In the past few years, the global norm of remote work has popularized SD-WAN (Software-Defined Wide Area Network) and SASE (Secure Access Service Edge) as new approaches to network security. Both SD-WAN and SASE address the needs of modern networking and security in distributed environments. SD-WAN focuses on optimizing wide-area network connectivity and management, while SASE goes a step further by integrating security services into the network edge, enabling secure and direct access to cloud resources.
Demand for secure, encrypted connections to corporate networks, within existing cybersecurity architectures, has consistently grown. Encrypted connections ensure the safe transmission of sensitive data and prevent unauthorized people from eavesdropping while allowing authorized users to work remotely regardless of their physical location. Both SD-WAN and SASE offer this functionality in different ways, but at the end of the day, it’s up to corporate IT personnel to decide which cybersecurity approach to deploy.
The increasing amount of information needed in today's network applications has consequently amplified the demand for higher bandwidths. Critical issues include expanding storage capacity and improving network performance. In the past, users saw 10GbE port throughput as a mid-level product spec – but not anymore. This feature has now become a common requirement for entry-level appliances, and ODM/OEMs face the challenge of keeping the same cost structure while maintaining server-grade performance. They want to offer this new niche of cost-effective networking appliances not only to enterprises but also to SMBs. Small businesses and local branch offices simultaneously want to experience the convenience of connecting to a 10GbE switch, NAS, or server.
While cybersecurity and Ethernet throughput requirements have multiplied, the budgets of SMBs (small clinics, law firms, local branch offices, etc.) have gradually decreased, also as a consequence of recent global upheavals. The development of wireless technologies and cybersecurity measures has encouraged small businesses to migrate to more advanced network equipment. Therefore, it could become mission impossible to find affordable yet high-performing network appliances for these small businesses.
The DNA 1170 Series is a new cybersecurity desktop line, featuring server-grade performance, to meet SMBs’ needs. It’s powered by an Intel Atom® C5315 or C5325 processor (4 or 8 cores, respectively) with embedded Intel® QAT. The DNA 1170 Series features eight 1GbE copper and four 10GbE fiber ports to meet the various requirements for fixed wired connectivity, including the above-mentioned high throughput requirements for 10GbE. DNA 1170W even reserves space for installing 5G/LTE and Wi-Fi 6E modules, thus offering additional wireless routing for IoT and FWA use cases. Redundant power adapters additionally ensure high availability and uninterrupted operations in case of unexpected shutdowns.
In addition, the DNA 1170 Series’ design features dynamic, low-noise fans. When network equipment has no dedicated space and must be placed in close vicinity to workspaces, its noise will not disturb employees. If it needs to be incorporated into the server rack, a bracket accessory option is also available.
DNA 1170A was tested side by side with a RISC-platform 1U rackmount and an advanced desktop with a lower-performance x86 processor to prove its server-grade performance.
The pre-condition of the performance tests was that the three models had equal hardware and software capabilities. TABLE I indicates the final configuration alignment.
TABLE I
DUT TESTING CONFIGURATION

| Item | DUT1: NSA 6310 | DUT2: DNA 1170A | DUT3: DFA 1163M | Aligned for testing (all DUTs) |
|---|---|---|---|---|
| CPU | NXP Layerscape® LX2160A | Intel Atom® C5325 | Intel Atom® C3758R | 8 cores, 2.2GHz base |
| Memory | DDR4-3200 ECC-UDIMM, 32GB | DDR4-3200 ECC-SO-DIMM, 32GB | DDR4-3200 ECC-UDIMM, 32GB | DDR4, 32GB |
| PCIe | | | | Gen3 |
| Network Interfaces | 4 x 1GbE RJ45 ports; 2 x 10GbE NIC module slots | 8 x 1GbE RJ45 ports; 4 x 10GbE SFP+ ports | 2 x 2.5GbE RJ45 ports; 10 x 1GbE RJ45 ports; 1 x 1GbE SFP port; 1 x 10GbE SFP+ port | 1 x 1GbE and 1 x 10GbE ports |
| Cryptographic Accelerator | NXP CAAM® | Intel QAT® | Intel QAT® | Algorithm: aes-256-cbc, rsa2048, rsa4096, ecdhp256, ecdsap256, aes-256-gcm |
| OS | NXP LSDK 2004 main (5.4.3-00017-gdd571324a6be) | Ubuntu 20.04.4 LTS (5.4.0-148-generic) | Ubuntu 20.04.6 LTS (5.4.0-148-generic) | Ubuntu 20.04 base |

After mapping out all key parameters of the three DUTs, we performed three kinds of benchmarking tests for different cybersecurity applications:
In the following benchmarking test results tables (TABLE II-V), DNA 1170A’s readings are in the DUT2 column.
1. SSL and VPN benchmarking:
TABLE II summarizes the achieved results and shows the output values and factors tested across these three platforms.
TABLE II
SSL AND VPN BENCHMARKING TEST RESULTS

| Testing Command | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance (OpenSSL version: 1.1.1f) | | | |
| openssl speed -elapsed -multi 64 des (1024 bytes) | 142838.72k | 146874.74k | 124948.68k |
| openssl speed -elapsed -multi 64 md5 (1024 bytes) | 2637518.99k | 3405596.48k | 3088612.37k |
| openssl speed -elapsed -multi 64 rsa (2048 bits sign/s) | 1953.1 | 4456.6 | 2974.8 |
| HTTPS performance (wrk version: 4.2.0) | | | |
| wrk 1k requests/sec | 130,265.05 | 220,908.37 | 133,152.84 |
| wrk 1k transfer/sec | 158.01MB | 267.97MB | 161.52MB |
| iperf server performance with VPN (WireGuard version: v1.0.20200513) | | | |
| DUT acts as a server with VPN using 1GbE NIC connection | 900 Mbits/sec | 901 Mbits/sec | 901 Mbits/sec |
| DUT acts as a server with VPN using 10GbE NIC connection | 2.31 Gbits/sec | 3.25 Gbits/sec | 2.79 Gbits/sec |

In analyzing SSL performance with the “openssl” command, DNA 1170A shows the best performance with the des, rsa, and md5 algorithms. A DUT whose CPU features specialized instruction sets, such as Intel AES-NI, and hardware extensions for security applications will perform better than non-optimized ones.
In analyzing HTTPS performance with the “wrk” command, we stress-tested a 1k file size in the client with CPU loads of HTTPS packet transformation in the server to simulate heavy Internet traffic. DNA 1170A spares 10% of CPU resources for other computing tasks and clearly outperforms DUT1 and DUT3 when both are running at 100% CPU capacity.
We selected WireGuard VPN to test iperf throughput performance. The DUTs act as servers with both 1GbE and 10GbE network interfaces. The VPN tunnel test shows that DNA 1170A achieves an additional 40% throughput compared to other DUTs for processing 10GbE traffic. This proves that DNA 1170 completely meets SMBs’ or branch offices' requests for safe and speedy data transmission.
In conclusion, DNA 1170A with Intel Atom® C5325 processor outperforms in overloaded, complex computing conditions and simulated Internet application environments.
2. CPU encryption benchmarking:
The following table shows performance with one CPU core when processing secure cipher operations. Across four different cipher algorithms, DNA 1170A comes out on top, substantially outperforming both competitors.
TABLE III
CPU ENCRYPTION BENCHMARK TEST RESULTS

| Testing Command | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed rsa2048 (sign/s) | 219.1 | 509.5 | 371.9 |
| taskset 0x1 openssl speed -elapsed rsa4096 (sign/s) | 31.4 | 73.2 | 52.2 |
| taskset 0x1 openssl speed -elapsed ecdhp256 (op/s) | 4977.4 | 6692.8 | 5461.1 |
| taskset 0x1 openssl speed -elapsed ecdsap256 (sign/s) | 11900.4 | 17075.7 | 12947.8 |

3. Cipher performance with enabled accelerators:
All three platforms activated their built-in accelerators (x86) or loaded accelerators (RISC-based). We used the EVP (Envelope Cryptography) test as a benchmark to measure the performance of symmetric encryption algorithms within the OpenSSL library. The test evaluates the speed and efficiency of cryptographic operations through the EVP interface, which provides a higher-level API for performing cryptographic operations in OpenSSL. It allows developers to work with symmetric encryption algorithms without directly accessing the low-level details of each specific algorithm.
In the following AES-256-GCM cipher test, the “taskset 0x1” prefix indicates that the test ran on only one core. Comparing data from the three models, DNA 1170A again achieved the best results, outperforming the other two DUTs by a factor of two.
TABLE IV
AES-256-GCM ENCRYPTION BENCHMARKING TEST RESULTS

| Testing Command | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed -evp aes-256-gcm (16384 bytes) | 993837.06k | 2024532.65k | 762522.28k |

To compare the results using accelerators and to analyze baseline differences in ciphers, we tested with and without -evp in OpenSSL. For the AES-256-CBC cipher case, DNA 1170A achieved six times better performance with its accelerator and also tops competitors’ performance without it.
The above results show that DNA 1170A outperforms other products in most complex scenarios like repetitive encoding/decoding computations.
TABLE V
AES-256-CBC ENCRYPTION BENCHMARKING TEST RESULTS

| Testing Command | DUT1 | DUT2* | DUT3 |
|---|---|---|---|
| SSL performance with OpenSSL version: 1.1.1f | | | |
| taskset 0x1 openssl speed -elapsed aes-256-cbc (16384 bits) | 70904.49k | 109019.14k | 66945.02k |
| taskset 0x1 openssl speed -elapsed -evp aes-256-cbc (16384 bits) | 275868.33k | 615639.72k | 412909.57k |

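The with/without -evp comparison described above can be computed directly from `openssl speed` output. This is an added example, not part of the original page or NEXCOM's test tooling: the function names are hypothetical, and the sample output is constructed around DUT2's largest-block figures from TABLE V.

```shell
#!/bin/sh
# Added example (not NEXCOM's tooling); all function names are hypothetical.

# Print the throughput for the largest block size from `openssl speed` output
# read on stdin. The result row is the only line whose last field looks like
# "123.45k". A fixed column index would break because the low-level test
# labels its row "aes-256 cbc" (two fields) while -evp prints "aes-256-cbc".
last_throughput_k() {
    awk '$NF ~ /^[0-9]+(\.[0-9]+)?k$/ { v = $NF; sub(/k$/, "", v) }
         END { if (v == "") exit 1; print v }'
}

# speedup BASE ACCEL -> ACCEL/BASE with two decimals
speedup() {
    awk -v b="$1" -v a="$2" 'BEGIN { if (b + 0 <= 0) exit 1; printf "%.2f\n", a / b }'
}

# bench_one_core [-evp] CIPHER: the page's command, pinned to CPU 0.
bench_one_core() {
    taskset 0x1 openssl speed -elapsed "$@" 2>/dev/null | last_throughput_k
}

# Constructed sample output: only the last-column figures are the DUT2 values
# from TABLE V; the other columns are made up to give the rows a realistic shape.
sample_lowlevel() {
    cat <<'EOF'
Doing aes-256 cbc for 3s on 16384 size blocks: 19962 aes-256 cbc's in 3.00s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256 cbc     101200.10k   105300.20k   107400.30k   108500.40k   108900.50k   109019.14k
EOF
}
sample_evp() {
    cat <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     402100.10k   548200.20k   598300.30k   611400.40k   615100.50k   615639.72k
EOF
}

if [ "${RUN_LIVE:-0}" = 1 ]; then   # live run needs openssl and taskset (util-linux)
    base=$(bench_one_core aes-256-cbc) && accel=$(bench_one_core -evp aes-256-cbc) || exit 1
else
    base=$(sample_lowlevel | last_throughput_k)
    accel=$(sample_evp | last_throughput_k)
fi
echo "low-level: ${base}k  evp: ${accel}k  ratio: $(speedup "$base" "$accel")x"
```

Set `RUN_LIVE=1` to run the two pinned benchmarks on the local machine instead of the embedded sample.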
At NEXCOM, we’re convinced that there is no best product, only the most suitable one. With limited budgets in the SMB network appliance market, the key to success is finding the most suitable product. The DNA 1170 Series gives you a great cost-performance ratio, flexibility in configuration by choosing from different SKUs, and additional 5G and Wi-Fi expansion capabilities to reserve for future needs in FWA applications.
We designed NEXCOM’s DNA 1170 Series with server-grade performance inside a desktop form factor. Besides its networking capabilities (both wired and wireless), it shows unsurpassed results in performing security-related tests and is a perfect choice for cybersecurity applications which every SMB needs.