Firewall Wizards mailing list archives
Re: Firewall rules order and performance
From: <lordchariot () embarqmail com>
Date: Sat, 18 Jul 2009 13:04:25 -0400
I've done this in the past with professional test equipment like SmartBits or Web Avalanche that was able to measure performance, latency, connection rates, etc. The challenge was establishing unique connections from multiple MAC & IP addresses to emulate real endpoints, and not just alias multiple IPs on the same NIC. Mostly because of the ARP process prior to making a connection. It's a lot faster making 65,000 connections from 1 MAC/IP to another than 10 connections to 6,500 unique MAC/IP/Src/Dest combinations. The test gear could simulate real hosts with unique MAC & IP addrs. We tested 1, 10, 100, 1000 & 10000 rules, all with different IP/port combinations. UDP & TCP with different packet sizes, etc. I was representing a now defunct product at the time, but the product fared pretty well because the rule matches were a tree lookup to select the rule. The overall difference between number of rules on our product was pretty negligible, but it did a lot better than Checkpoint at the time. AIR, the rule selection wasn't the bottleneck; the number of already established connections in the kernel was the primary factor. You'd plateau after a certain point as new connections were trying to allocate the memory.

-erik
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Pierre Blanchet
Sent: Friday, July 17, 2009 10:52 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall rules order and performance

It is a well-known idea that the rules order is important for the best performance of a firewall. However, nowadays:

1. Stateful firewalls use their stateful engine for existing connections to allow traffic. That means that their performance is more related to the number of existing sessions rather than the number of rules, or more exactly it is tied to the ratio of new/existing sessions.

2. Some firewalls no longer parse the configuration line by line but use a hardware-based or tree-based model. Again, the number of rules has less effect on the performance.

I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rules order, but what about the others? Google didn't give any information one way or the other.

--
Pierre Blanchet
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
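A toy model of the two effects discussed in this thread, added here as an illustration and not code from either poster: a first-match linear scan of the rulebase, a per-port bucketed (tree-like) index over the same rules, and a state table that lets packets of an established flow skip the rulebase entirely. The rule lists, addresses and traffic mix are constructed inputs, and "rule comparisons per packet" is the cost metric, not a measurement of any real product.

```python
"""Toy model: rule-walk cost vs. rule count, rule order and new/existing ratio."""
from collections import defaultdict

def build_rules(n, proto="tcp"):
    # n-1 deny rules on unrelated ports, then one allow rule for port 443 at the
    # END of the list: the worst case for a linear first-match scan.
    rules = [(proto, 10000 + i, "deny") for i in range(n - 1)]
    rules.append((proto, 443, "allow"))
    return rules

class Firewall:
    def __init__(self, rules, indexed=False):
        self.rules = rules
        self.indexed = indexed
        self.state = set()        # established flows (5-tuples) already allowed
        self.comparisons = 0      # rule checks performed: the cost we measure
        # Tree-like lookup: bucket rules by destination port so a lookup only
        # touches rules that can match, while preserving first-match order.
        self.by_port = defaultdict(list)
        for pos, rule in enumerate(rules):
            self.by_port[rule[1]].append((pos, rule))

    def _candidates(self, dport):
        if not self.indexed:
            return self.rules
        # port 0 bucket = "any port" rules; sort by position to keep rule order
        return [r for _, r in sorted(self.by_port[dport] + self.by_port[0])]

    def handle(self, flow):
        _, _, _, dport, proto = flow
        if flow in self.state:    # stateful fast path: no rule walk at all
            return "allow"
        for rproto, rport, action in self._candidates(dport):
            self.comparisons += 1
            if rproto == proto and rport in (0, dport):
                if action == "allow":
                    self.state.add(flow)
                return action
        return "deny"             # implicit default deny

def avg_comparisons(n_rules, packets, new_ratio, indexed=False):
    """Mean rule comparisons per packet when new_ratio of the packets open a
    new flow and the rest belong to a single already-established flow."""
    fw = Firewall(build_rules(n_rules), indexed)
    n_new = int(packets * new_ratio)
    # constructed traffic: n_new distinct source ports to 443, then repeats of flow 0
    for i in range(packets):
        sport = 40000 + (i if i < n_new else 0)
        fw.handle(("10.0.0.2", sport, "10.0.0.1", 443, "tcp"))
    return fw.comparisons / packets
```

With a linear scan, cost scales with rule count times the new-session ratio (1000 rules at 10% new sessions costs about 100 comparisons per packet); with the indexed lookup or a mostly-established session mix it stays near 1 regardless of rule count, which is the claim both posters make.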