2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles

Transcription

1 FIREWALL COMPARATIVE ANALYSIS Performance 2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles Tested Products Barracuda F800, Check Point 12600, Cyberoam CR2500iNG, Dell SonicWALL NSA 4500, Fortinet FortiGate- 800c, Juniper SRX550, NETASQ NG1000- A, NETGEAR ProSecure UTM9S, Palo Alto Networks PA- 5020, Sophos UTM 425, Stonesoft FW- 1301, WatchGuard XTM 1050

2 Overview Implementation of a firewall can be a complex process with multiple factors affecting the overall performance of the solution. Each of these factors should be considered over the course of the useful life of the solution, including: 1. Deployment use cases: a. Will the Firewall be deployed to protect servers, desktop clients, or both? 2. What does the traffic look like? a. Concurrency and connection rates. b. Connections per second and capacity with different traffic profiles. c. Latency and application response times. There is usually a trade- off between security effectiveness and performance; a product s security effectiveness should be evaluated within the context of its performance (and vice versa). This ensures that new security protections do not adversely impact performance and security shortcuts are not taken to maintain or improve performance. Sizing considerations are absolutely critical, since vendor performance claims can vary significantly from actual throughput with protection turned on. Farther to the right indicates higher rated throughput. Higher up indicates more connections per second. Products with low connections/throughput ratio run the risk of running out of connections before they reach their maximum potential throughput. 250,000 Maximum TCP Connections per Second 200, , ,000 50, ,000 4,000 6,000 8,000 12,000 NSS Rated Throughput (Mbps) Figure 1: Throughput and Connection Rates 2013 NSS Labs, Inc. All rights reserved. 2

3 Table of Contents Overview... 2 Analysis... 4 UDP Throughput & Latency... 5 Connection Dynamics Concurrency and Connection Rates... 7 HTTP Connections per Second and Capacity... 9 HTTP Connections per Second and Capacity (Throughput)... 9 Application Average Response Time - HTTP (at 90% Max Capacity) Real- World Traffic Mixes Test Methodology Contact Information Table of Figures Figure 1: Throughput and Connection Rates... 2 Figure 2: Vendor Claimed vs NSS Rated Throughput in Mbps... 4 Figure 3: UDP Throughput by Packet Size (I)... 5 Figure 4: UDP Throughput by Packet Size (II)... 6 Figure 5: UDP Latency by Packet Size (Microseconds)... 6 Figure 6: Concurrency and Connection Rates (I)... 7 Figure 7: Concurrency and Connection Rates (II)... 8 Figure 8: Maximum Throughput Per Device With 44Kbyte Response... 9 Figure 9: Maximum Throughput Per Device With 21Kbyte Response Figure 10: Maximum Throughput Per Device With 10Kbyte Response Figure 11: Maximum Throughput Per Device With 4.5Kbyte Response Figure 12: Maximum Throughput Per Device With 1.7Kbyte Response Figure 13: Maximum Connection Rates Per Device With Various Response Sizes Figure 14: Application Latency (Microseconds) Per Device With Various Response Sizes Figure 15: Real- World Performance by Device NSS Labs, Inc. All rights reserved. 3

4 Analysis NSS Labs research indicates that the majority of enterprises will deploy traditional firewalls in front of their datacenters and at the core of the network to separate unrelated traffic. Because of this, NSS rates product performance based upon the average of three traffic types: 21KB HTTP response traffic, a mix of perimeter traffic common in enterprises, and a mix of internal core traffic common in enterprises. Details of these traffic mixes are available in the Firewall Test Methodology ( Every effort is made to deploy policies that ensure the optimal combination of security effectiveness and performance, as would be the aim of a typical customer deploying the device in a live network environment. This provides readers with the most useful information on key firewall security effectiveness and performance capabilities based upon their expected usage. NSS Throughput Rating Vendor Stated Throughput - 5,000 15,000 20,000 25,000 30,000 7,827 9,200 8,400 8,733 28, ,667 20,000 2,127 5,500 2,540 7, ,120 5,000 3,000 5,147 5,000 6,000 2,200 Figure 2: Vendor Claimed vs. NSS Rated Throughput in Mbps The results presented in the chart above show the difference between the NSS performance rating and vendor performance claims, which are often under ideal/unrealistic conditions. Where multiple figures are quoted by vendors, NSS selects those that relate to TCP, or with protection enabled, performance expectations, rather than the more optimistic UDP- only or large packet size performance figures often quoted. Even so, NSS rated throughput is typically lower than that claimed by the vendor, often significantly so, since it is more representative of how devices will perform in real- world deployments NSS Labs, Inc. All rights reserved. 4

5 UDP Throughput & Latency The aim of this test is to determine the raw packet processing capability of each in- line port pair of the device only. This traffic does not attempt to simulate any form of real- world network condition. No TCP sessions are created during this test, and there is very little for the detection engine to do in the way of protocol analysis. However, this test is relevant since vendors are forced to perform inspection on UDP packets as a result of VoIP, video, and other streaming applications. 20,000 18,000 16,000 14,000 Megabits per Second 12,000 8,000 6,000 4,000 2, Byte Packets 128 Byte Packets2 256 Byte Packets 512 Byte Packets 1024 Byte Packets 1514 Byte Packets UDP Packet Size Figure 3: UDP Throughput by Packet Size (I) Fortinet s Fortigate 800c was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds. The Juniper SRX 550 demonstrated the second best latency at microseconds NSS Labs, Inc. All rights reserved. 5

