Juniper Networks has achieved a “Recommended” rating from NSS Labs in this year's Data Center Security Gateway (DCSG) report. NSS Labs tested a Juniper SRX5400 firewall with one SPC3 service card, running Application Security and Intrusion Detection Prevention (IDP), using firmware JNPR-11.0-20190316.df99236.
The independent testing focuses on security effectiveness, using simulations of real-world traffic combined with tests designed to determine the exact limits of vendor-submitted security gateways. Results on identical hardware may vary if a different firmware version is in use than the one used during testing.
“Juniper is back. The company is reasserting itself in the data centre with a strong showing and should be on everyone's shortlist.” - NSS Labs DCSG 2019 Security Value Map Comparative Report
The NSS Labs DCSG group tests included server-side evasions. Juniper scored 100% on evasion block rate, 99.62% on exploit block rate and demonstrated an average secured throughput of 13.962 gigabits per second.
Performance of SRX5400
The NSS Labs DCSG includes an entire suite of performance tests. These tests measure throughput, latency and connection saturation under various circumstances. The raw packet performance of the tested SRX5400 was 14,930 Mbps for 64-byte packets, rising to 80,000 Mbps at 512-byte packets and remaining at 80,000 Mbps through to 1514 byte packets.
UDP latency was tested for packets of various sizes, ranging from 64 bytes to 1514 bytes, with average latencies for different packet sizes varying between 36.00 microseconds to 41.55 microseconds. The differences in latencies did not increase or decrease predictably with packet size, meaning that the detected variations are likely due to the latencies being so low as to have hit the statistical noise floor of our ability to measure them.
In this configuration, the tested SRX5400 was determined to have a theoretical maximum of 5,638,689 concurrent TCP Connections. It was assessed by NSS Labs as being able to establish 127,900 new TCP connections per second. NSS Labs also measured the tested SRX5400 as being able to handle the creation of 152,200 new HTTP connections per second and 329,400 HTTP transactions per second.
HTTP capacity tests were run in order to stress the HTTP detection engine. The tested SRX5400 was determined to be able to provide 41,190 Connections Per Second (CPS) and 16,467 Mbps of throughput for the 44KB response tests. The other end of that test series saw 115,300 CPS and 2,883 Mbps.
NSS Labs also examined how much latency is added to HTTP application response time by the firewalls protecting those applications. In the tested configuration, at 95% load, the SRX5400 added an average of 4.86 milliseconds to HTTP requests with a 44-kilobyte response and 1.33 milliseconds to HTTP requests with a 1.7-kilobyte response.
The tested SRX5400 was demonstrated to be able to sustain 4,242 connections per second at a connection density of 250 connections per Gb of traffic. It was able to sustain 7,077 connections at a connection density of 500 connections per Gb of traffic and 12,170 connections at a connection density of 1,000 connections per Gb of traffic.
Simulations of "real-world traffic" were performed using various common applications and traffic types. In the tested configuration, file share (FTP) traffic offered the highest throughput at 28,870 Mbps, followed closely by video (Netflix, YouTube and HTTP live streaming) traffic at 23,890 Mbps. Database (DB2, MSSQL and MySQL) traffic represented a midpoint with the SRX offering 15,031 Mbps of throughput, while Financial Information eXchange (FIX) traffic proved the most demanding with the SRX delivering 3,760 Mbps of throughput.
