European Advanced Networking Test Center

Robustness and Performance Evaluation of Firewall and VPN Services

Bernd Klusmann, Project Manager, EANTC AG

Presentation Topics

§ Introduction EANTC
§ Need for Testing?
§ How to Test?
§ Test Equipment
§ Test Experience / Results
§ Oncoming Public Test Events
§ Conclusion

CeBIT 2002. Robustness and Performance Evaluation of Firewall and VPN Services. Slide 2

About EANTC

EANTC is a highly specialised provider of services in the field of network technologies. EANTC offers vendor-independent network quality assurance.

EANTC business areas are:
§ Test and certification of network components for manufacturers.
§ Test of high-speed enterprise / service provider networks and network design consultancy.
§ Research and development of test methods and analysis tools.
§ Vendor-neutral technology seminars (both ATM & MPLS).

EANTC, Berlin-Charlottenburg

Need for Testing?

Why Test Firewalls and VPN Gateways?
§ Rapid rise in firewall and VPN deployment
§ Users are unsure about the performance of available products
§ Implementations vary widely, so direct comparison is difficult
§ Edge transport speed increases
§ Firewalls between internal networks require high performance
§ Learn about effects on flow parameters like throughput and latency

How to Test?

Internet Engineering Task Force, Benchmarking Work Group
§ RFC 2647: Benchmarking Terminology for Firewall Performance
§ Draft: Benchmarking Methodology for Firewall Performance

Further topics:
§ IP(Sec)-VPN technology testing
§ Control plane and data plane tests

How to Test: RFC 2647

Benchmarking Terminology for Firewall Performance
§ Based on the router and switch benchmarking terminology of RFC 1242 and RFC 2285
§ Forwarding rate and connection-oriented measurements
§ Definition of Terms
  § Allowed traffic
  § Connection
  § Bit forwarding rate
  § Goodput
  § .....

How to Test: IETF Methodology Draft

Independent of implementation
§ From simple packet filtering ....
§ ... to complex combinations of packet filtering, application level proxy and network translation services

Test Setup Methodology
Detailed Test Specifications

How to Test: IETF Methodology Draft

Test Setup Methodology
§ Dual- and tri-homed, Test Traffic Requirements, NAT, Rule Sets, Caching

[Diagram: interface labels un-protected / protected, and un-protected / protected / DMZ]
DMZ = DeMilitarized Zone

How to Test: IETF Methodology Draft

§ Concurrent TCP Connection Capacity
§ Maximum TCP Connection Setup Rate
§ Connection Establishment and Teardown Time
§ DoS (Denial of Service) Handling: effect on connection establishment and/or forwarding rate
§ HTTP bit forwarding rate (RFC 2647)
§ IP Fragmentation
§ Illegal Traffic Handling
§ Latency of network-layer or application-layer data

[Diagram: TCP connection establishment via firewall]
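The test items above, worked as an added Python example that is not part of the deck: a small evaluator that applies the RFC 2647 terms from the terminology slide (allowed traffic, connection, bit forwarding rate, goodput) to per-connection records of a test run, computing concurrent connection capacity, connection establishment time, forwarding rate versus goodput, and an illegal-traffic check. The rule set, record fields, addresses and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    """One TCP connection attempted through the DUT/SUT (constructed test record)."""
    client: str
    dport: int
    syn_t: float                    # time the first SYN was sent (s)
    established_t: Optional[float]  # handshake completion time, None if never established
    close_t: Optional[float]        # teardown time, None if never established
    payload_bytes: int              # application bytes delivered to the far side
    retransmitted_bytes: int        # bytes that arrived only after TCP retransmission

# Assumed first-match rule set (not from the deck): (destination port or "any", action).
RULES = [(80, "allow"), (443, "allow"), ("any", "deny")]
# Constructed sample: three allowed web sessions, one telnet attempt the DUT blocked, one telnet attempt that got through despite the deny rule.
SAMPLE = [
    Connection("10.0.0.1", 80, 0.0, 0.010, 1.0, 200_000, 0),
    Connection("10.0.0.2", 80, 0.1, 0.120, 0.9, 100_000, 4_000),
    Connection("10.0.0.3", 443, 0.2, 0.230, 1.2, 300_000, 0),
    Connection("10.0.0.4", 23, 0.3, None, None, 0, 0),
    Connection("10.0.0.5", 23, 0.4, 0.420, 0.5, 1_000, 0),
]

def is_allowed(conn, rules=RULES):
    """First-match rule evaluation; traffic matching no rule is denied."""
    return next((act == "allow" for port, act in rules if port in ("any", conn.dport)), False)
def established(conns):
    return [c for c in conns if c.established_t is not None]
def policy_violations(conns, rules=RULES):
    """Illegal traffic handling: denied connections the DUT nevertheless established."""
    return [c for c in established(conns) if not is_allowed(c, rules)]
def mean_setup_time(conns):
    """Connection establishment time: first SYN to completed handshake, averaged."""
    times = [c.established_t - c.syn_t for c in established(conns)]
    return sum(times) / len(times)
def concurrent_capacity(conns):
    """Peak number of simultaneously established connections (sweep over open/close events)."""
    events = sorted(e for c in established(conns) for e in ((c.established_t, 1), (c.close_t, -1)))
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak
def rates_bps(conns, window_s):
    """RFC 2647 bit forwarding rate (all allowed bits delivered) and goodput (minus retransmitted bits)."""
    allowed = [c for c in established(conns) if is_allowed(c)]
    forwarding = sum(c.payload_bytes * 8 for c in allowed) / window_s
    return forwarding, forwarding - sum(c.retransmitted_bytes * 8 for c in allowed) / window_s
```

The leaked telnet session counts toward the DUT's connection capacity but not toward its forwarding rate or goodput, since only allowed traffic is measured; it shows up as a policy violation instead.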

How to Test: Further Topics

First solutions appear for IP(Sec)-VPN Tests:
§ tunnel creation capacity testing using IPSec protocols
§ measuring data performance (UDP or HTTP traffic) characteristics over the created tunnels
§ helping in troubleshooting interop issues

[Diagram: protected site, Internet, protected site, linked by a VPN Tunnel]

Test Experience / Results

Public test series: Firewall Appliances for NetworkWorld Germany
Appliances with stateful inspection and VPN feature
Target customers: enterprises with up to 500 clients

Test Experience / Results

Test Scenario IP Performance (throughput and latency)
§ Two appliances built the SUT/DUT
§ Real world scenario: different packet sizes and different numbers of IP clients simulating a LAN – LAN VPN

[Diagram: Protected Enterprise Network, Headquarter Munich; Protected Enterprise Network, Office Hamburg; labels: 3DES Encrypted, No Encryption]

Test Experience / Results

Test Scenario TCP Session Rate Test
§ One appliance built the DUT/SUT
§ Varying number of virtual clients and rule sets

[Diagram: un-protected and protected sides; Performance Analyser]

Test Experience / Results

Individual test grades from 1 to 5 for each test
Weighting of the test grades:
§ 20% for feature list questionnaire
§ 40% for performance values
§ 40% for handling and ease of administration

Lessons learned
§ Comparison is difficult because of varying price/design factors among vendors

Test Equipment

§ EANTC conformance test suites (MPLS / IP / ATM)
§ EANTC protocol emulator / performance test software (MPLS / ATM)
§ Spirent: SmartBits IP performance analyzer
§ Spirent: AX4000 ATM / PoS / IP protocol emulator and analyzer
§ IXIA: 1600 IP performance analyzer
§ NetTest: Interwatch 95000 ATM analyzer / protocol emulator
§ Radcom: PrismLite ATM / Ethernet protocol analyzer
§ Agilent: HP75000 ATM test system
§ Spirent: Abacus bulk call generator / speech quality analyzer
§ Shunra Storm: WAN Analyzer

Oncoming Public Test Events

In cooperation with the magazine NetworkWorld Germany, EANTC regularly publishes test reports about network components.

A new test series on firewalls is planned for Q3 this year.

http://www.networkworld.de/testcenter

Conclusion

§ Tests reveal objective benchmarks about the performance of available products
§ Benchmarking standards allow comparison of varying implementations
§ Effects of logging, inspecting, deciding, encrypting, caching, NAT-ing, etc. can be observed in detail when testing
§ Run tests to make sure your individual requirements are met!

Thanks! Any Questions?

Please visit our homepage to read more about quality assurance in high speed networks and related services!

URL: www.eantc.com

or

Email: [email protected]
