The ISA550W has a zone-based firewall. Note that the firewall functions in the ISA550W do not require the annual license as discussed in the security section.
Predefined zones include the LAN, WAN, DMZ, VPN, SSLVPN, GUEST, and VOICE zones. Additional zones can be created in the Networking menu. Each zone is assigned a trust level from 0 (Untrusted) to 100 (Trusted). Interfaces or VLANs are then assigned to a zone.
Firewall rules, or Access Control Lists (ACLs), can be created to permit or deny traffic based on source and destination zone, traffic type, and source and destination IP or MAC addresses. In the example below, I created a simple rule to deny all HTTP traffic going through the ISA550W. It worked as expected: no one was able to access web sites while this rule was in place.
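To make the zone model concrete, here is a small policy evaluator written for this review as an added example; it is not the ISA550W's code or configuration syntax. Interfaces map to zones, zones carry a trust level, and an ordered rule list is matched on zone, protocol, port, IP network and MAC. The zone names and trust values, the interface names, the addresses and the fallback rule (when no ACL matches, traffic from a zone of equal or higher trust is permitted and traffic toward a higher-trust zone is denied) are all assumptions made for the example. The `DENY_HTTP` list reproduces the deny-all-HTTP rule from the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zone trust levels, 0 (untrusted) to 100 (trusted). Constructed for this
# example; not the device's shipped defaults.
ZONE_TRUST = {"LAN": 100, "DMZ": 50, "GUEST": 25, "WAN": 0}

# Interface/VLAN to zone assignment (constructed).
INTERFACE_ZONE = {"vlan1": "LAN", "vlan10": "GUEST", "eth3": "DMZ", "wan1": "WAN"}


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    src_mac: Optional[str] = None


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    src_mac: Optional[str] = None

    def matches(self, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        return (
            self.src_zone in ("any", src_zone)
            and self.dst_zone in ("any", dst_zone)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and ip_address(pkt.src) in ip_network(self.src_net)
            and ip_address(pkt.dst) in ip_network(self.dst_net)
            and (self.src_mac is None
                 or self.src_mac.lower() == (pkt.src_mac or "").lower())
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). First matching rule wins. With no match, fall
    back to the assumed zone-trust default: equal-or-higher trust toward lower
    trust is permitted, lower trust toward higher trust is denied."""
    src_zone = INTERFACE_ZONE[pkt.in_if]
    dst_zone = INTERFACE_ZONE[pkt.out_if]
    for i, rule in enumerate(rules):
        if rule.matches(pkt, src_zone, dst_zone):
            return rule.action, f"rule {i}"
    src_t, dst_t = ZONE_TRUST[src_zone], ZONE_TRUST[dst_zone]
    action = "permit" if src_t >= dst_t else "deny"
    return action, f"default: {src_zone}({src_t}) -> {dst_zone}({dst_t})"


# The review's example: deny all HTTP, whatever the zones involved.
DENY_HTTP = [Rule("deny", proto="tcp", dport=80)]


def demo() -> dict:
    """Evaluate a few constructed packets against DENY_HTTP."""
    lan_http = Packet("vlan1", "wan1", "tcp", "192.168.75.10", "203.0.113.5", 80)
    lan_https = Packet("vlan1", "wan1", "tcp", "192.168.75.10", "203.0.113.5", 443)
    wan_ssh = Packet("wan1", "vlan1", "tcp", "198.51.100.7", "192.168.75.10", 22)
    guest_smb = Packet("vlan10", "vlan1", "tcp", "192.168.10.5", "192.168.75.10", 445)
    return {
        "lan_http": evaluate(DENY_HTTP, lan_http),
        "lan_https": evaluate(DENY_HTTP, lan_https),
        "wan_ssh": evaluate(DENY_HTTP, wan_ssh),
        "guest_smb": evaluate(DENY_HTTP, guest_smb),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict[0]:6s} ({verdict[1]})")
```

Because matching is first-hit, a permit for one host placed ahead of `DENY_HTTP` would carve out an exception, and a catch-all deny at the end of the list would replace the trust-based default entirely; reading a rule set top to bottom is the way to predict what the firewall will do.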
Firewall ACL Rules
Multiple options exist for Network Address Translation as well. By default, the ISA550W will perform Dynamic PAT (Port Address Translation) out the WAN interfaces. PAT is what most of us think of when we think of NAT. Static NAT rules, Port Forwarding, Port Triggering, and complex NAT rules can also be created to manage traffic source and destination addresses as traffic passes through the router.
If you're not going to use the Web Reputation and URL Filtering feature, you can set up simple firewall rules to block up to 32 websites or keywords and apply them by zone. You can also enable an Application Layer Gateway feature to manipulate traffic headers on SIP, H.323, and FTP traffic.
Other protections in the ISA550W firewall include defenses against TCP and UDP flooding and other DoS attacks. Session limits can be set to cap the total number of traffic flows on the router, with a maximum of 60,000 connections.
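The PAT and session-limit behaviour described above can be shown with a translation table, written for this review as an added example rather than taken from the ISA550W. Outbound flows from inside hosts are rewritten to one WAN address with a unique WAN port, return traffic is mapped back through that entry, unsolicited inbound traffic with neither a session nor a port-forward entry is dropped, and a session cap refuses new flows once it is reached. The WAN address, inside addresses, the 1024-65535 port pool and the cap value used in the demo are constructed; the 60,000 figure is the limit quoted in the text.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatTable:
    """Dynamic PAT on a single WAN address plus static port forwards.

    Hypothetical model for illustration, not the ISA550W's NAT engine."""

    def __init__(self, wan_ip: str, max_sessions: int = 60000,
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.wan_ip = wan_ip
        self.max_sessions = max_sessions          # session limit (60,000 per the review)
        self.lo, self.hi = port_range
        self.next_port = self.lo
        self.used_ports: Set[int] = set()
        # inside flow -> WAN port it was translated to
        self.outbound: Dict[Flow, int] = {}
        # (proto, wan_port, remote_ip, remote_port) -> inside flow
        self.inbound: Dict[Tuple[str, int, str, int], Flow] = {}
        # (proto, wan_port) -> (inside_ip, inside_port): static port forwarding
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def session_count(self) -> int:
        return len(self.outbound)

    def _alloc_port(self) -> Optional[int]:
        """Hand out the next free WAN port, wrapping once through the pool."""
        for _ in range(self.hi - self.lo + 1):
            port = self.next_port
            self.next_port = self.lo if port == self.hi else port + 1
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        return None

    def translate_out(self, flow: Flow) -> Optional[Flow]:
        """Rewrite an inside->outside flow to the WAN address. Returns None when
        the session limit or the port pool is exhausted (packet dropped)."""
        if flow in self.outbound:
            port = self.outbound[flow]            # existing session: reuse mapping
        else:
            if len(self.outbound) >= self.max_sessions:
                return None
            port = self._alloc_port()
            if port is None:
                return None
            self.outbound[flow] = port
            self.inbound[(flow.proto, port, flow.dst, flow.dport)] = flow
        return Flow(flow.proto, self.wan_ip, port, flow.dst, flow.dport)

    def translate_in(self, proto: str, remote_ip: str, remote_port: int,
                     wan_port: int) -> Optional[Flow]:
        """Map a packet arriving on the WAN back to an inside host. Traffic with
        no matching session and no port forward is dropped (None)."""
        inside = self.inbound.get((proto, wan_port, remote_ip, remote_port))
        if inside is not None:
            return Flow(proto, remote_ip, remote_port, inside.src, inside.sport)
        fwd = self.forwards.get((proto, wan_port))
        if fwd is not None:
            return Flow(proto, remote_ip, remote_port, fwd[0], fwd[1])
        return None

    def add_port_forward(self, proto: str, wan_port: int,
                         inside_ip: str, inside_port: int) -> None:
        self.forwards[(proto, wan_port)] = (inside_ip, inside_port)

    def expire(self, flow: Flow) -> None:
        """Remove a finished session and release its WAN port."""
        port = self.outbound.pop(flow, None)
        if port is not None:
            self.inbound.pop((flow.proto, port, flow.dst, flow.dport), None)
            self.used_ports.discard(port)


if __name__ == "__main__":
    t = PatTable("198.51.100.2", max_sessions=2)
    a = Flow("tcp", "192.168.75.10", 5000, "203.0.113.5", 443)
    b = Flow("tcp", "192.168.75.11", 5000, "203.0.113.5", 443)
    print(t.translate_out(a), t.translate_out(b))
    print("third flow:", t.translate_out(Flow("udp", "192.168.75.12", 53, "203.0.113.9", 53)))
```

The demo deliberately sets the cap to two sessions so the refusal path is visible; the reason the reviewer had to disable the UDP flood block to run the maximum-session test is the same dynamic, since a flood protection that rate-limits new flows from one source will refuse sessions long before a 60,000-entry table is full.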
Routing performance for the ISA550W, loaded with 18.104.22.168 firmware and using our standard test method, is summarized in Table 3. We had to create Advanced NAT and firewall rules to allow all services from WAN to LAN test clients, and disable Firewall > Attack Protection > Block UDP Flood, to run the Maximum Session test.
With just the firewall enabled, Cisco rates the ISA550W at 200 Mbps. As you can see from Table 3, the ISA550W meets or exceeds that rating.
| Test | Result |
| --- | --- |
| WAN - LAN throughput (Mbps) | 200.2 |
| LAN - WAN throughput (Mbps) | 255.0 |
| Maximum Simultaneous Connections | 34925 |

Table 3: Routing throughput
The above measurements were performed with only the firewall on the ISA550W enabled. UTM security features such as IPS and anti-virus reduce throughput significantly. With IPS enabled, Cisco rates the ISA550W as capable of 60 Mbps throughput. With all UTM features enabled, Cisco rates the ISA550W at 45 Mbps.
Using the same Iperf methodology I described in the VPN section, I measured the ISA550W throughput with its security features disabled and enabled. Average throughput on the ISA550W with all UTM features disabled was 153 Mbps. Average throughput with IPS enabled was 47.3 Mbps. Average throughput with all UTM features enabled was 44.5 Mbps.
In Table 4, I've compared the Cisco ISA550W throughput with the UTM features on and off to previous UTM devices I've reviewed, including the SonicWall TZ100W and the Zyxel USG100. As you can see, the Cisco ISA550 produces much higher throughput.
| Router | UTM On (Mbps) | UTM Off (Mbps) |
| --- | --- | --- |

Table 4: UTM On / Off Throughput Comparison
All testing was performed with 22.214.171.124 firmware using our standard test process, which uses Channel 1 for 2.4 GHz tests. The test client was our standard Intel Centrino Ultimate-N 6300 with Win7 126.96.36.199 driver.
The ISA550W is Wi-Fi Certified and defaults to auto channel selection and auto 20/40 MHz mode on startup. It also defaults to no wireless security and WPS disabled. After setting WPA2/AES security and enabling WPS, however, the client did not prompt for a WPS session upon first association. So we manually set up WPA2/AES on our test client for all wireless testing.
We did not test whether the ISA550W obeyed 40 MHz coexistence rules or honored the Fat Channel Intolerant bit when enabled.
I ran a simple comparison of overall average performance by filtering the charts for single-band routers only for the 20 MHz mode wireless benchmark. (The charts have been trimmed for space reasons.)
Overall 2.4 GHz downlink performance comparison
The charts above for downlink and below for uplink show the ISA550W in second and third place, respectively. This is impressive, especially considering that the wireless integrated into many security-focused appliances usually seems like an afterthought with middling performance.
Overall 2.4 GHz uplink performance comparison
Cisco ISA500 series devices can be purchased online with a 1- or 3-year warranty, support and UTM license. Table 5 shows pricing as listed on Pricegrabber.com as I write this.
| Model | 1 year | 3 year |
| --- | --- | --- |

Table 5: Cost comparison, 1 and 3 year licenses
Specifically for the ISA550W, if you purchase it with a 1 year contract, you can extend just the support contract to 3 years for $69, which covers technical support and firmware upgrades. Extending the license for the UTM security features will run $187 for a 1 year term or $352 for a 3 year term. Similar pricing applies to the other models.
I tested a SonicWall TZ100W UTM device back in 2009, and was impressed with its throughput at the time. However, the TZ100W I tested in 2009 doesn't have the speed of today's ISA550W. Based on specs, SonicWall's TZ200W is a more apples-to-apples competitor for the ISA550W. The TZ200W and ISA550W have very similar VPN and UTM specs, but the ISA550W has a higher firewall throughput rating (200 Mbps vs. 100 Mbps). Moreover, Pricegrabber.com shows the TZ200W at $459, over $125 more than the ISA550W.
From a performance standpoint, the ISA550W is quite impressive. VPN, routing and wireless throughput on the ISA550W are all quite respectable. It would be nice if configuration performance were a little faster. But it's better to have fast network throughput than a quick configuration menu.
From a security standpoint, the ISA550W has Cisco's SIO team and 1.6 million other devices around the world providing it with the latest protections and updates. Altogether, the Cisco ISA550W makes a pretty solid argument to be your Unified Threat Management device.