAL: tshinder
Hi ITE,
Not for outbound.
Tom

based on cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says :
quote:

Control access to business resources-Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.





That's for inbound access control, not outbound access control. They don't have user/group based outbound access control.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 18
RE: ISA 2006 performance v Cisco ASA 5500 - 29.Jan.2009 4:32:54 PM   
steavg

 

Posts: 175
Joined: 29.Jan.2004
From: Belgium
Status: offline
Hunasthore...if you are a CCIE Security you are probably the most incompetent of them all...that being said....

Stating that "One thing to remember about Cisco, THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost.".....is as good as stating that Microsoft is a PC software development company (and a crappy one too)

Please get your facts straight:

- The ASA VPN services are not ported from the VPN3000...it's a totally new design (sure ISA is Proxy 2.0 ..???)
- Cisco rarely improves anything...well can you tell me on which domains Juniper improved the NetScreen line..?...check out the ASA and get your facts straight

And please don't compare the ISA with a firewall...it does little justice to great firewall products...Checkpoint, Juniper, Fortinet...and yes Cisco ASA...

But hey...it might just be that you didn't pay attention during your CCIE course and are crap in configuring the ASA...or you're one of those blind adepts of Mr Shinder..aka...the most biased independent security expert

just my 2 cents..

Cheers
Stefan

(in reply to tshinder)
Post #: 19
RE: ISA 2006 performance v Cisco ASA 5500 - 30.Jan.2009 8:31:12 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
I see, in my opinion, some ISA allusions in the above post and I "feel" the need to "correct" them.

I would suggest that you read more carefully before posting, and think after you read before you post, as you are missing quite a few details of the entire conversation.
If you take the phrases out of context and interpret them the way you want or so, obviously they will sound the way you want (for you and some), poorly at best for others.

First, both the people you mention in your post already made clear statements within this thread (and not only) of their preferences, and you didn't do so within this thread, so who's biased, or at least what are you trying to say?

Last time I checked, Cisco was not a leader in the enterprise network firewalls arena (I'm not speaking from the market shares point of view), the leaders were Check Point and Juniper, with Secure Computing in the back offering some "special" things, although Cisco has a big market share (of course if you can understand that the two things are quite different).

If you wanted to be more accurate or whatever, you could mention that Cisco added over time new features to their SSL VPN, and point to the specific documents per ASA's versions (that's kids' stuff). Searching through time, although this is an ISA forum, just for the sake of the conversation:
http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/miFeatureDiffs.html#wp1008637
quote:

Mapping Features from the VPN 3000 Concentrators to ASA
WebVPN

VPN 3000
Configurable, available on all models. Offers features available on the latest Release 4.7 VPN 3000 Concentrator sustaining release, including:
• SSL VPN Client
• Cisco Secure Desktop
• Citrix
• NTLM authentication
• PDA support.

ASA
• Support for WebVPN is equivalent to that available on the VPN 3000 Series Concentrator Release 4.1.7.
• WebVPN is not available on PIX hardware.

Please tell me, where was the new "design" within the two links below, at that time, eh?
http://www.securityfocus.com/bid/18419/discuss
http://www.securityfocus.com/archive/1/436479/30/0/threaded

Cisco firewalls are known to have the highest rates of product vulnerabilities in comparison with competitors, so is there anything great in getting p0wned when you deploy something specific for actually not getting p0wned?

Cisco may offer the highest price per Gbps for their firewalls, quite unjustified since "this Gbps is far from being the most secure".

And yes, we can compare ISA with anything, and we are free to do so, as long as we have and bring arguments, arguments which clearly your post is lacking. Anyway and anyhow, this is an ISA *orientated* web site, and politely said, I'm afraid I do not understand the nature of your comments....

ASA indeed offers more features over ISA, due to Microsoft's failure to add new features to ISA, new features that were actually very needed and desired. This aspect was discussed and acknowledged (directly or indirectly) all over and over around these forums.
However, almost none of the numerous ASA's features are exactly impressive or shiny.

Now, to flame it a little bit, tell us with what "application proxy" (or so) is ASA often backed, because, as Marcus Ranum said in a reply to a Cisco fanboy:
http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-05/0117.html
quote:

>Most implementations of stateful firewalls are backed up by application proxies on the most popular protocols such as HTTP and FTP.
Yeah, because they suck. :)


Adrian

< Message edited by adimcev -- 30.Jan.2009 11:42:54 AM >


_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to steavg)
Post #: 20
