Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff
Cisco is proud to announce the availability of the Miercom performance report that compares the performance, scalability, and “greenness” of the Cisco ASA 5580 versus key datacenter security competitors. The Cisco ASA 5580-40 crushed the competition, delivering significantly stronger results, including 5-7X the scalability of competitors, and proved to be the only viable product for securing 10 Gbps applications. With the latest Miercom Enterprise Firewall Lab Test you can fully understand the performance and scalability that hundreds of satisfied Cisco ASA 5580 customers already rely on to protect mission-critical networks and applications, without having to procure hundreds of thousands of dollars in testing gear.
You can view the performance report here: ASA5580Miecom Report


Comment by Alan on 30 July 2008:
I wonder how the performance of the ASA5520 compares to the ASA5580?
Comment by Frank on 30 July 2008:
Not so well?
Use the “model comparison” @ cisco.com to see how they compare in performance.
Comment by George Murage on 31 July 2008:
I always wonder about the objectivity of Miercom tests. I am pretty sure that Juniper, Checkpoint and Nokia have their own ‘independent tests’ that show that the converse is also true… which ends up being very confusing.
Comment by Frank on 31 July 2008:
Actually, this time they don’t have anything that compares. A couple of my larger customers considering the 5580 as a replacement for existing installations have been told by CheckPoint/Nokia to wait until “Christmas/Spring” timeframe before deciding as they will have new products out by then. As Cisco says though, the 5580 is here now, not in a year or so.
Comment by Plasma on 1 August 2008:
Any time I see a test report that says management tools for anything Cisco are better than the competitors’, I am suspect. I will admit and agree the admin interfaces are good for a certain range of customers, but for others a lot of improvement is needed.
Comment by Joe Harris on 1 August 2008:
“but for others a lot of improvement is needed.” and what types of improvements would you suggest?
Comment by JVH on 1 August 2008:
I agree with Plasma. I haven’t used ASDM in a version or two, but I know at that time the Checkpoint interface was much more intuitive to use. IDS/IPS was clearly an afterthought requiring a completely separate interface. Similarly, the log search and filtering functionality in Checkpoint was straightforward whereas ASDM was somewhat more limited. I hope it’s gotten better. Obviously Miercom thinks it has.
Comment by Frank on 1 August 2008:
Well, you can’t really compare the Checkpoint management center with ASDM. Checkpoint management needs its own server (ASDM is a small Java applet) and is more comparable to a CSM+MARS combo that’s in my opinion a better solution overall. It’s roughly the same price in some installations and the benefit of MARS included for “free”.
Comment by Ian on 1 August 2008:
I think Cisco products are excellent and the ASA has really taken their firewall product to the next level but I’m a bit sceptical at how much it’s hammered Checkpoint/Nokia by. Also, Checkpoint’s management GUI is far better than ASDM in my opinion and I have plenty of experience with both. For starters you can’t drag and drop objects in ASDM or acquire an exclusive lock while configuring, which causes problems when you have multiple administrators, not to mention the fact that the Java front end eats your machine’s resources.
The test also doesn’t compare the vendors at a suitable level from what I can see. The IBM hardware that Checkpoint has been run in comes in at around $3k whereas the ASA comes in at approx $40k.
I must say I was surprised to see such low performance from the Nokia/Checkpoint combo however.
Cisco will dominate the security market in ten years I think but they need to continue to evolve their products. ASDM would be a good place to start. I’m not anti-Cisco, quite the opposite actually, but I do think the test conclusion is very biased.
Thanks for the info, it was a good read!
Comment by John D on 5 August 2008:
http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5200_slash_netscreen_5400/
Here are Juniper’s two competing offerings… The 5200 is supposed to do 10gbps, and the 5400 is supposed to do 30gbps. I would base any throughput findings on a YMMV test, performed with your specific traffic flows.
Cisco *has* impressed me in every way, especially with advertised performance. I used Netscreens for years, since the PIX was getting a little long in the tooth. I would never go back now, especially since there’s finally a standalone ASA that can do more than the meh ~ 1gbps mark. If you use Catalysts, the ACE module also offers amazing in-chassis firewall performance. A large content provider I used to work for is deploying standalone ASA 5580 firewalls (20gbps sites), but I would definitely put the ACE module on my shortlist for any similar deployment.
The ACE modules are 16gbps throughput ea., with up to 4 modules per chassis, and also do load balancing. I knew plenty of people that killed the FWSMs, but I haven’t spoken with anyone that has tapped out an ACE-based chassis.
Comment by JackB on 6 August 2008:
One comment with regard to Juniper NS 5200 and 5400 performance. Claiming something on the datasheets and being able to achieve those numbers are two different things. Also look at the connection per second (CPS) numbers. Good Lord! Even at the datasheet numbers ASA 5580 still has 5 times higher connection setup rate: 30K CPS (NS 5200/5400) vs. 150K CPS. Not to mention that the Miercom test showed significantly higher CPS #s (182K cps vs. 14K). In an environment where connections are short-lived (web?), 14K cps just won’t cut it.