
Page 1: Independent Network & Security Testing - Lab … (miercom.com › pdf › reports › 20090710.pdf)

Lab Testing Summary Report
July 2009 Report 090710

Product Category: Branch Office Routers
Vendor Tested: Cisco
Products Tested: Cisco ISR 881GW, Cisco ISR 1861, Cisco ISR 2851, Cisco ISR 3845

Cisco’s Branch Office Routers, models 881GW, 1861, 2851 and 3845, were evaluated by Miercom for system throughput with integrated security features enabled. The objective was to validate the security service integration while performance levels were maintained. The need to apply a comprehensive set of granular security policy controls across the network and at branch offices is critical for today’s enterprises. Branch routers that can provide security and network availability while maintaining performance metrics, without the need for additional equipment, are a better solution. Providing this type of service and performance controls equipment costs, data center footprint and IT management requirements.

Miercom tested the integrated security features of the Cisco Branch Office Routers and observed the effectiveness of the security measures and their impact on performance. Our results validate that Cisco Branch Router solutions offer additional security features while maintaining high throughput performance levels, relative to the target environment, across the range. The Cisco Integrated Services Routers, applying a basic firewall and an un-tuned IPS signature set, blocked a substantial portion of the malicious traffic launched by a network penetration test tool. See Figure 1 for throughput with integrated security services enabled on the various models tested.

Key findings and conclusions:

• Cisco Branch routers offer sophisticated security services and resiliency for small and medium branch office deployments through feature integration

• Cisco IOS zone-based firewall, IOS IPS, Content Filtering and DMVPN integrated security services provide granular and flexible policy control

• Attacks and exploits had minimal impact on baseline security performance

• Cisco Branch Routers offer secure mobility and a UC solution which includes wireless LAN security and a trusted firewall for UC voice and video media traffic

• Cisco Branch Routers offer a 3G WAN failover feature providing fault tolerance while maintaining security and productivity policies on the backup link

Figure 1: Throughput for Cisco Branch Routers

Router Model                                               881GW        1861         2851         3845
Throughput with integrated services enabled                12-14 Mbps   15-16 Mbps   41-44 Mbps   45-50 Mbps
Throughput with integrated services enabled and exploits   5-13 Mbps    7.5-8 Mbps   30-32 Mbps   36-40 Mbps

Cisco Branch Office Routers are powered by comprehensive security services integrated in the IOS. Throughput values were measured while running a blend of clean and malicious traffic with IOS security services enabled.

Page 2

Copyright © 2009 Miercom Branch Router Review Page 2

How We Did It

The deployment topology consisted of the Cisco ISR Branch routers connected to a simulated Ethernet WAN environment generated by Spirent Avalanche and Reflector. The test bed consisted of real-world branch office deployment scenarios configured with voice, wireless, data and VPN, each contained in a separate security zone.

The Cisco ISR Branch routers were configured to participate in a Dynamic Multipoint VPN and employed ‘split tunneling’: only private-network traffic was sent over the VPN, with firewall and IPS applied to that private-network traffic. An Internet-based web content reputation service provided content filtering on a subscription basis. Voice call control was provided by Cisco Unified Call Manager on the headquarters network. During the testing of the Cisco ISR Branch routers, integrated security services were enabled and subjected to full-load HTTP traffic while attacks were directed at the routers. We observed and documented the effect on performance and throughput values in this Cisco Branch Office Router review.

We used a combination of penetration test tools, including customized proprietary test scripts and open-source security assessment products. Conventional port-scanning tools were used to identify weak points in the network perimeter. Security scans, including open-port scans, protocol interaction with mutated traffic, common vulnerability exploit tests and DoS, were conducted using a Miercom testing suite combined with the Mu Dynamics (www.mudynamics.com) Mu Test Suite, software version 3.5.4, to assess security effectiveness. The Mu Test Suite was also used to generate denial-of-service traffic with thousands of transport- and network-header variations on valid service-level traffic for the protocols under test.

We also used Ixia’s (www.ixiacom.com) IxDefend to generate exploits and attacks. Ixia’s IxDefend is an advanced security assessment tool that can quickly find quality, resiliency and security exposures across a broad array of applications. It identifies known and zero-day threats in even the most hardened and complex protocol implementations. IxDefend tests over 40 protocols, from link-layer communications all the way up to application protocols. Each protocol in each bundle includes thousands of tests, each with its own detailed online documentation. IxDefend’s tests provide the deepest possible protocol coverage. Spirent’s Avalanche/Reflector tool was used to generate real-world “clean” traffic to verify the performance targets.

Miercom recommends customers conduct their own needs analysis study and test specifically for the expected environment for product deployment before making a selection. Contact [email protected] for additional details on the configurations applied to the system under test and test tools used in this evaluation.

Test Bed Diagram

• Cisco Integrated Services Routers running traffic throughput (based on CPU) with Firewall, IPS, Content Filtering and DMVPN

• Attacking and measuring the throughput impact using a penetration test tool and denial-of-service attack on the router with security features enabled

• Securing the wireless LAN: Cisco IOS Firewall with application inspection and IOS IPS applied between the different SSIDs effectively controls traffic and blocks malicious activity between SSIDs on the branch router

• WAN failover with all security features enabled on the 3G backup link

• Demonstrating content filtering blocking malware/phishing sites when they are browsed, with IOS IPS firing signatures
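The test bed described above places voice, wireless, data and VPN in separate security zones with firewall and IPS inspection between them. The following IOS configuration is an added illustration of how such a zone layout is expressed on an ISR; it is not Miercom’s test-bed configuration or a Cisco-supplied one, and the interface names, zone names, class/policy names and the IPS instance name are assumptions.

```cisco
! Added example (not Miercom's or Cisco's test-bed configuration).
! Zone-based firewall on a branch ISR: four zones matching the report's
! test bed (data, voice, wireless, VPN) with IOS IPS on the DMVPN tunnel.
! Interface, zone, class/policy and IPS names are assumptions.
!
! --- IOS IPS: retire every signature, then un-retire the "advanced" category ---
ip ips config location flash:ips retries 1
ip ips name BRANCH-IPS
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
!
! --- Security zones; interfaces in different zones cannot exchange traffic
!     until a zone-pair with an inspect policy permits it ---
zone security DATA
zone security VOICE
zone security WLAN
zone security VPN
!
! --- Classes: which protocols each zone pair may carry ---
class-map type inspect match-any DATA-TO-VPN-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-any VOICE-TO-VPN-CLASS
 match protocol sip
 match protocol skinny
class-map type inspect match-any WLAN-TO-DATA-CLASS
 match protocol http
 match protocol https
!
! --- Policies: stateful inspection for the permitted classes;
!     class-default drops (and logs) everything else ---
policy-map type inspect DATA-TO-VPN-POLICY
 class type inspect DATA-TO-VPN-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect VOICE-TO-VPN-POLICY
 class type inspect VOICE-TO-VPN-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect WLAN-TO-DATA-POLICY
 class type inspect WLAN-TO-DATA-CLASS
  inspect
 class class-default
  drop log
!
! --- Zone pairs are unidirectional; return traffic is admitted by the
!     inspect session state, not by a reverse pair. With no pair from
!     WLAN to VOICE or VPN, the wireless segment cannot reach them at all. ---
zone-pair security DATA-VPN source DATA destination VPN
 service-policy type inspect DATA-TO-VPN-POLICY
zone-pair security VOICE-VPN source VOICE destination VPN
 service-policy type inspect VOICE-TO-VPN-POLICY
zone-pair security WLAN-DATA source WLAN destination DATA
 service-policy type inspect WLAN-TO-DATA-POLICY
!
! --- Interface membership (assumed interface names) ---
interface Vlan10
 description Data LAN
 zone-member security DATA
interface Vlan20
 description Voice LAN
 zone-member security VOICE
interface Vlan30
 description Wireless LAN SSID
 zone-member security WLAN
interface Tunnel0
 description DMVPN spoke tunnel to headquarters (split tunneling)
 zone-member security VPN
 ip ips BRANCH-IPS in
 ip ips BRANCH-IPS out
!
! Verification from exec mode:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
!   show ip ips signatures count
```

The router’s own traffic (NHRP, routing-protocol hellos, IKE) belongs to the implicit self zone, which is unrestricted by default, so the DMVPN tunnel still comes up without a zone pair for it; the report’s “split tunneling” point corresponds to only private-network prefixes being routed into Tunnel0, where the IPS is applied.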

Page 3

Security Assessment

The Cisco Branch Office Routers, models 881GW, 1861, 2851 and 3845, offer integrated security services including IOS IPS and the IOS zone-based firewall. The Mu Test Suite, IxDefend and open-source tools were used to perform offensive security testing and to evaluate the effectiveness of these features in thwarting attacks. We performed mutated-packet attacks, buffer overflow exploits, DoS, fragmented-packet attacks and attacks on published vulnerabilities.

The Cisco IOS IPS was loaded with Cisco’s advanced set of 568 signatures, which responded by firing signatures before network security could be compromised. The zone-based firewall thwarted application-layer attacks, viruses and worms, and added more flexibility and granularity to the existing IOS stateful inspection. See Figure 1 on page 1.

Throughput Tests

Throughput performance values were measured on HTTP traffic with stateful inspection applied by the Cisco IOS Zone-Based Policy Firewall and Intrusion Prevention System, while we simultaneously directed attacks at the network. The objective of this test was to observe whether the Cisco ISRs’ firewall and IPS inspection, as well as IPsec VPN services, were able to sustain network performance and throughput levels while handling “good” network traffic as well as malicious traffic that violated stateful-inspection firewall and IPS policies. Such security features usually require additional resources to perform intrusion prevention, stateful inspection and IPsec cryptography, increasing CPU utilization and reducing throughput as packets are scanned. During testing of the Cisco routers with security services enabled, we observed that throughput performance was maintained at the expected levels for the target deployments of the various router platforms.

3G WAN Failover

The 3G WAN backup link was evaluated for successful failover while preserving the integrated security features of the Cisco Branch Office Router. We tested this failover feature on the Cisco 881GW branch router. The feature is also available on other platforms that support 3G connectivity. Failover took about 3 minutes to complete VPN connectivity via the 3G link; this time can be reduced for faster convergence by tuning the WAN and VPN configuration. All router-integrated security services were maintained on the 3G failover link. Upon re-establishment of Ethernet WAN connectivity, failback to the primary WAN link completed in less than a minute.

Content Filtering

Content filtering offers policy-based web content control to limit exposure to web sites that could incur liability issues or contribute to lost productivity. Content filtering is a subscription-based service using an Internet-based reputation server. Policy-control parameters include keyword blocking, local black- and white-listing of up to 100 URLs, blocking and allowing by content category, and reputation-based content control. URL filtering was tested by selecting a category of permitted and non-allowed web sites. Content filtering was successful and blocked unwanted web content. Configuration with the user-based policy firewall allowed user-specific content filtering based on credentials provided by the user. User-specific content filtering was verified by accessing the web using credentials for two different users in different access-policy groups and verifying access to content on the Internet.

Control Plane Policing

Control Plane Protection (CPPr), a capability of most Cisco router platforms, protects the Cisco IOS router’s control plane against reconnaissance and DoS attacks. Without CPPr, under attack traffic and heavy traffic load, the Cisco ISR 881GW was unable to maintain routing functionality and network availability. With Control Plane Protection policies in place, however, the Cisco 881GW maintained packet forwarding and routing adjacencies.
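The difference the paragraph above reports (routing lost without CPPr, adjacencies kept with it) comes down to whether anything limits the traffic punted to the router’s CPU. The configuration below is an added example of a CPPr host-subinterface policy plus a port filter; it is not the configuration used in the test and is not Cisco-supplied. The management prefix, policing rates, ACL and class names are assumptions, and the rates in particular must be sized for the platform from observed normal load.

```cisco
! Added example (not from the report). Control Plane Protection (CPPr)
! on an ISR: police what may reach the router's own CPU so that routing,
! DMVPN and management keep working under reconnaissance and DoS load.
! Addresses, rates and names are assumptions.
!
! Weak state: nothing configured under "control-plane host". Every punted
! packet, including a port scan or a flood aimed at the router, then
! competes for CPU with routing-protocol hellos and IKE keepalives.
!
! --- Peers that may manage the router (assumed management prefix) ---
ip access-list extended CPPR-MGMT
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit udp 10.0.0.0 0.255.255.255 any eq snmp
! --- Routing and VPN control traffic ---
ip access-list extended CPPR-ROUTING-VPN
 permit eigrp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
! --- Diagnostic ICMP only ---
ip access-list extended CPPR-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map match-any CPPR-ROUTING-VPN-CLASS
 match access-group name CPPR-ROUTING-VPN
class-map match-any CPPR-MGMT-CLASS
 match access-group name CPPR-MGMT
class-map match-any CPPR-ICMP-CLASS
 match access-group name CPPR-ICMP
!
! --- Host sub-interface policy: routing/VPN control is never dropped,
!     management and ICMP are rate-limited, everything else is tightly
!     policed. Rates (bps) are placeholders; size them from
!     "show policy-map control-plane host" under normal load. ---
policy-map CPPR-HOST-POLICY
 class CPPR-ROUTING-VPN-CLASS
  police 512000 conform-action transmit exceed-action transmit
 class CPPR-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class CPPR-ICMP-CLASS
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 16000 conform-action transmit exceed-action drop
!
! --- Port filter: drop packets addressed to TCP/UDP ports the router is
!     not listening on before they reach process level, which removes
!     the cost of a port scan against the router itself ---
class-map type port-filter match-any CPPR-CLOSED-PORTS
 match closed-ports
policy-map type port-filter CPPR-PORT-FILTER
 class CPPR-CLOSED-PORTS
  drop
!
! --- Apply to the host sub-interface (traffic destined to the router's
!     own addresses); the transit and cef-exception sub-interfaces can
!     carry their own policies ---
control-plane host
 service-policy input CPPR-HOST-POLICY
 service-policy type port-filter input CPPR-PORT-FILTER
!
! Verification from exec mode:
!   show policy-map control-plane host
```

The verification counters are the check worth keeping after deployment: a rising drop count in class-default or the port-filter class under normal conditions means a legitimate protocol was left out of the classes, while drops appearing only during an attack are the feature doing its job.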

Unified Communications Trusted Firewall

The UC trusted firewall feature was evaluated to verify secure Unified Communications. The UC firewall uses Trusted Relay Point (TRP), a software function which authorizes and inspects STUN messages. Once all checks succeed, a bidirectional pinhole is opened through the firewall for the media flow, without the need to blindly open media port ranges. This feature provides a competitive differentiator for Cisco router-based secure UC solutions.

User-based Firewall

The user-based firewall facilitates user-group-based security and differentiated access for various classes of users, as provided by an external authentication/authorization server. Identity-based firewall policy control leverages Cisco’s ‘Tag and Template’ access-control model, wherein the AAA server returns an identity group tag upon validation of user credentials. The user-based firewall was tested in combination with Content Filtering. Two groups, ‘management’ and ‘employee’, were given differentiated web-content policies based on users’ identity. Only the management group was permitted to access web content such as social networking and web-based security brokerages that might lead to lost productivity if employees were not restricted from these sites.

Bottom Line

Cisco’s Branch Office Router solutions maintained high throughput performance, while supporting integrated security features. For additional details on this testing, contact Miercom at [email protected].

Page 4

About Miercom’s Product Testing Services

With hundreds of its product-comparison analyses published over the years in such leading network trade periodicals as Network World, Business Communications Review - NoJitter, Communications News, xchange, Internet Telephony and other leading publications, Miercom’s reputation as the leading, independent product test center is unquestioned. Miercom’s private test services include competitive product analyses, as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Certified Interoperable, Certified Reliable, Certified Secure and Certified Green. Products may also be evaluated under the NetWORKS As Advertised program, the industry’s most thorough and trusted assessment for product usability and performance.


Product names or services mentioned in this report are registered trademarks of their respective owners. Miercom (Mier Communications, Inc.) makes every effort to ensure that information contained within our reports is accurate and complete, but is not liable for any errors, inaccuracies or omissions. Miercom is not liable for damages arising out of or related to the information contained within this report.

Report 090710 [email protected] www.miercom.com

Miercom Performance Verified

Based on Miercom’s review of the performance during testing, the Cisco Branch 881GW, 1861, 2851 and 3845 routers have earned the Performance Verified award.

The Cisco Branch routers maintain throughput while security features are deployed. The integrated services (IOS firewall, IOS Intrusion Prevention System (IPS) and Dynamic Multipoint VPN (DMVPN)), when enabled, did not affect throughput, while preventing network security breaches.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134
www.cisco.com
1-800-553-6387

Cisco ISR Branch Routers