Firewall Testing Update
Paul [email protected]
Overview
• Problem Statement
• Participants
• Problem Classification
• Scope of Current Testing
• Preliminary Results
Participants
• Terri Beamer – Denison (Check Point)
• Joe Simpson – Miami (PIX)
• Tom Ridgeway – UC (PIX)
• Greg Trefz – Stratacache (Packeteer)
• Gene Bassin/Jason MacDonald – OARnet (IOS Firewall)
Reported Problems
• H.323 won't work at all.
• Connection gets made but performance is not good.
• H.323 seems to be in a state of flux, i.e. it changes over time (can get better or worse).
So what are the problems?
• Protocol Specific
– Firewall assumes it is an attack
– NAT is generally bad for H.323
• Packet Handling
– Does the firewall, in meeting its security need, exceed the parameters necessary for good performance?
• Network in Conjunction with the other two
– Traffic Bursts
Scope of Current Testing
• We know what is necessary for good H.323 sessions
– http://www.adec.edu/nsf/Traffic%20draftv3.0.pdf
– http://www.adec.edu/nsf/Summary%20Test%20H.323.v7.pdf
• Is it simply a case of poor performance at the packet layer?
Basic Testing Procedure
• Use Smartbits 600 with SmartFlow and SmartWindow
• Added VoIP PSQM for further insight
• Find effective throughput without filtering, i.e. the baseline
• Test by systematically varying the allowed/denied traffic ratio to find performance bounds.
Preliminary Results
• Cisco 2651
• Running IOS Firewall Suite
• Version 12.2(7c)
– 2600-dos3s-mz.122-7c.bin
• Tested on two FastEthernet ports
Raw Throughput
• Max @ 1518 Byte Frames (including Ethernet header and FCS fields): 27.578 Mbps
• Min @ 64 Byte Frames: 12.109 Mbps
Raw Latency
• Jitter = Max - Min
• Max Jitter @ 128 Byte Packet, 10 Mbps load: 118 ms
• Min Jitter @ 256 Byte Packet, 20 Mbps load: 1 ms
• Packet sizes 128-1518: bulk of latency in the 10-50 ms range
• 1152 Bytes at 10-20 Mbps: downward shift
Throughput Filtered
• Max @ 1518 Byte Packet: 20 Mbps
– ~26% hit
• Min @ 64 Byte Packet: 4.375 Mbps
– ~67% hit
Latency Filtered
• Max @ 64 Byte Packet, 20% load: 57 ms jitter
• Min @ 64 Byte Packet, 10% load: less than 1 ms
• Latency Distribution
– 100-50 ms below 128 Bytes
– 50-10 ms around 256 Bytes
– 100-50 ms at 1024 Bytes
Throughput Mix
• 20/5
– Max @ 1518 Byte Packets is 20 Mbps
– Min @ 64 Byte Packets is 2.687 Mbps
• 15/10
– Max @ 1518 Byte Packets is 11.875 Mbps
– Min @ 64 Byte Packets is 1.562 Mbps
• 10/15
– Router dies
Jitter Mix
• 20/5
– Max @ 64 Byte Packets is 135 ms, STD 6.234 ms
– Min @ 512 Byte Packets is 6 ms, STD 2.295 ms
• 15/10
– Max @ 64 Bytes is 112 ms, STD 5.6 ms
– Min @ 1280 Bytes is 12 ms, STD 6.206 ms
• 10/15
– Death
Latency Distribution Mix
• 20/5
– Below 512 Bytes is in the 50-100 ms range
• 15/10
– Ditto
PSQM
• 0 is best
• 6.5 is worst
• Not a real measure for H.323 but might help give insight
• G.711 ulaw = 218 byte frames, i.e. four codec frames per packet
• It is less than 1% of traffic
[PSQM result charts by background traffic frame size: 64 Byte, 128 Byte, 256 Byte, 512 Byte, and 1024 & 1518 Byte backgrounds; the chart data is not included in the transcript]