The “hardware” firewall vendors are beginning to feel the heat! I’ve heard from an increasing number of ISA firewall admins who are being approached by “hardware” firewall sales guys and being subjected to absurd fictional accounts of the ISA firewall’s capabilities and feature sets. The latest salvo of FUD shots has centered around the VPN space.
This got me thinking about what the ISA firewall offers in terms of VPN performance. I’ve been aware for some time that “hardware” firewall vendors have claimed to support almost 100Mbps VPN throughput on their ultra-costly VPN boxes. I’ve heard quotes that the ISA firewall supported “around” 20Mbps. This major disconnect between “hardware” VPN servers and the ISA firewall’s VPN service and gateway didn’t make a whole lot of sense. But I’ve always had other things to do and no one was pressing me for real numbers, so I didn’t try to reconcile the inconsistencies between the ISA firewall’s VPN and “hardware” VPN servers.
Now that the “hardware” VPN and packet filtering guys feel the ISA firewall heat and have started to launch their sales campaigns against the ISA firewall, I decided to check out what the real performance numbers are for the ISA firewall compared to the old school “hardware” guys.
OK, get this. If we mirror an ISA firewall VPN configuration so that it’s similar to what you see in a typical “hardware” stateful packet inspection firewall doing double duty as a VPN server, here’s what you see:
ISA Firewall Remote Access VPN throughput = 76Mbps
ISA Firewall Site to Site VPN throughput = 162Mbps
(Source: Best Practices for Performance in ISA Server 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2…s.mspx)
Hey “hardware” firewall guy, put those numbers in your pipe and smoke it!
Thomas W Shinder, M.D.
MVP — ISA Firewalls