ISA 2006 performance v Cisco ASA 5500 (Full Version)






jcanfer -> ISA 2006 performance v Cisco ASA 5500 (22.Feb.2007 10:14:58 AM)

After trawling the web I'm unable to find any performance figures for ISA 2006. 

I'm writing a document for the Board trying to justify ISA over trading in our PIX for an ASA. As such it would help the case if I had some basic comparative stats for cleartext throughput, max simultaneous users and IPSec throughput.

Obviously hardware has a bearing on this, but does anyone know if there are stats for this anywhere?

Many thanks




RAJP -> RE: ISA 2006 performance v Cisco ASA 5500 (25.Feb.2007 6:31:05 PM)

What are you going to use it for? Site-to-site, remote access, server publishing, etc.? How much Internet bandwidth do you have? How many users?

Ray




jcanfer -> RE: ISA 2006 performance v Cisco ASA 5500 (26.Feb.2007 4:12:25 AM)

It'll have a fairly light load; 4x site to site IPSec VPN's, up to 20 remote access L2TP/IPSec VPN's, up to 100 internal users browsing the web/FTP/Messenger, OWA publishing.

Our current bandwidth is 10Mbit.

Thanks




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (28.Feb.2007 10:43:07 AM)

Hi J,

The ISA Firewall performance white paper can give you some good information in these areas.

HTH,
Tom




ITEngineer -> RE: ISA 2006 performance v Cisco ASA 5500 (20.Apr.2007 2:44:12 PM)

Hi, this is a good question, as my manager is convinced that ASA is better than ISA, maybe because it has the anti-phishing, antivirus and anti-spyware.

But what would really help me in arguing with him is the following question:

Does ASA 5500 support Active Directory? Does it control outbound rules by users from AD?

Waiting for your replies, many thanks




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (22.Apr.2007 1:25:09 PM)

Hi ITE,

ASA does not have strong outbound access controls based on AD.

HTH,
Tom




ITEngineer -> RE: ISA 2006 performance v Cisco ASA 5500 (29.Apr.2007 5:03:52 AM)

Hi tshin,

so it (ASA) actually does have User authentication from AD ?




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (29.Apr.2007 10:08:21 AM)

Hi ITE,

Not for outbound.

Tom




hunglikethor -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 9:00:53 AM)

From someone who has a CCIE in Security (Cisco Certified Internetworking Engineer) certificate, I can honestly say that I could not recommend a PIX or ASA firewall to anyone. They are extremely overpriced and underpowered; do not believe the specs they publish. Feature-wise they are behind the curve by about 2-3 years. You are better off with an ISR router (2800 or 3800 Series) as your gateway, with an ISA Server behind it doing the heavy lifting for VPNs and/or content filtering. You have the flexibility of making your ISA as powerful as it needs to be.

If you are stuck using that PoS (PIX or ASA), my apologies.

Edward Ray
CCIE Security, CISSP, GCIA, GCIH, MCSE+Security




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 11:13:11 AM)

Hi Edward,

Thanks for the insight! Nice to know I share the same opinion regarding the ASA and PIX as a CCIE [:D]

Thanks!
Tom




hunglikethor -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 11:26:29 AM)

Now Juniper Netscreens on the other hand, ROCK!  I am somewhat biased, having consulted on the custom ASIC design for Netscreen in the 1990s.

:)




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 11:56:48 AM)

We all have our favorites [;)]

Tom




ITEngineer -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 1:47:08 PM)

quote:

ORIGINAL: tshinder

Hi ITE,

Not for outbound.

Tom


OUCH , i'm going to hit my manager with this info [:)] [:)] [:)]

Are you sure tshin? hunglikethor, can you confirm this piece of info?







hunglikethor -> RE: ISA 2006 performance v Cisco ASA 5500 (1.May2007 5:28:40 PM)

Cisco has a habit of overselling the features on their PIX firewalls.  I can remember a few years back I had recommended that a large backbone provider choose upstart Netscreen over the Cisco PIX because their 535s did not have the promised performance.  The testing was done both by me and the labs of the ISP.  But the management had been sold on Cisco, so in the PIXes went.  About a month later they regretted that decision, as the PIXes bricked under the load of VPN traffic.  They agreed to give Netscreen a try; now that is all they use, because you can trust the performance specs on their marketing sheets.

