"We were very impressed by the technical expertise and rigorous testing methodology that ITS employed while conducting this test." -- Oded Comay, CTO of ForeScout Technologies

Juniper Networks NetScreen-ISG 2000
October 2004
Test No. ITS04002
Product Overview
The Juniper Networks Integrated Security Gateway, the NetScreen-ISG 2000, is designed to deliver scalable network and application security for large enterprise, carrier and datacenter networks. The NetScreen-ISG 2000 is built on Juniper Networks’ next-generation architecture, which includes a fourth-generation security ASIC, the GigaScreen3, high-speed microprocessors and add-on security modules, to provide the predictable multi-gigabit performance the most demanding network segments need.
Independent Validation Claims
From July through September 2004, Independent Testing Services powered by Network Computing Labs (ITS) was contracted by Juniper Networks to independently validate specific capabilities of the NetScreen-ISG 2000. The following claims of Juniper Networks NetScreen-ISG 2000 were subject to open and independent testing verification:
- Functions as a 2-Gbps, low-latency stateful firewall under randomized traffic patterns with varying packet sizes and session loads up to 400,000
- Minimally impacts a heavily utilized Web-centric environment
- Capable of sustaining TCP connection rates beyond 20,000 per second
- Provides 1-Gbps VPN throughput (3DES with SHA1) at varying traffic and packet sizes while establishing 80 tunnels per second
Test Objectives
ITS tested Juniper Networks NetScreen-ISG 2000 to validate performance claims of 2-Gbps firewall and 1-Gbps VPN performance at any packet size using traffic conditions and topologies that simulate real-world environments. Where applicable, tests were performed in both NAT mode and Routed mode. Testing was performed using an environment capable of initiating realistic traffic mixes at gigabit speeds. Testing consisted of the following scenarios:
- Raw Throughput - Low-level packet forwarding and latency performance at 64-, 512- and 1,518-byte packet sizes with single session and 400,000 session loads
- HTTP Performance - Impact on real-world Web traffic using 4-, 16- and 64-kilobyte (KB) response sizes
- TCP Session Rates - Rate for connection establishment in a real-world environment using external-to-internal connection methodology
- IPSec VPN Performance - Tunnel establishment rate and throughput for IPSec 3DES VPN using 64-, 512- and 1,518-byte packet sizes with one, 10 and 100 tunnels
Results Summary
Raw Throughput Validation of 2 Gbps: The NetScreen-ISG 2000 sustained line rate (2-Gbps) performance for all tested traffic conditions except 64-byte packets, which resulted in minor performance degradation (see specific results for more details). Uni-directional latency remained under 45 microseconds (µSec) for all tested packet sizes up to 400,000 concurrent sessions.
Minimal Impact on Heavily Utilized Web-Centric Environment: The results indicated that inserting the NetScreen-ISG 2000 into the test topology had little or no negative impact on HTTP performance.
TCP Session Performance Greater Than 20,000 Sessions Per Second: The NetScreen-ISG 2000 sustained performance between 22,000 and 30,000 TCP connections per second under all conditions tested.
IPSec 3DES Throughput at Gigabit Speeds: The NetScreen-ISG 2000 sustained 1-Gbps performance (including IPSec overhead) without exception for all packet sizes tested. Burst tunnel requests up to 200 tunnels per second were negotiated successfully on a first-come, first-served basis at 80 tunnels per second.