Firewall Wizards mailing list archives
Re: firewall stress testing tool
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 19 May 2006 10:23:54 -0400
pavan shah wrote:
I have configured Windows 2003 server to allow only traffic to port 80. I want to check for the stability of the firewall under heavy load. Could anyone suggest any firewall stress testing tool?
There aren't any decent firewall stress testing tools out there. Obviously, real network traffic would be the ideal test-bed. Second to that would be replays of packets captured at a real firewall installation.

Using something like a SmartBits is pointless because they're generating synthetic traffic, which would make the firewalls that do any layer 7 processing look worse (from a performance standpoint) than the firewalls that are doing only "stateful inspection" or "deep inspection".

We saw a lot of cooked benchmarks early in the IDS days where unscrupulous vendors posted unrealistically high performance numbers for IDS packet capture by using synthetic traffic that the IDS "knew" to discard. There was the famous intrusion.com benchmark done by Mier Communications in which intrusion.com demonstrated gigabit speed IDS with no packet loss - as long as you threw 1 gb/s of 100K packets at TCP port 0.

If you have a firewall that (for example) is trying to do protocol state parsing for SMTP, it'll look much worse under a synthetic test than one that simply goes "wow, that's port 25! let it through if you see a HELO!" Under synthetic testing a "stateful" firewall will fare extremely well, from a performance standpoint, if all the packets are directed at an un-established flow.

One of the ironies of "stress testing" security products is that the ones that do LESS security processing almost always do better under a load test. Furthermore, the ones that do LESS processing appear to do better in terms of (let's loosely call it) "reliability" since they will favor letting things through. I saw this back in 1995 when one of my customers chose a "stateful" firewall over a proxy because in synthetic testing the proxy kept terminating a non-standards-compliant FTP command stream, whereas the "stateful" firewall was just looking for "PORT" commands and letting everything else through. The customer felt that the "stateful" firewall was "better" because it was "more reliable" - meaning "easier to get through."

So, if you're stress testing for "reliability" you need to ask yourself, first, what exactly you mean by "reliable." It keeps coming back to the eternal trade-off between performance and accessibility on one hand versus conservative design and security on the other.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
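Ranum's point that synthetic load rarely reaches the layer-7 path can be checked against a test trace before a stress run. The following is an added example, not code from the thread or from any of the posters: it models a minimal stateful filter with the original poster's port-80-only policy and reports which stage of the filter each packet of a trace reaches, using constructed packet lists (a spray at TCP port 0, an unestablished spray at port 80, and complete HTTP sessions). `Packet`, `classify_trace`, `l7_share` and the session-generating helpers are assumed names; the stages are a simplification of what any particular product does.

```python
"""Does a firewall load test actually exercise layer-7 processing?

Constructed example (not from the firewall-wizards thread). A minimal stateful
filter is modelled: only TCP/80 is permitted, a flow counts as established once
a SYN and a SYN-ACK have been seen, and only payload on an established flow
would ever reach a proxy or protocol parser.
"""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags payload")

ALLOWED_PORTS = {80}  # the poster's policy: only port 80 permitted


def classify_trace(packets, allowed_ports=ALLOWED_PORTS):
    """Count packets by the deepest stage of the filter they reach.

    policy_drop : no rule matches; discarded after a port lookup (cheapest path)
    state_drop  : rule matches but no handshake seen; discarded at the state table
    handshake   : SYN / SYN-ACK bookkeeping
    ack_only    : established flow, no payload, nothing for layer 7 to read
    l7_inspect  : payload on an established flow, the only packets a layer-7
                  engine would actually have to parse
    """
    pending, established = set(), set()
    counts = Counter()
    for p in packets:
        # direction-independent flow key
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if p.dport not in allowed_ports and p.sport not in allowed_ports:
            counts["policy_drop"] += 1
        elif p.flags == "S":
            pending.add(key)
            counts["handshake"] += 1
        elif p.flags == "SA" and key in pending:
            pending.discard(key)
            established.add(key)
            counts["handshake"] += 1
        elif key in established:
            counts["l7_inspect" if p.payload else "ack_only"] += 1
        else:
            counts["state_drop"] += 1
    return counts


def l7_share(packets):
    """Fraction of the trace that reaches the layer-7 stage (0.0 .. 1.0)."""
    counts = classify_trace(packets)
    total = sum(counts.values())
    return counts["l7_inspect"] / total if total else 0.0


SERVER = "192.0.2.10"  # constructed target address


def http_session(client, sport):
    """One constructed HTTP exchange: handshake, request, response, final ACK."""
    return [
        Packet(client, SERVER, sport, 80, "S", b""),
        Packet(SERVER, client, 80, sport, "SA", b""),
        Packet(client, SERVER, sport, 80, "A", b""),
        Packet(client, SERVER, sport, 80, "PA", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        Packet(SERVER, client, 80, sport, "PA", b"HTTP/1.1 200 OK\r\n\r\n<html></html>"),
        Packet(client, SERVER, sport, 80, "A", b""),
    ]


# Constructed traces. PORT0_SPRAY mimics the "1 gb/s at TCP port 0" benchmark;
# PORT80_SPRAY is payload fired at the allowed port with no handshake; REALISTIC
# is what a capture of real web clients would look like.
PORT0_SPRAY = [Packet("10.0.0.%d" % (i % 250 + 1), SERVER, 40000 + i, 0, "A", b"x" * 1400)
               for i in range(1000)]
PORT80_SPRAY = [Packet("10.0.0.%d" % (i % 250 + 1), SERVER, 40000 + i, 80, "PA", b"GET / HTTP/1.0\r\n\r\n")
                for i in range(1000)]
REALISTIC = [pkt for i in range(100)
             for pkt in http_session("10.0.0.%d" % (i % 250 + 1), 50000 + i)]


if __name__ == "__main__":
    for name, trace in [("port-0 spray", PORT0_SPRAY),
                        ("port-80 spray", PORT80_SPRAY),
                        ("realistic", REALISTIC)]:
        print("%-14s %s  l7_share=%.2f" % (name, dict(classify_trace(trace)), l7_share(trace)))
```

A trace whose `l7_share` is zero tells you nothing about the firewall's layer-7 path, however impressive the packet rate: both sprays above are rejected by a port lookup or a state-table miss, which is exactly the work a "stateful"-only device is optimised for.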