ASAs have added SSL VPN functionality to their firewalls, which may give them an advantage in features, but have done little to upgrade the hardware.  As a result, I would not expect the performance to be as advertised.  I have not done any testing on the ASA per se on this functionality, so I could be wrong.

Cisco is a router and switch company.  Their security products suck, to say the least.  Get a Cisco 2800 or 3800 Series and utilize the security features in IOS.  For SSL VPNs stick with Juniper Netscreen or ISA Server (when IAG 2007 becomes available).

This is a biased opinion, but I have been VERY impressed with the Juniper SSG 500 Series vs. the Cisco 2800/3800.  It supports 10,000-20,000 BGP routes in ScreenOS mode; most enterprises do not need full routing tables.  And the performance under full application layer inspection load is great.  Would like to see SSL added in addition to IPSec, but hey, that is what I will use the ISA Server for...

Good luck convincing your management.  If you need me to give an in-person rant, let me know :)

Edward Ray




ITEngineer -> RE: ISA 2006 performance v Cisco ASA 5500 (2.May2007 2:33:59 PM)

Hi hunglikethor. Thanks for the explanation, but you did not confirm this:
quote:

ORIGINAL: tshinder
Hi ITE,
Not for outbound.
Tom

Based on the Cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says:
quote:

Control access to business resources-Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.






hunglikethor -> RE: ISA 2006 performance v Cisco ASA 5500 (2.May2007 10:22:54 PM)

I have not had experience with the ASA and AD integration.  The Netscreen SSL VPN products work well with Microsoft's Active Directory authentication.

My experience with Cisco's SSL VPN implementation was with the concentrator 3000 series, which performed horribly and did not communicate well with AD.  I should clarify that statement with the fact that I adhere to Microsoft best practices and security and even go a little beyond (NetBIOS disabled AD-wide, secure signing required, PKI infrastructure).  The Netscreen SSL VPNs played well with this increased security, whereas the VPN concentrator does not.  I can confirm tshinder's statements for the VPN 3000 series concentrator.  Cisco most likely ported the VPN concentrator functionality to the ASA product and did not improve upon it.  Cisco rarely improves upon anything that they buy/acquire, especially security products.

I really like the Whale product, now IAG 2007.  Once available as a true add-on to ISA 2006 (not another piece of hardware I need to buy) it could emerge as a serious alternative in the SSL VPN market.  The ISA 2006 platform is an excellent product to deploy in the perimeter (not the edge) behind a solid WAN gateway product.

Hope this answers your question.  In a nutshell, Cisco's security products are overpriced, underpowered, and lack many of the features you find in Juniper Netscreen security products or the add-on functionality that ISA 2006 potentially brings to the table.  Cisco has its own view of the security world and it does not always play well with other people's devices.  One thing to remember about Cisco: THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost.




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (3.May2007 11:49:11 AM)

Hi Thor,

RIGHT ON!

Thanks!
Tom




tshinder -> RE: ISA 2006 performance v Cisco ASA 5500 (3.May2007 7:43:13 PM)

quote:

ORIGINAL: ITEngineer

Hi hunglikethor. Thanks for the explanation, but you did not confirm this:
quote:

ORIGINAL: tshinder
Hi ITE,
Not for outbound.
Tom

Based on the Cisco site http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html , it says:
quote:

Control access to business resources-Prevent unauthorized access to applications or information assets by providing identity-based access control services that can tie into services like Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or RSA SecurID.





That's for inbound access control, not outbound access control. They don't have user/group based outbound access control.

HTH,
Tom




steavg -> RE: ISA 2006 performance v Cisco ASA 5500 (29.Jan.2009 4:32:54 PM)

Hunasthore...if you are a CCIE Security you are probably the most incompetent of them all...that being said....

