European Advanced Networking Test Center
Robustness and Performance Evaluation of Firewall and VPN Services
Bernd Klusmann, Project Manager, EANTC AG
Presentation Topics
§ Introduction EANTC
§ Need for Testing?
§ How to Test?
§ Test Equipment
§ Test Experience / Results
§ Oncoming Public Test Events
§ Conclusion
CeBIT 2002, Robustness and Performance Evaluation of Firewall and VPN Services, Slide 2
About EANTC
EANTC is a highly specialised provider of services in the field of network technologies.
EANTC offers vendor independent network quality assurance.
EANTC business areas are:
§ Test and certification of network components for manufacturers.
§ Test of high-speed enterprise / service provider networks and network design consultancy.
§ Research and development of test methods and analysis tools.
§ Vendor-neutral technology seminars (both ATM & MPLS).
EANTC, Berlin-Charlottenburg
Need for Testing?
Why Test Firewalls and VPN Gateways?
§ Rapid rise in firewall and VPN deployment
§ Users are unsure about the performance of available products
§ Implementations vary widely, so direct comparison is difficult
§ Edge transport speed increases
§ Firewalls between internal networks require high performance
§ Learn about effects on flow parameters like throughput and latency
How to Test?
Internet Engineering Task Force, Benchmarking Work Group
§ RFC 2647: Benchmarking Terminology for Firewall Performance
§ Draft: Benchmarking Methodology for Firewall Performance
Further topics:
§ IP(Sec)-VPN technology testing
§ Control plane and data plane tests
How to Test: RFC 2647
Benchmarking Terminology for Firewall Performance
§ Based on specs of router and switch benchmarking terminology RFC 1242 and RFC 2285
§ Forwarding rate and connection oriented measurements
§ Definition of Terms
  § Allowed traffic
  § Connection
  § Bit forwarding rate
  § Goodput
  § .....
How to Test: IETF Methodology Draft
Independent of implementation
§ From simple packet filtering ....
§ ...to complex combination of packet filtering, application level proxy and network translation services
Test Setup Methodology
Detailed Test Specifications
How to Test: IETF Methodology Draft
Test Setup Methodology
§ Dual- and tri-homed, Test Traffic Requirements, NAT, Rule Sets, Caching
[Diagram: dual-homed setup (un-protected | protected) and tri-homed setup (un-protected | protected | DMZ); DMZ = DeMilitarized Zone]
How to Test: IETF Methodology Draft
§ Concurrent TCP Connection Capacity
§ Maximum TCP Connection Setup Rate
§ Connection Establishment and Teardown Time
§ DoS (Denial of Service) Handling: effect on connection establishment and/or forwarding rate
§ HTTP bit forwarding rate (RFC 2647)
§ IP Fragmentation
§ Illegal Traffic Handling
§ Latency of network-layer or application-layer data
[Diagram: TCP connection establishment via firewall]
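The test cases listed on this slide are expressed in RFC 2647 quantities (concurrent connections, setup rate, establishment time, bit forwarding rate, goodput). As an added example that is not part of the EANTC slides or of any test tool named here, the following Python derives those figures from a constructed record of one test run: a list of TCP connection attempts, a list of frames forwarded by the device under test, and a stepped setup-rate trial. The record layout, the function names and every sample value are assumptions made for illustration, not results from the tests described.

```python
"""Added example (not from the EANTC slides): derive RFC 2647-style
firewall benchmark figures from a constructed record of one test run.
Every number below is made up for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    """One TCP connection attempt through the DUT/SUT (times in ms)."""
    syn_ms: int                     # client sent SYN
    established_ms: Optional[int]   # handshake completed, None if it failed
    closed_ms: Optional[int]        # teardown completed, None if still open


@dataclass
class Pkt:
    """One frame observed on the protected-side interface (constructed)."""
    t_ms: int
    wire_bytes: int      # full frame length as seen on the wire
    payload_bytes: int   # application-layer bytes carried
    retransmit: bool     # TCP retransmission of data already sent once


# Constructed sample: six connection attempts, one refused, one still open.
SAMPLE_CONNS = [
    Conn(0, 10, 2000),
    Conn(100, 120, 1500),
    Conn(200, 230, 1200),
    Conn(300, None, None),     # dropped by the rule set or lost under load
    Conn(1000, 1020, 3000),
    Conn(1600, 1630, None),
]

# Constructed sample: four forwarded frames within a one-second window.
SAMPLE_PKTS = [
    Pkt(100, 1518, 1460, False),
    Pkt(200, 1518, 1460, False),
    Pkt(300, 1518, 1460, True),   # retransmission: forwarded, but not goodput
    Pkt(400, 64, 0, False),       # pure ACK, no application payload
]

# Constructed step-test result: (offered rate in conn/s, attempted, established)
SAMPLE_RATE_STEPS = [
    (100, 100, 100),
    (200, 200, 200),
    (400, 400, 400),
    (800, 800, 790),
    (1600, 1600, 1400),
]


def concurrent_connection_capacity(conns):
    """Peak number of simultaneously established connections.
    Sweep open/close events in time order; at equal timestamps a close
    (-1) sorts before an open (+1) so a slot is never counted twice."""
    events = []
    for c in conns:
        if c.established_ms is not None:
            events.append((c.established_ms, +1))
            if c.closed_ms is not None:
                events.append((c.closed_ms, -1))
    open_now = peak = 0
    for _, delta in sorted(events):
        open_now += delta
        peak = max(peak, open_now)
    return peak


def max_connection_setup_rate(steps):
    """Highest offered rate at which every attempted connection was
    established (the methodology draft's maximum setup rate search,
    here read back from the recorded steps)."""
    passing = [offered for offered, attempted, established in steps
               if established == attempted]
    return max(passing) if passing else 0


def mean_establishment_time_ms(conns):
    """Average SYN-to-established time over successful connections."""
    times = [c.established_ms - c.syn_ms for c in conns
             if c.established_ms is not None]
    return sum(times) / len(times) if times else None


def failed_connections(conns):
    """Attempts the DUT/SUT never completed (refused, dropped or timed out)."""
    return sum(1 for c in conns if c.established_ms is None)


def bit_forwarding_rate(pkts, t0_ms, t1_ms):
    """Bits of allowed traffic forwarded per second within the window."""
    bits = sum(p.wire_bytes * 8 for p in pkts if t0_ms <= p.t_ms < t1_ms)
    return bits / ((t1_ms - t0_ms) / 1000)


def goodput(pkts, t0_ms, t1_ms):
    """Application-layer bits per second, excluding retransmissions
    (RFC 2647 goodput leaves out lost or retransmitted bits)."""
    bits = sum(p.payload_bytes * 8 for p in pkts
               if t0_ms <= p.t_ms < t1_ms and not p.retransmit)
    return bits / ((t1_ms - t0_ms) / 1000)


if __name__ == "__main__":
    print("concurrent connection capacity:", concurrent_connection_capacity(SAMPLE_CONNS))
    print("max TCP connection setup rate :", max_connection_setup_rate(SAMPLE_RATE_STEPS), "conn/s")
    print("mean establishment time       :", mean_establishment_time_ms(SAMPLE_CONNS), "ms")
    print("failed connections            :", failed_connections(SAMPLE_CONNS))
    print("bit forwarding rate           :", bit_forwarding_rate(SAMPLE_PKTS, 0, 1000), "bit/s")
    print("goodput                       :", goodput(SAMPLE_PKTS, 0, 1000), "bit/s")
```

The gap between `bit_forwarding_rate` and `goodput` on the same window is the point of keeping both terms: a device that forwards every frame, including retransmissions and bare ACKs, can report a healthy forwarding rate while the application-layer figure tells a different story.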
How to Test: Further Topics
First solutions appear for IP(Sec)-VPN tests:
§ tunnel creation capacity testing using IPSec protocols
§ measuring data performance (UDP or HTTP traffic) characteristics over the created tunnels
§ helping in troubleshooting interop issues
[Diagram: protected network | Internet | protected network, joined by a VPN tunnel]
Test Experience / Results
Public test series: Firewall Appliances for NetworkWorld Germany
Appliances with stateful inspection and VPN feature
Target customers: enterprises with up to 500 clients
Test Experience / Results
Test Scenario IP Performance (throughput and latency)
§ Two appliances built SUT/DUT
§ Real world scenario: different packet sizes and different numbers of IP clients simulating a LAN – LAN VPN
[Diagram: Protected Enterprise Network, Headquarter Munich, linked to Protected Enterprise Network, Office Hamburg; one path 3DES Encrypted, one path No Encryption]
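This scenario compares a 3DES-encrypted path with an unencrypted one across different packet sizes, and the methodology draft's IP fragmentation case is closely related. As an added example, not part of the slides or of the tested appliances, the Python below models the ESP tunnel-mode overhead that produces the size-dependent difference. It assumes ESP with 3DES-CBC (8-byte blocks, 8-byte IV), HMAC-SHA1-96 (12-byte ICV), a new 20-byte IPv4 outer header and standard Ethernet framing; with those assumptions it computes the encapsulated packet size, the largest inner packet that still fits a 1500-byte MTU without fragmentation, and the line-rate goodput bound with and without encryption. The function names and the parameter values are this example's own choices.

```python
"""Added example (not from the EANTC slides): why measured VPN throughput
depends on packet size and on encryption. Models ESP tunnel mode with
3DES-CBC and HMAC-SHA1-96 on Ethernet; these parameters are assumptions
made here, not properties of the products that were tested."""

ESP_BLOCK = 8        # 3DES-CBC block size: the ESP trailer pads to a multiple of it
ESP_IV = 8           # 3DES-CBC initialisation vector
ESP_ICV = 12         # HMAC-SHA1-96 (or HMAC-MD5-96) integrity check value
ESP_HDR = 8          # SPI (4) + sequence number (4)
OUTER_IP = 20        # new IPv4 header added in tunnel mode (no options assumed)
ETH_OVERHEAD = 38    # preamble 8 + header 14 + FCS 4 + inter-frame gap 12
MIN_IP_ON_ETH = 46   # smaller IP packets are padded up to the 64-byte minimum frame


def esp_tunnel_size(inner_ip_len):
    """Length of the outer IP packet that carries one inner IP packet.
    Padding makes payload + pad + pad-length + next-header block aligned."""
    pad = (ESP_BLOCK - (inner_ip_len + 2) % ESP_BLOCK) % ESP_BLOCK
    return OUTER_IP + ESP_HDR + ESP_IV + inner_ip_len + pad + 2 + ESP_ICV


def max_unfragmented_inner(mtu=1500):
    """Largest inner IP packet whose encapsulation still fits the link MTU.
    Anything larger is fragmented by the gateway (the methodology's
    'IP Fragmentation' case) unless the sender clamps its MSS/MTU."""
    size = mtu
    while esp_tunnel_size(size) > mtu:
        size -= 1
    return size


def wire_bytes(ip_len):
    """Bytes of link time one IP packet occupies on Ethernet."""
    return max(ip_len, MIN_IP_ON_ETH) + ETH_OVERHEAD


def max_goodput_bps(inner_ip_len, link_bps, encrypted):
    """Upper bound on TCP payload throughput when the link is saturated with
    packets of this size (20-byte IPv4 + 20-byte TCP header assumed)."""
    payload = inner_ip_len - 40
    on_wire = wire_bytes(esp_tunnel_size(inner_ip_len) if encrypted
                         else inner_ip_len)
    frames_per_s = link_bps / (8 * on_wire)
    return frames_per_s * payload * 8


def efficiency_table(link_bps=100_000_000,
                     sizes=(64, 128, 256, 512, 1024, 1446, 1480)):
    """Rows of (inner size, ESP size, clear Mbit/s, 3DES Mbit/s)."""
    return [(s, esp_tunnel_size(s),
             max_goodput_bps(s, link_bps, False) / 1e6,
             max_goodput_bps(s, link_bps, True) / 1e6) for s in sizes]


if __name__ == "__main__":
    print("inner   esp  clear Mbit/s  3DES Mbit/s")
    for s, e, clear, enc in efficiency_table():
        print(f"{s:5d} {e:5d} {clear:12.1f} {enc:12.1f}")
    print("largest inner packet without fragmentation:", max_unfragmented_inner())
```

The table explains the two effects a LAN-to-LAN VPN test exposes: with small packets the fixed 50-byte ESP overhead dominates, so the encrypted path's goodput bound drops sharply even before the crypto engine becomes the bottleneck; with packets near the MTU the gateway must fragment, which is why the size list for such a test should straddle the computed threshold rather than stop at 1480.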
Test Experience / Results
Test Scenario TCP Session Rate Test
§ One appliance built DUT/SUT
§ Varying number of virtual clients and rule sets
[Diagram: Performance Analyser attached to the un-protected and the protected side of the appliance]
Test Experience / Results
Individual test grades from 1 to 5 for each test
Rating of test grades:
§ 20% for feature list questionnaire
§ 40% for performance values
§ 40% for handling and ease of administration
Lessons learned
§ Comparison is difficult because of varying price/design factors among vendors
Test Equipment
§ EANTC conformance test suites (MPLS / IP / ATM)
§ EANTC protocol emulator / performance test software (MPLS / ATM)
§ Spirent: Smartbits IP performance analyzer
§ Spirent: AX4000 ATM / PoS / IP protocol emulator and analyzer
§ IXIA: 1600 IP performance analyzer
§ NetTest: Interwatch 95000 ATM analyzer / protocol emulator
§ Radcom: PrismLite ATM / Ethernet protocol analyzer
§ Agilent: HP75000 ATM test system
§ Spirent: Abacus bulk call generator / speech quality analyzer
§ Shunra Storm: WAN Analyzer
Oncoming Public Test Events
In cooperation with the magazine NetworkWorld Germany, EANTC regularly publishes test reports about network components.
A new test series on firewalls is planned for Q3 this year.
http://www.networkworld.de/testcenter
Conclusion
§ Tests reveal objective benchmarks about the performance of available products
§ Benchmarking standards allow comparison of varying implementations
§ Effects of logging, inspecting, deciding, encrypting, caching, NAT-ing, etc. can be observed in detail when testing
§ Run tests to make sure your individual requirements are met!
Thanks! Any Questions?
Please visit our homepage to read more about quality assurance in high speed networks and related services!
URL: www.eantc.com
or
Email: [email protected]