FirePOWER Services for ASA Sizing Guidance and Performance Discussion

FirePOWER Services Sizing Numbers

Note: These are sizing numbers using the “Transactional” performance profile. They are comparable to Sourcefire IPS or Cisco ASA IPS Transactional data sheet numbers. Use these numbers – not headline datasheet numbers – for sizing purposes.

Sizing throughput in Mbps (440-byte HTTP, Transactional profile):

Model              5512-X  5515-X  5525-X  5545-X  5555-X  5585-10  5585-20  5585-40  5585-60
IPS or AVC            100     150     375     575     725     1200     2000     3500     6000
IPS + AVC              75       -     255     360     450      800        -     2100        -
IPS + AVC + AMP        60      85     205     310     340      550      850     1500     2300

(- = no value given on the slide)

Performance: How to measure and Why it matters?

Sizing: Which device do I need to buy? Upgrade of existing or new device?
Features: What features am I going to need or want to run? Firewall, IPS, Application Control, URL, Malware?
Location: Where is the device in the network? In front of a DNS-only datacenter with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages? Datacenter looking at only internal traffic, or Internet Edge looking at the wild Internet?

As with all performance discussions, YOUR MILEAGE MAY VARY!!

How to measure?

Datasheets generally have some indication of performance. In most cases this includes the infamous “throughput” measurement. Different product spaces have different typical “throughput” tests.

The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product. UDP with a 1518-byte packet size is fairly common.

The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than that of firewalls, and partly because of industry choice. TCP 440-byte HTTP is fairly common.

FirePOWER Services on ASA Feature Guidance

Comparable performance to classic IPS on the same platforms with the 440-byte TCP/Transactional profile (same test as the FirePOWER appliance).
If you run AVC or AVC+AMP on top of IPS, reduce throughput by:
  30-45% less for IPS + AVC
  50-65% less for IPS + AVC + AMP
Proportions are generally consistent with FirePOWER Appliances.

Performance Impacts by Location

Location can have direct and indirect impacts on performance.
Direct impact would include different traffic types and different average packet sizes causing a higher workload.
Indirect impact could be the Internet Edge, where the amount of malicious traffic is greater, which might cause more events to be generated or logging load to increase vs an internal-only datacenter.

Location Specific Traffic Profiles

When deploying FirePOWER Services for ASA, the traffic profiles at the location can impact the performance of the device differently than standard test methods.
Educational, ISP, and SMB protocol mixes have a slight impact.
Enterprise applications and Enterprise Datacenter have a greater impact.

FirePOWER Services for ASA Data Sheet (Draft)

It is planned that FirePOWER Services for ASA will include both a maximum throughput number as well as a 440-byte HTTP number more relevant for sizing.

Columns: (A) Maximum Application Control Throughput, (B) Maximum Application Control and IPS Throughput, (C) Application Control or IPS Sizing Throughput (440-byte HTTP). All values in Mbps; - = no value given on the slide.

Model      (A)    (B)    (C)
5512-X     300    150    100
5515-X     500    250      -
5525-X    1100    650    375
5545-X    1500   1000    575
5555-X    1750   1250    725
5585-10   4500   2000   1200
5585-20   7000   3500      -
5585-40  10000   6000      -
5585-60  15000      -      -

How to use the numbers?

Maximum throughput numbers are generally only used to compare datasheets. Because they are tested using traffic types or configuration profiles that do not attempt to represent real deployments, they should not be used for sizing.

Sizing data should always be measured with some sort of traffic that stresses the device. It should also have a configuration that exercises the different inspection paths that normally get used. Connections with a 440-byte HTTP average packet size represent a reasonably difficult traffic profile for most boxes. Multi-protocol tests are potentially better, but they are much harder to reproduce, and it is sometimes hard to understand the real performance stress they provide. 440-byte HTTP is easier to reproduce and approximates the stress on the device much as real-world traffic would.

Sizing Guidance for Upgrade

When replacing an existing service module like Cisco CX or the classic IPS module:
Understand the traffic load the device is seeing.
Understand the inspection load the current device is under.
Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required.
If you run more features, the performance will be impacted (more work is harder than less work!).
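The feature-guidance reductions and the upgrade procedure above can be put into a small sizing helper. This is an added example, not Cisco's tool and not code from the deck: it encodes the deck's 440-byte HTTP sizing table, applies the worst-case feature reduction only where the deck lists no measured number, and checks whether a given platform still keeps up once the planned features are enabled. The 25% headroom default and the sample load are assumptions.

```python
# Added example (not Cisco's tool, not from the deck): apply the deck's sizing table and
# feature-reduction guidance to pick a platform or check an upgrade. Headroom is an assumption.

MODELS = ["5512-X", "5515-X", "5525-X", "5545-X", "5555-X",
          "5585-10", "5585-20", "5585-40", "5585-60"]

# 440-byte HTTP "Transactional" sizing numbers in Mbps, per model, from the sizing slide.
# None marks cells the slide leaves blank.
SIZING_MBPS = {
    "IPS or AVC":      [100, 150, 375, 575, 725, 1200, 2000, 3500, 6000],
    "IPS + AVC":       [75, None, 255, 360, 450, 800, None, 2100, None],
    "IPS + AVC + AMP": [60, 85, 205, 310, 340, 550, 850, 1500, 2300],
}

# Worst case of the feature guidance: IPS+AVC is 30-45% less, IPS+AVC+AMP is 50-65% less
# than the IPS-or-AVC number. Used only where the slide gives no measured value.
WORST_CASE_REDUCTION = {"IPS or AVC": 0.0, "IPS + AVC": 0.45, "IPS + AVC + AMP": 0.65}


def usable_mbps(model, features):
    """Sizing throughput for a model and feature set: measured if published, else derived."""
    i = MODELS.index(model)
    measured = SIZING_MBPS[features][i]
    if measured is not None:
        return measured
    base = SIZING_MBPS["IPS or AVC"][i]
    return int(base * (1 - WORST_CASE_REDUCTION[features]))


def smallest_model(required_mbps, features, headroom=0.25):
    """Smallest model whose sizing number covers the load plus headroom; None if none does."""
    target = required_mbps * (1 + headroom)
    for model in MODELS:
        if usable_mbps(model, features) >= target:
            return model
    return None


def upgrade_check(model, observed_mbps, features):
    """Upgrade slide in code: will the current platform keep up once these features are on?"""
    available = usable_mbps(model, features)
    return {"model": model, "features": features, "available_mbps": available,
            "observed_mbps": observed_mbps, "fits": observed_mbps <= available}


if __name__ == "__main__":
    # Constructed scenario: a 5545-X carrying 400 Mbps of 440-byte HTTP under classic IPS.
    for feats in SIZING_MBPS:
        print(upgrade_check("5545-X", 400, feats))
    print("Smallest box for 300 Mbps with IPS + AVC + AMP:", smallest_model(300, "IPS + AVC + AMP"))
```

Running it shows the upgrade slide's point: the same 5545-X that carries 400 Mbps with IPS only (575 available) no longer fits once AVC (360) or AVC+AMP (310) is switched on.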

FirePOWER Services for ASA vs Cisco ASA-CX

Comparing FirePOWER Services to CX on ASA 5525-X using EMIX (ASA multiprotocol test).
AVC URL: matched applications and HTTP URLs on both platforms.
ASA-CX IPS: around 1000 threats.
FirePOWER Services IPS: Balanced policy with ~4000 sigs.

Throughput                      AVC URL   AVC URL IPS
FirePOWER Services on 5525          750           400
CX on 5525                          675           260

For IPS on SFR: we used “Balanced Security and Connectivity”.
For IPS on CX: default CX IPS policy.
For AVC, 2 rules are configured, one matching SMTP traffic, one matching URL categories.

FirePOWER Services vs ASA Classic IPS

IPS-only test comparing throughput of FirePOWER Services for ASA to the classic IPS-only module. Tested using the same 440-byte HTTP Transactional test that was the benchmark for classic IPS. Values in Mbps.

Model                        5512  5515  5525  5545  5555  5585-10  5585-20  5585-40  5585-60
FirePOWER Services on ASA     100   150   375   575   725     1200     2000     3500     6000
Classic IPS on ASA            150   250   400   600   850     1150     1500     3000     5000

FirePOWER Services vs FirePOWER Appliance

IPS test comparing throughput of FirePOWER Services for ASA to FirePOWER appliances. Tested using the same 440-byte HTTP Transactional test used by Sourcefire. High-end 82xx and 83xx appliances scale from 10 Gbps up to 60 Gbps of IPS. Appliances do not have a published IPS+AVC performance number. Values in Mbps; - = no value given on the slide.

Model        5512  5515  SFR 7030  5525  5545  5555
IPS           100   150       250   375   575   725
IPS + AVC      75     -         -   255   360   450

Model       SFR 7120  5585-10  7125  5585-20  5585-40  8130  8140  5585-60  82xx/83xx
IPS             1000     1200  1250     2000     3500  4000     -     6000     10000+
IPS + AVC          -      800     -        -     2100     -     -        -          -

Upgrading from ASA with Classic IPS to FirePOWER Services for ASA

When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity. Values in Mbps; - = no value given on the slide.

Model                 5512-X  5515-X  5525-X  5545-X  5555-X  5585-10  5585-20  5585-40  5585-60
Classic IPS Module       150     250     400     600     850     1150     1500     3000     5000
FirePOWER AVC or IPS     100     150     375     575     725     1200     2000     3500     6000
IPS + AVC                 75       -     255     360     450      800        -     2100        -
IPS + AVC + AMP           60      85     205     310     340      550      850     1500     2300

This is a general approximation!