Stating that "One thing to remember about Cisco, THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost."...is as good as stating that Microsoft is a PC software development company (and a crappy one too).

Please get your facts straight:

- The ASA VPN services are not ported from the VPN3000...it's a totally new design (sure, ISA is Proxy 2.0..???)
- Cisco rarely improves anything...well, can you tell me in which domains Juniper improved the NetScreen line?...check out the ASA and get your facts straight

And please don't compare the ISA with a firewall...it does little justice to great firewall products...Checkpoint, Juniper, Fortinet...and yes Cisco ASA...

But hey...it might just be that you didn't pay attention during your CCIE course and are crap at configuring the ASA...or you're one of those blind adepts of Mr Shinder..aka...the most biased independent security expert

just my 2 cents..

Cheers
Stefan




adimcev -> RE: ISA 2006 performance v Cisco ASA 5500 (30.Jan.2009 8:31:12 AM)

I see, in my opinion, some ISA allusions in the above post and I "feel" the need to "correct" them.

I would suggest you read more carefully before posting, and think after you read before you post, as you are missing quite a few details of the entire conversation.[&:]
If you take the phrases out of context and interpret them the way you want, obviously they will sound the way you want (for you and some), poor at best for others.

First, both the people you mention in your post already made clear statements within this thread (and not only) of their preferences, and you didn't do so within this thread, so who's biased, or at least what are you trying to say?[8|]

Last time I checked, Cisco was not a leader in the enterprise network firewalls arena (I'm not speaking from the market share point of view); the leaders were Check Point and Juniper, with Secure Computing in the back offering some "special" things, although Cisco has a big market share (of course, if you can understand that the two things are quite different).

If you wanted to be more accurate or whatever, you could mention that Cisco added new features to their SSL VPN over time, and point to the specific documents per ASA version (that's kids' stuff). Searching through time, although this is an ISA forum, just for the sake of the conversation:
http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/miFeatureDiffs.html#wp1008637
quote:

Mapping Features from the VPN 3000 Concentrators to ASA
WebVPN

VPN 3000
Configurable, available on all models. Offers features available on the latest Release 4.7 VPN 3000 Concentrator sustaining release, including:
•SSL VPN Client
•Cisco Secure Desktop
•Citrix
•NTLM authentication
•PDA support.

ASA
•Support for WebVPN is equivalent to that available on the VPN 3000 Series Concentrator Release 4.1.7.
•WebVPN is not available on PIX hardware.

Please tell me, where was the new "design" within the two links below, at that time, eh?
http://www.securityfocus.com/bid/18419/discuss
http://www.securityfocus.com/archive/1/436479/30/0/threaded

Cisco firewalls are known to have the highest rates of product vulnerabilities in comparison with competitors, so is there anything great in getting p0wned when you deploy something specifically for not getting p0wned?[8D]

Cisco may offer the highest price per Gbps for their firewalls, quite unjustified since "this Gbps is far from being the most secure".

And yes, we can compare ISA with anything, and we are free to do so[sm=tongue.gif], as long as we have and bring arguments, arguments which your post clearly lacks. Anyway and anyhow, this is an ISA *orientated* web site, and politely said, I'm afraid I do not understand the nature of your comments....

ASA indeed offers more features over ISA, due to Microsoft's failure to add new features to ISA, new features that were actually very needed and desired. This aspect was discussed and acknowledged (directly or indirectly) over and over around these forums.
However, almost none of the numerous ASA features are exactly impressive or shiny.

Now, to flame it a little bit[sm=biggrin.gif], tell us with what "application proxy" (or so) ASA is often backed, because, as Marcus Ranum said in a reply to a Cisco fanboy:
http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-05/0117.html
quote:

>Most implementations of stateful firewalls are backed up by application proxies on the most popular protocols such as HTTP and FTP.
Yeah, because they suck. :)


Adrian



