Abstract
Due to the lack of a standardized methodology for reporting firewall performance, current datasheets are designed for marketing and provide inflated throughput measurements obtained under unrealistic scenarios. As a result, customers lack usable metrics to select a device that best meets their needs.
In this paper, we develop a systematic approach to estimate the performance offered by stateful firewalls. To do so, we first conduct extensive experiments with two enterprise firewalls in a wide range of configurations and traffic profiles to identify the characteristics of a network’s traffic that affect firewall performance. Based on the observations from our measurements, we develop a model that can estimate the expected performance of a particular stateful firewall when deployed in a customer’s network. Our model ties together a succinct set of network traffic characteristics and firewall benchmarks. We validate our model with a third enterprise-grade firewall, and find that it predicts firewall throughput with less than 6-10% error across a range of traffic profiles.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Beyene, Y., Faloutsos, M., Madhyastha, H.V. (2012). SyFi: A Systematic Approach for Estimating Stateful Firewall Performance. In: Taft, N., Ricciato, F. (eds) Passive and Active Measurement. PAM 2012. Lecture Notes in Computer Science, vol 7192. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28537-0_8
DOI: https://doi.org/10.1007/978-3-642-28537-0_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28536-3
Online ISBN: 978-3-642-28537-0