September 19, 2023

The Solution Every SMB Needs: Decoding Cybersecurity Appliance Benchmarks


The Trend

In the past few years, the global norm of remote work has popularized SD-WAN (Software-Defined Wide Area Network) and SASE (Secure Access Service Edge) as new approaches to network security. Both SD-WAN and SASE address the needs of modern networking and security in distributed environments. SD-WAN focuses on optimizing wide-area network connectivity and management, while SASE goes a step further by integrating security services into the network edge, enabling secure and direct access to cloud resources.

 

Demand for secure, encrypted connections to corporate networks, within existing cybersecurity architectures, has consistently grown. Encrypted connections ensure the safe transmission of sensitive data and prevent unauthorized people from eavesdropping while allowing authorized users to work remotely regardless of their physical location. Both SD-WAN and SASE offer this functionality in different ways, but at the end of the day, it’s up to corporate IT personnel to decide which cybersecurity approach to deploy.

 


The Challenge

The increasing amount of information needed in today's network applications has consequently amplified the demand for higher bandwidths. Critical issues include expanding storage capacity and improving network performance. In the past, users saw 10GbE port throughput as a mid-level product spec – but not anymore. This feature has now become a common requirement for entry-level appliances, and ODM/OEMs face the challenge of keeping the same cost structure while maintaining server-grade performance. They want to offer this new niche of cost-effective networking appliances not only to enterprises but also to SMBs. Small businesses and local branch offices simultaneously want to experience the convenience of connecting to a 10GbE switch, NAS, or server.

 

While cybersecurity and Ethernet throughput requirements have multiplied, the budgets of SMBs (small clinics, law firms, local branch offices, etc.) have gradually decreased, also as a consequence of recent global upheavals. The development of wireless technologies and cybersecurity measures has encouraged small businesses to migrate to more advanced network equipment. Finding affordable yet high-performing network appliances for these small businesses could therefore become a mission impossible.

NEXCOM Solution

The DNA 1170 Series is a new cybersecurity desktop line, featuring server-grade performance, to meet SMBs’ needs. It’s powered by an Intel Atom® C5315 or C5325 processor (4 or 8 cores, respectively) with embedded Intel® QAT. The DNA 1170 Series features eight 1GbE copper and four 10GbE fiber ports to meet the various requirements for fixed wired connectivity, including the above-mentioned high throughput requirements for 10GbE. DNA 1170W even reserves space for installing 5G/LTE and Wi-Fi 6E modules, thus offering additional wireless routing for IoT and FWA use cases. Redundant power adapters additionally ensure high availability and uninterrupted operations in case of unexpected shutdowns.

 

In addition, the DNA 1170 Series’ design features dynamic, low-noise fans. When network equipment has no dedicated space and must be placed in close vicinity to workspaces, its noise will not disturb employees. If it needs to be incorporated into the server rack, a bracket accessory option is also available.

 

DNA 1170A was tested side by side with a RISC-platform 1U rackmount and an advanced desktop with a lower-performance x86 processor to prove its server-grade performance.

 

The pre-condition of the performance tests was that the three models had equal hardware and software capabilities. TABLE I indicates the final configuration alignment.

 

 

TABLE I
DUT TESTING CONFIGURATION

| Item | DUT1 | DUT2 | DUT3 | All DUTs |
|---|---|---|---|---|
| Model | NSA 6310 | DNA 1170A | DFA 1163M | |
| CPU | NXP Layerscape® LX2160A | Intel Atom® C5325 | Intel Atom® C3758R | 8 cores, 2.2GHz base |
| Memory | DDR4-3200 ECC-UDIMM, 32GB | DDR4 3200 ECC-SO-DIMM, 32GB | DDR4-3200 ECC-UDIMM, 32GB | DDR4, 32GB |
| PCIe | | | | Gen3 |
| Network Interfaces | 4 x 1GbE RJ45 ports; 2 x 10 GbE NIC module slots | 8 x 1GbE RJ45 ports; 4 x 10GbE SFP+ ports | 2 x 2.5GbE RJ45 ports; 10 x 1GbE RJ45 ports; 1 x 1GbE SFP port; 1 x 10GbE SFP+ port | 1 x 1GbE and 1 x 10GbE ports |
| Cryptographic Accelerator | NXP CAAM® | Intel QAT® | Intel QAT® | Algorithm: aes-256-cbc, rsa2048, rsa4096, ecdhp256, ecdsap256, aes-256-gcm |
| OS | NXP LSDK 2004 main (5.4.3-00017-gdd571324a6be) | Ubuntu 20.04.4 LTS (5.4.0-148-generic) | Ubuntu 20.04.6 LTS (5.4.0-148-generic) | Ubuntu 20.04 base |

 

After mapping out all key parameters of the three DUTs, we performed three kinds of benchmarking tests for different cybersecurity applications:

  • Comparing SSL and VPN application-related performance through SSL, HTTPS, and iPerf benchmarking tools.
  • Advanced encryption benchmarking tests, based on CPU.
  • Cipher performance with enabled accelerators.

In the following benchmarking test results tables (TABLE II-V), DNA 1170A’s readings are in the DUT2 column.

 

1. SSL and VPN benchmarking:
TABLE II summarizes the achieved results and shows the output values and factors tested across these three platforms.

 

TABLE II
SSL AND VPN BENCHMARKING TEST RESULTS

| Testing Command / Model | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance (OpenSSL version: 1.1.1f) | | | |
| openssl speed -elapsed -multi 64 des (1024 bytes) | 142838.72k | 146874.74k | 124948.68k |
| openssl speed -elapsed -multi 64 md5 (1024 bytes) | 2637518.99k | 3405596.48k | 3088612.37k |
| openssl speed -elapsed -multi 64 rsa (2048 bits sign/s) | 1953.1 | 4456.6 | 2974.8 |
| HTTPS performance (wrk version: 4.2.0) | | | |
| wrk 1k requests/sec | 130,265.05 | 220,908.37 | 133,152.84 |
| wrk 1k transfer/sec | 158.01MB | 267.97MB | 161.52MB |
| iperf server performance with VPN (WireGuard version: v1.0.20200513) | | | |
| DUT acts as a server with VPN using 1GbE NIC connection | 900 Mbits/sec | 901 Mbits/sec | 901 Mbits/sec |
| DUT acts as a server with VPN using 10GbE NIC connection | 2.31 Gbits/sec | 3.25 Gbits/sec | 2.79 Gbits/sec |

 

In analyzing SSL performance with the “openssl” command, DNA 1170A shows the best performance with the des, rsa, and md5 algorithms. A DUT whose CPU features specialized instruction sets, such as Intel AES-NI, and hardware extensions for security applications will perform better than non-optimized ones.

 

In analyzing HTTPS performance with the “wrk” command, we stress-tested a 1k file size in the client with CPU loads of HTTPS packet transformation in the server to simulate heavy Internet traffic. DNA 1170A spares 10% of CPU resources for other computing tasks and clearly outperforms DUT1 and DUT3 when both are running at 100% CPU capacity.

 

We selected WireGuard VPN to test iperf throughput performance. The DUTs act as servers with both 1GbE and 10GbE network interfaces. The VPN tunnel test shows that DNA 1170A achieves an additional 40% throughput compared to other DUTs for processing 10GbE traffic. This proves that DNA 1170 completely meets SMBs’ or branch offices' requests for safe and speedy data transmission.

 

In conclusion, DNA 1170A with Intel Atom® C5325 processor outperforms in overloaded, complex computing conditions and simulated Internet application environments.

 

2. CPU encryption benchmarking:
The following table shows performance with one CPU core when processing secure cipher operations. Across four different cipher algorithms, DNA 1170A comes out on top, substantially outperforming both competitors.

 

TABLE III
CPU ENCRYPTION BENCHMARK TEST RESULTS

| Testing Command / Model | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed rsa2048 (sign/s) | 219.1 | 509.5 | 371.9 |
| taskset 0x1 openssl speed -elapsed rsa4096 (sign/s) | 31.4 | 73.2 | 52.2 |
| taskset 0x1 openssl speed -elapsed ecdhp256 (op/s) | 4977.4 | 6692.8 | 5461.1 |
| taskset 0x1 openssl speed -elapsed ecdsap256 (sign/s) | 11900.4 | 17075.7 | 12947.8 |

 

3. Cipher performance with enabled accelerators:
All three platforms activated their built-in accelerators (x86) or loaded accelerators (RISC-based). We used the EVP (Envelope Cryptography) test as a benchmark to measure the performance of symmetric encryption algorithms within the OpenSSL library. The test evaluates the speed and efficiency of cryptographic operations through the EVP interface, which provides a higher-level API for performing cryptographic operations in OpenSSL. It allows developers to work with symmetric encryption algorithms without directly accessing the low-level details of each specific algorithm.

 

In the following AES-256-GCM cipher test, the testing factor “taskset 0x1” indicates that only one core was used. Comparing data from the three models, DNA 1170A again achieved the best results, outperforming the other two DUTs by a factor of two.

 

TABLE IV
AES-256-GCM ENCRYPTION BENCHMARKING TEST RESULTS

| Testing Command / Model | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed -evp aes-256-gcm (16384 bytes) | 993837.06k | 2024532.65k | 762522.28k |

 

To compare results with and without accelerators and to analyze baseline differences between ciphers, we tested with and without -evp in OpenSSL. For the AES-256-CBC cipher case, DNA 1170A achieved six times better performance with its accelerator and also tops competitors’ performance without it.

 

The above results show that DNA 1170A outperforms other products in most complex scenarios like repetitive encoding/decoding computations.

 

TABLE V
AES-256-CBC ENCRYPTION BENCHMARKING TEST RESULTS

| Testing Command / Model | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed aes-256-cbc (16384 bits) | 70904.49k | 109019.14k | 66945.02k |
| taskset 0x1 openssl speed -elapsed -evp aes-256-cbc (16384 bits) | 275868.33k | 615639.72k | 412909.57k |
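The with/without -evp comparison described above can be reproduced on any appliance under evaluation with the script below, which is an added example and not part of NEXCOM's test material. It parses the `openssl speed` summary and reports the EVP-to-legacy ratio for the largest block size; the `RUN_BENCH` switch and the sample output are assumptions of this example, and only the final-column sample figures are DUT2's values from TABLE V.

```shell
#!/bin/sh
# Added example (not from the white paper): EVP vs legacy `openssl speed` on one core.

# Read `openssl speed` output on stdin; print the largest-block throughput
# (last column, in 1000s of bytes/s) of the first result row.
# Legacy rows are named "aes-256 cbc" (with a space) and EVP rows
# "aes-256-cbc", so a fixed column index would be off by one; use $NF.
last_block_kbps() {
    awk '/^type / { seen = 1; next }
         seen && $NF ~ /^[0-9.]+k$/ { sub(/k$/, "", $NF); print $NF; exit }'
}

# speedup BASE ACCEL: print ACCEL/BASE with two decimals; fail on an empty or zero base.
speedup() {
    awk -v b="$1" -v a="$2" 'BEGIN { if (b + 0 <= 0) exit 1; printf "%.2f\n", a / b }'
}

# Constructed sample output. Only the final-column figures are DUT2's values
# from TABLE V; all other numbers are made up for illustration.
SAMPLE_LEGACY="The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256 cbc     101000.00k   105000.00k   107000.00k   108000.00k   109000.00k   109019.14k"
SAMPLE_EVP="The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     380000.00k   520000.00k   590000.00k   610000.00k   615000.00k   615639.72k"

# Ratio computed from the constructed sample above.
sample_speedup() {
    base=$(printf '%s\n' "$SAMPLE_LEGACY" | last_block_kbps)
    evp=$(printf '%s\n' "$SAMPLE_EVP" | last_block_kbps)
    speedup "$base" "$evp"
}

# Live run on the machine under test: set RUN_BENCH=1 (assumed switch name).
# Progress lines go to stderr; the summary table goes to stdout.
if [ "${RUN_BENCH:-0}" = 1 ]; then
    base=$(taskset 0x1 openssl speed -elapsed aes-256-cbc 2>/dev/null | last_block_kbps)
    evp=$(taskset 0x1 openssl speed -elapsed -evp aes-256-cbc 2>/dev/null | last_block_kbps)
    echo "legacy=${base}k evp=${evp}k speedup=$(speedup "$base" "$evp")x"
else
    echo "sample speedup: $(sample_speedup)x"
fi
```

The ratio shows what the EVP code path gains over the legacy one on a single core; it does not by itself identify which hardware feature delivered the gain.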

 

Conclusion

At NEXCOM, we’re convinced that there is no best product, only the most suitable one. With limited budgets in the SMB network appliance market, the key to success is finding the most suitable product. The DNA 1170 Series gives you a great cost-performance ratio, flexibility in configuration by choosing from different SKUs, and additional 5G and Wi-Fi expansion capabilities to reserve for future needs in FWA applications.

 

We designed NEXCOM’s DNA 1170 Series with server-grade performance inside a desktop form factor. Besides its networking capabilities (both wired and wireless), it shows unsurpassed results in performing security-related tests and is a perfect choice for cybersecurity applications which every SMB needs.

 
