Firewall performance test scheme

As information security requirements grow, firewalls have become an essential network element. However, a firewall's main job in the network is not packet forwarding but packet inspection and access control, so its presence inevitably costs the users it protects some network performance. Provided the security functions are met, it is therefore important to choose a product whose performance matches the network requirements and the budget.

Firewall performance description indicators

The main indicators used to measure firewall performance are throughput, packet forwarding rate, maximum number of concurrent connections, new connections per second, forwarding delay (latency) and jitter.


Figure 1 Main performance indicators of the firewall

- Firewall throughput is the maximum rate at which the device forwards frames without loss (the RFC 2544 definition). The test method: send a fixed number of frames at a given rate and count the frames the device under test (DUT) forwards. If the number received equals the number sent, raise the rate and retest; if fewer frames are received than were sent, lower the rate and retest, until the highest rate with no frame loss is found. That rate is the result, expressed in bits/second or bytes/second (frames/second is also common). Because a firewall's cost is largely per frame, the test is normally repeated for several frame sizes, from 64 to 1518 bytes; the no-loss rate at small frames is usually far below the line rate.

- The number of concurrent TCP connections is the maximum number of TCP connections the DUT can maintain simultaneously, either between hosts on opposite sides of it or between a host and the DUT itself. It is measured with an iterative search: in each iteration a different number of connections is opened, at a rate below the connection rate the DUT can sustain so that the setup rate is not what limits the result, until the DUT's maximum is found.

- The maximum TCP connection establishment rate is the highest rate of connection requests at which the DUT successfully establishes every requested connection. It is also found by iterative search: each iteration issues requests at a different rate while the number of open connections is kept below the DUT's maximum concurrent connections, so that the state table is not what limits the result, until the highest rate at which all connections succeed is found. It is expressed in connections per second.
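The three iterative searches above share one algorithm: a monotone pass/fail trial (no frame lost, every connection held, every connection established) and a binary search for the largest value that still passes. The following is an added example, not code from the article or from any test instrument; the device under test is a constructed in-memory model whose hidden limits (max_fps, max_concurrent, max_cps) are assumptions that the searches have to discover, and a real harness would drive a traffic generator in place of the model's methods.

```python
"""Iterative search for the three limits defined above: no-loss throughput,
maximum concurrent TCP connections and maximum connection establishment rate.
Added example (not from the article or any test instrument). The device under
test is a constructed in-memory model with hidden limits that the searches
have to discover; a real harness would drive a traffic generator instead."""

from dataclasses import dataclass
from typing import Callable

TRIAL_SECONDS = 1       # one trial per search step; RFC 2544 recommends longer trials (60 s)
FRAME_BYTES = 1518      # one frame size; a full throughput test repeats this for 64 ... 1518 bytes


@dataclass
class SimulatedDut:
    """Constructed stand-in for the DUT. The three hidden limits are assumptions."""
    max_fps: int           # frames/s forwarded before it starts dropping
    max_concurrent: int    # sessions its state table can hold
    max_cps: int           # connection setups/s before requests start failing

    def forward(self, offered_fps: int, seconds: int) -> int:
        """Frames received on the far side when offered_fps is sent for `seconds`."""
        sent = offered_fps * seconds
        return min(sent, self.max_fps * seconds)

    def hold_connections(self, count: int, ramp_cps: int) -> int:
        """Connections still established after opening `count` at ramp_cps and holding them."""
        if ramp_cps > self.max_cps:
            # too fast a ramp makes the rate limit, not the state table, the failure cause
            return int(count * self.max_cps / ramp_cps)
        return min(count, self.max_concurrent)

    def connect_at_rate(self, rate_cps: int, seconds: int) -> int:
        """Connections established when requests arrive at rate_cps and are closed at once."""
        attempted = rate_cps * seconds
        if rate_cps <= self.max_cps:
            return attempted
        return int(attempted * self.max_cps / rate_cps)


def search_max(passes: Callable[[int], bool], lo: int, hi: int) -> int:
    """Largest x in [lo, hi] for which passes(x) is True, by binary search.
    Assumes passes is monotone (True up to the device's limit, False beyond it),
    which is the premise of the iterative search the indicators above describe."""
    if passes(hi):
        return hi
    if not passes(lo):
        return 0
    while hi - lo > 1:          # invariant: passes(lo) is True, passes(hi) is False
        mid = (lo + hi) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid
    return lo


def throughput(dut: SimulatedDut, frame_bytes: int = FRAME_BYTES, ceiling_fps: int = 10_000_000) -> dict:
    """No-loss throughput: raise the rate while received == sent, lower it otherwise."""
    def no_loss(fps: int) -> bool:
        return dut.forward(fps, TRIAL_SECONDS) == fps * TRIAL_SECONDS
    fps = search_max(no_loss, 1, ceiling_fps)
    return {"frames_per_second": fps, "bits_per_second": fps * frame_bytes * 8}


def max_connection_rate(dut: SimulatedDut, ceiling_cps: int = 10_000_000) -> int:
    """Highest request rate at which every requested connection is established.
    Connections are closed immediately, so concurrency stays far below the state-table limit."""
    def all_established(cps: int) -> bool:
        return dut.connect_at_rate(cps, TRIAL_SECONDS) == cps * TRIAL_SECONDS
    return search_max(all_established, 1, ceiling_cps)


def max_concurrent_connections(dut: SimulatedDut, known_cps: int, ceiling: int = 100_000_000) -> int:
    """Largest number of connections the DUT holds at once. The ramp rate is kept at half
    the measured connection rate so the rate limit cannot be the reason a trial fails."""
    ramp = max(1, known_cps // 2)
    def all_held(n: int) -> bool:
        return dut.hold_connections(n, ramp) == n
    return search_max(all_held, 1, ceiling)


if __name__ == "__main__":
    dut = SimulatedDut(max_fps=812_743, max_concurrent=250_000, max_cps=30_000)
    cps = max_connection_rate(dut)          # measured first: the concurrency ramp depends on it
    print("throughput:", throughput(dut))
    print("connections/s:", cps)
    print("concurrent connections:", max_concurrent_connections(dut, cps))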

Firewall performance test method

Performance evaluation of a firewall product is done in two steps: first a baseline performance test, then a performance test in a simulated real application environment.

Baseline performance is the firewall's performance under ideal conditions. Its advantages are relatively stable results and a controllable traffic model. In real deployments, however, a product's nominal baseline figures are often not reached, because the traffic passing through the firewall is much more complicated than the traffic used in baseline testing. Evaluating a firewall therefore requires not only baseline measurements but, more importantly, tests that simulate the actual application environment.

1. Baseline performance test

1) Throughput evaluation

Firewall throughput is in fact a static indicator: it reflects the device's forwarding capability under ideal conditions. In real use the nominal throughput is generally not reached, and what the user actually perceives is the application-level processing capacity, so a bare throughput figure does not explain the firewall's forwarding performance.

In general, forwarding performance can be measured as throughput or as goodput. For firewall devices goodput is the more meaningful of the two, so firewall throughput tests mostly report goodput.

Goodput is sometimes called application-layer throughput. For a given number of new and concurrent connections, the application-layer payload carried by each message largely determines the application-layer forwarding capacity. When testing forwarding performance, the test payload size therefore has to be specified, and to obtain comprehensive throughput data the forwarding performance should be measured under a range of payload sizes.

HTTP is generally used as the application-layer protocol in the throughput baseline test. To obtain the most favourable result, HTTP/1.1 is selected, each TCP connection carries as many HTTP transactions as possible (persistent connections), and the HTTP payload is set large. Figure 2 shows an example of these settings in IxLoad.

Figure 2 IxLoad settings
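The settings above (HTTP/1.1, many transactions per TCP connection, large payload, several payload sizes) can be reproduced without a commercial instrument to see what goodput actually counts. The following is an added example, not code from the article or from Ixia's IxLoad: a local http.server plays the server side and nothing sits between client and server, so the numbers characterise the host rather than a firewall, and the payload sizes and connection counts are assumptions. With the DUT on the path between the two ends, the same counters give firewall goodput, because only HTTP body bytes are counted; Ethernet, IP, TCP and HTTP header bytes, which a throughput figure would include, are not.

```python
"""Application-layer goodput over HTTP/1.1 persistent connections.
Added example, not from the article or from Ixia's IxLoad. A local http.server
plays the server side and nothing sits between client and server, so the
numbers characterise the host, not a firewall; put the DUT on the path and the
same counters give firewall goodput. Payload size and connection counts are
parameters chosen here as assumptions."""

import threading
import time
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def start_payload_server(payload_size: int) -> ThreadingHTTPServer:
    """Serve a fixed body of payload_size bytes on an ephemeral loopback port."""
    body = b"x" * payload_size

    class PayloadHandler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"   # keep-alive: many transactions per TCP connection

        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))   # required for keep-alive
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # silence per-request logging
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), PayloadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _client(host, port, transactions, counters, lock):
    """One emulated client: a single TCP connection carrying `transactions` GETs."""
    conn = HTTPConnection(host, port)
    app_bytes = ok = 0
    for _ in range(transactions):
        conn.request("GET", "/payload")
        resp = conn.getresponse()
        body = resp.read()          # draining the body is what lets the connection be reused
        if resp.status == 200:
            ok += 1
            app_bytes += len(body)  # only application payload counts toward goodput
    conn.close()
    with lock:
        counters["app_bytes"] += app_bytes
        counters["transactions"] += ok


def measure_goodput(payload_size=64 * 1024, connections=4, transactions_per_connection=50) -> dict:
    """Run `connections` clients in parallel and report goodput in Mbit/s."""
    server = start_payload_server(payload_size)
    host, port = server.server_address
    counters = {"app_bytes": 0, "transactions": 0}
    lock = threading.Lock()
    clients = [threading.Thread(target=_client,
                                args=(host, port, transactions_per_connection, counters, lock))
               for _ in range(connections)]
    started = time.perf_counter()
    for c in clients:
        c.start()
    for c in clients:
        c.join()
    elapsed = time.perf_counter() - started
    server.shutdown()
    server.server_close()
    return {
        "tcp_connections": connections,
        "transactions": counters["transactions"],
        "app_bytes": counters["app_bytes"],
        "elapsed_s": elapsed,
        "goodput_mbps": counters["app_bytes"] * 8 / elapsed / 1e6,
        "transactions_per_second": counters["transactions"] / elapsed,
    }


if __name__ == "__main__":
    for size in (1024, 16 * 1024, 256 * 1024):   # forwarding performance under different payload sizes
        r = measure_goodput(payload_size=size)
        print(f"payload {size:>7} B: {r['goodput_mbps']:8.1f} Mbit/s goodput, "
              f"{r['transactions_per_second']:8.0f} transactions/s")
```

Running the main block shows the effect the text describes: with a 1 KB payload the per-transaction overhead dominates and goodput is low although transactions per second are high, while at 256 KB goodput approaches what the path can carry. That is why a goodput figure is only comparable when the payload size it was measured with is stated.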

2) Connection number evaluation

Connections are a central concept in stateful firewalls, and connection-related indicators are very important when evaluating them. They are the number of concurrent connections and the new-connection rate.

- Test of concurrent connections

The concurrent-connection count is a very important indicator that mainly reflects the DUT's ability to maintain many sessions at once. It is also much debated. It depends closely on the test conditions, which is often overlooked. For example, the size of the file transferred during the test affects the result: if the application-layer traffic is heavy, the DUT spends a large share of its resources on packet inspection and cannot process newly requested connections, so the measured figure is smaller; with light traffic the figure is larger. A concurrent-connection figure quoted without its test conditions is therefore hard to interpret. Seen broadly, the purpose of this test is to compare the "resources" of different devices, that is, the combined capacity of their processor and memory resources.

At present there is a tendency to compare concurrent-connection counts blindly. In fact, hundreds of thousands of concurrent connections should fully meet the needs of a carrier-grade data center, and for an average enterprise even a few thousand are more than enough. The total can be obtained by the instrument's automatic test, which reduces the time and manpower needed. There are many such instruments; the common ones are Spirent's Avalanche and Ixia's IxLoad and BreakingPoint (BPS).

- New connection rate

This indicator reflects the DUT's real-time responsiveness to connection requests, and for small and medium users it matters even more. When the DUT processes connection requests faster and data is transferred faster, fewer connections are open in the network at any one time, so the device is under less pressure and the user perceives better firewall performance. Test tools such as Avalanche, IxLoad and BPS can measure the new-connection rate and search for the peak the DUT can handle; their test principles are basically the same.

2. Simulate real application environment for performance index testing

If firewall performance could be tested by simulating the user's actual application environment exactly, activities such as firewall selection would become very simple and the performance indicators far more meaningful. But simulating a real application environment is not simple: user environments are so complex and variable that reproducing them exactly is almost impossible. The simulated-environment testing discussed here only abstracts the user environment, so that the simulated environment is as close to the real one as the test conditions allow.

1) Multi-application protocol throughput test

As mentioned earlier, goodput is an important measure of firewall throughput. In the baseline test, HTTP is generally the only application-layer protocol used. In a real application environment the application-layer traffic is not pure HTTP; other protocols are present, and using HTTP as a stand-in for them when measuring application-layer throughput is clearly inappropriate. A typical application-layer traffic distribution model therefore has to be designed for each application scenario, with bandwidth allocated to the protocols in the corresponding proportions. Figure 3 shows a typical application bandwidth distribution for one scenario.

Figure 3 Typical application bandwidth distribution

Simulated multi-protocol testing requires a test tool that can generate mixed multi-protocol traffic and report results per protocol, including per-protocol throughput and forwarding delay. For multi-protocol simulation, BPS supports a rich set of application-layer protocols and has good traffic-mixing functions.

2) Forwarding performance test under DDoS attack conditions

Firewalls are constantly targeted by attackers trying to break into the networks behind them, and DDoS is one of the most common attack methods. Such attacks use spoofed source IP addresses and continually change form. Tests that simulate the real environment must therefore include DDoS attack traffic as an input condition.

The purpose of this test is to send DDoS attack traffic through the firewall as part of the traffic mix and measure how much the DUT's forwarding performance degrades, as it would under attack in a real network. The effect of DDoS traffic on normal traffic is explored by varying the proportions in the mix. The test steps are as follows:

- Keep the DDoS traffic fixed (for example at 5% of the interface bandwidth) and vary the mix of normal multi-protocol traffic, for example SMTP:FTP:HTTP:HTTPS at 45:15:30:10. After the mixed traffic has passed through the firewall, check whether the forwarding performance still meets the actual requirement compared with the same run without DDoS traffic; the forwarding delay through the firewall can be checked at the same time to see whether it stays at an acceptable level;

- Vary the DDoS traffic's share of the interface bandwidth (for example 3%, 5%, 8%) while keeping the normal traffic unchanged, and test how forwarding performance and forwarding delay change with attack intensity and whether they still meet the application's needs;

- Vary both, i.e. change the proportion of normal traffic whenever the DDoS traffic is changed, and record forwarding performance and delay for each combination.
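The three steps above produce a matrix of (traffic mix, DDoS share) runs, each judged against the no-attack run of the same mix. The following is an added example, not code from the article: it builds that matrix, converts the ratios into per-protocol offered load, and applies acceptance thresholds to recorded results. The 45:15:30:10 mix and the 3/5/8 percent DDoS shares are the article's; the interface speed, the second mix, the thresholds (goodput drop at most 10%, delay at most 2 ms) and the "measured" results are constructed.

```python
"""Test matrix and acceptance check for forwarding performance under DDoS load.
Added example, not from the article. The 45:15:30:10 mix and the 3/5/8 percent
DDoS shares come from the text; the interface speed, the second mix, the
thresholds and the 'measured' results are constructed to show the evaluation."""

from itertools import product

INTERFACE_MBPS = 1000                                                  # assumption: 1 GbE interface
MIXES = {
    "mail-heavy": {"SMTP": 45, "FTP": 15, "HTTP": 30, "HTTPS": 10},   # ratio from the article
    "web-heavy": {"SMTP": 10, "FTP": 5, "HTTP": 60, "HTTPS": 25},     # constructed second mix
}
DDOS_SHARES = (0, 3, 5, 8)   # percent of interface bandwidth; 0 % is the no-attack reference


def offered_load(mix: dict, ddos_percent: int, interface_mbps: int = INTERFACE_MBPS) -> dict:
    """Per-protocol offered Mbit/s: DDoS takes its share of the interface, the remainder
    is split by the normal-traffic ratio. A ratio that does not sum to 100 is a plan error."""
    if sum(mix.values()) != 100:
        raise ValueError(f"traffic ratio sums to {sum(mix.values())}, not 100")
    normal_mbps = interface_mbps * (100 - ddos_percent) / 100
    load = {proto: normal_mbps * share / 100 for proto, share in mix.items()}
    load["DDoS"] = interface_mbps * ddos_percent / 100
    return load


def test_matrix(mixes=MIXES, ddos_shares=DDOS_SHARES) -> list:
    """Every (mix, DDoS share) combination with its offered load. Read row-wise it is
    step 1 (fixed DDoS, varied mix), column-wise step 2 (fixed mix, varied DDoS),
    and as a whole step 3."""
    return [(name, ddos, offered_load(mix, ddos))
            for (name, mix), ddos in product(mixes.items(), ddos_shares)]


def evaluate(results: dict, max_goodput_drop_pct: float = 10.0, max_latency_ms: float = 2.0) -> dict:
    """results maps (mix, ddos_percent) -> {'goodput_mbps', 'latency_ms'}. Each attacked run
    is judged against the no-attack run of the same mix, as step 1 prescribes."""
    verdicts = {}
    for (mix, ddos), run in results.items():
        if ddos == 0:
            continue
        base = results[(mix, 0)]
        drop = 100 * (base["goodput_mbps"] - run["goodput_mbps"]) / base["goodput_mbps"]
        latency_ok = run["latency_ms"] <= max_latency_ms
        verdicts[(mix, ddos)] = {
            "goodput_drop_pct": round(drop, 1),
            "latency_ok": latency_ok,
            "pass": drop <= max_goodput_drop_pct and latency_ok,
        }
    return verdicts


# Constructed results, in the form a test instrument would record them (Mbit/s goodput, ms delay).
SAMPLE_RESULTS = {
    ("mail-heavy", 0): {"goodput_mbps": 920.0, "latency_ms": 0.8},
    ("mail-heavy", 3): {"goodput_mbps": 890.0, "latency_ms": 1.0},
    ("mail-heavy", 5): {"goodput_mbps": 860.0, "latency_ms": 1.4},
    ("mail-heavy", 8): {"goodput_mbps": 780.0, "latency_ms": 2.6},
}

if __name__ == "__main__":
    for name, ddos, load in test_matrix():
        print(f"{name:10s} {ddos}% DDoS:", {k: round(v, 1) for k, v in load.items()})
    for key, verdict in evaluate(SAMPLE_RESULTS).items():
        print(key, verdict)
```

With the constructed results, 3% and 5% DDoS pass, while 8% fails on both criteria (15.2% goodput loss and 2.6 ms delay), which is the kind of knee the test is meant to find: the DDoS share at which the firewall's inspection cost starts to starve legitimate traffic.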

3) New connection test under certain load conditions

The new-connection rate reflects whether new users can get onto the network quickly. Normally, when the new-connection rate is tested, each connection is closed immediately after it is opened, and under those conditions the results are generally good. Real scenarios are different: when a new connection is created, a certain number of connections already exist. This is the test of the new-connection rate under a given load of concurrent connections. The test steps are:

- First test the baseline new-connection rate, i.e. the ideal rate with no load;

- Gradually increase the load. The load can be set as a percentage of the baseline maximum concurrent connections, for example 20%, 30%, 50%, 70%, 90%. Note that during a test under load the total must not exceed the maximum number of concurrent connections, otherwise the results are inaccurate;

- The test duration must be chosen according to the situation. With connections that are opened and closed, the concurrency seen on the device should ideally equal the configured load. Under load, however, the rate at which the device processes connection closures is affected to some extent, so the concurrency keeps rising as the new-connection rate rises, and if the test runs long enough and closure processing is slow, the number of concurrent connections can exceed the baseline limit. The test under load therefore needs to be long enough to expose this; if new connections keep succeeding throughout, the device's performance is relatively good.
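The procedure above, holding a background load and then opening and closing connections at a target rate while watching the peak concurrency, can be exercised on loopback. The following is an added example, not code from the article or from any test tool: no firewall is in the path, so it measures the host's TCP stack, but the server side counts live sessions the way a stateful firewall's state table would, and the reported peak_concurrent is the figure to compare with the baseline maximum from the concurrency test. The load, rate, duration and the baseline_max_concurrent value in the main block are assumptions.

```python
"""New-connection rate measured while a fixed number of connections is already
held open, on loopback. Added example, not from the article or any test tool;
no firewall is in the path, so this measures the host's TCP stack, but the
procedure (hold the load, then open and close at a target rate while recording
peak concurrency) is the one the steps above describe. Load, rate and duration
below are assumptions."""

import asyncio
import time


async def _measure(load_connections: int, target_rate_cps: int, duration_s: float) -> dict:
    live = peak = 0   # sessions currently open on the server side, and the high-water mark

    async def handle(reader, writer):
        nonlocal live, peak
        live += 1
        peak = max(peak, live)
        try:
            writer.write(b"\x01")      # ack so the client knows the session is counted
            await writer.drain()
            await reader.read(1)       # block until the client closes its side
        except OSError:
            pass
        finally:
            writer.close()
            live -= 1

    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]

    async def open_and_ack():
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        await reader.readexactly(1)
        return writer

    # Step 2: establish the background load first and keep it open for the whole run.
    load_writers = [await open_and_ack() for _ in range(load_connections)]

    attempted = opened = failed = 0

    async def one_new_connection():
        nonlocal opened, failed
        try:
            writer = await open_and_ack()
            writer.close()
            await writer.wait_closed()
            opened += 1
        except OSError:
            failed += 1

    # Step 3: open and close connections at the target rate for the chosen duration.
    interval = 1.0 / target_rate_cps
    tasks = []
    started = time.perf_counter()
    while time.perf_counter() - started < duration_s:
        tasks.append(asyncio.create_task(one_new_connection()))
        attempted += 1
        await asyncio.sleep(max(0.0, started + attempted * interval - time.perf_counter()))
    await asyncio.gather(*tasks)
    elapsed = time.perf_counter() - started

    for writer in load_writers:
        writer.close()
    await asyncio.sleep(0.05)      # let the server-side handlers observe the closes
    server.close()
    return {
        "load_connections": load_connections,
        "attempted": attempted,
        "opened": opened,
        "failed": failed,
        "achieved_cps": opened / elapsed,
        "peak_concurrent": peak,   # compare with the baseline maximum concurrent connections
    }


def measure_new_connection_rate(load_connections=20, target_rate_cps=200, duration_s=0.5) -> dict:
    """Run one load point and return rate, failures and peak concurrency."""
    return asyncio.run(_measure(load_connections, target_rate_cps, duration_s))


if __name__ == "__main__":
    baseline_max_concurrent = 100     # assumption: taken from the baseline concurrency test
    for pct in (0, 20, 50, 90):       # load as a percentage of the baseline maximum
        r = measure_new_connection_rate(load_connections=baseline_max_concurrent * pct // 100)
        print(f"load {pct:>2}%: {r['achieved_cps']:6.0f} conn/s, "
              f"peak concurrent {r['peak_concurrent']}, failed {r['failed']}")
```

If the server side closed sessions more slowly than they were opened, peak_concurrent would climb above load_connections plus the handful of connections in flight and, with a long enough duration, pass the baseline limit; that growth, not just the achieved rate, is what the step about test duration asks the tester to watch for.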

Conclusion

While protecting the network, a firewall inevitably introduces some loss of network performance, so choosing a firewall whose performance suits the actual network environment is crucial for users. This article has introduced, from the perspective of firewall evaluation, the general method for baseline performance testing and for performance testing in a simulated real environment. In an actual evaluation, the key traffic characteristics of the application should be extracted as fully as possible from the real application scenario, modelled in abstract form, and reproduced with a test instrument, so that the resulting performance indicators reflect the actual application.