6 Product 64 Byte Packets 128 Byte Packets 256 Byte Packets 512 Byte Packets 1024 Byte Packets 1514 Byte Packets Barracuda F ,000 3,700 6,500 12,600 18,500 Check Point ,900 3,400 6,400 11,700 12,100 12,200 Cyberoam CR2500iNG 3,300 9,300 9,300 11,230 16,200 19,300 Dell SonicWALL NSA ,700 2,600 Fortinet FortiGate- 800c 18,900 19,500 19,600 19,700 19,800 19,900 Juniper SRX ,450 1,450 2,800 5,500 8,000 NETASQ NG1000- A ,200 2,300 4,800 7,300 NETGEAR ProSecure UTM9S Palo Alto Networks PA ,092 9,400 9,400 9,597 9,785 9,935 Sophos UTM ,450 2,450 4,600 6,000 6,000 Stonesoft FW ,600 4,400 8,300 14,900 19,100 19,900 WatchGuard XTM ,000 4,100 6,700 Figure 4: UDP Throughput by Packet Size (II) In- line security devices that introduce high levels of latency are unacceptable, especially where multiple security devices are placed in the data path. The chart below reflects the latency (in microseconds) as recorded during the UDP throughput tests at 90% of maximum load. Lower values are preferred. Product 64 Byte Packets - Latency (μs) 128 Byte Packets - Latency (μs) 256 Byte Packets - Latency (μs) 512 Byte Packets - Latency (μs) 1024 Byte Packets - Latency (μs) 1514 Byte Packets - Latency (μs) Barracuda F Check Point Cyberoam CR2500iNG 1, Dell SonicWALL NSA Fortinet FortiGate- 800c Juniper SRX NETASQ NG1000- A NETGEAR ProSecure UTM9S Palo Alto Networks PA Sophos UTM Stonesoft FW WatchGuard XTM Figure 5: UDP Latency by Packet Size (Microseconds) 2013 NSS Labs, Inc. All rights reserved. 6

7 Connection Dynamics Concurrency and Connection Rates These tests stress the detection engine to determine how the sensor copes with increasing rates of TCP connections per second, application layer transactions per second, and concurrent open connections. All packets contain valid payload and address data and these tests provide an excellent representation of a live network at various connection/transaction rates. Note that in all tests, the following critical breaking points where the final measurements are taken are used: Excessive concurrent TCP connections - latency within the firewall is causing unacceptable increase in open connections on the server- side. Excessive response time for HTTP transactions/smtp sessions - latency within the firewall is causing excessive delays and increased response time to the client. Unsuccessful HTTP transactions/smtp sessions normally, there should be zero unsuccessful transactions. Once these appear, it is an indication that excessive latency within the firewall is causing connections to time out. The following are the key connection dynamics results from the performance tests. Product Max. Concurrent TCP Connections Max. Concurrent TCP Connections w/data TCP Connections Per Second HTTP Connections Per Second HTTP Transactions Per Second Barracuda F800 1,000,000 1,000, , , ,000 Check Point ,500,000 1,500,000 52, , ,700 Cyberoam CR2500iNG 3,100,000 2,999, , , ,000 Dell SonicWALL NSA , ,000 15,600 10,300 25,000 Fortinet FortiGate- 800c 6,000,000 4,400, , , ,000 Juniper SRX , ,000 18,500 18,000 80,000 NETASQ ng1000- A 1,280,000 1,200,000 57,000 43, ,300 NETGEAR ProSecure UTM9S 16,700 15, ,400 Palo Alto Networks PA ,000,000 1,000,000 36,000 36, ,000 Sophos UTM ,000 2,000,000 12,000 31, ,000 Stonesoft FW ,000,000 2,900,000 57,000 51, ,600 WatchGuard XTM ,600,000 2,600,000 19,000 18, ,000 Figure 6: Concurrency and Connection Rates (I) 2013 NSS Labs, Inc. All rights reserved. 7

8 Beyond overall throughput of the device, connection dynamics can play an important role in sizing a security device that will not unduly impede the performance of a system or an application. Maximum connection and transaction rates help size a device more accurately than simply focusing on throughput. By knowing the maximum connections per second, it is possible to predict maximum throughput based upon the traffic mix in a given enterprise environment. For example If the device maximum HTTP CPS is 2,000, and average traffic size is 44KB such that 2,500 CPS = 1Gbps, then the tested device will achieve a maximum of 800 Mbps ((2,000/2,500) x 1,000 Mbps)) = 800 Mbps. Maximum concurrent TCP connections and maximum TCP connections per second rates are also useful metrics when attempting to size a device accurately. Products with low connection/throughput ratio run the risk of exhausting connections before they reach their maximum potential throughput. By knowing the maximum connections per second, it is possible to predict when a device will fail in a given enterprise environment. 250, ,000 Maximum TCP Connections per Second 150, ,000 50, ,000,000 2,000,000 3,000,000 4,000,000 5,000,000 6,000,000 7,000,000 Maximum Concurrent / Simultaneous TCP Connections Figure 7: Concurrency and Connection Rates (II) Higher up indicates increased connections per second capacity. Farther to the right indicates increased concurrent / simultaneous connections. Products with low concurrent connection / connection per second ratio run the risk of exhausting connections (sessions) before they reach their maximum potential connection rate NSS Labs, Inc. All rights reserved. 8

9 HTTP Connections per Second and Capacity In- line firewall devices exhibit an inverse correlation between security effectiveness and performance. The more deep- packet inspection is performed, the fewer packets can be forwarded. Furthermore, it is important to consider a real- world mix of traffic that a device will encounter. NSS tests aim to stress the HTTP detection engine in order to determine how the sensor copes with detecting and blocking under network loads of varying average packet size and varying connections per second. By creating genuine session- based traffic with varying session lengths, the sensor is forced to track valid TCP sessions, thus ensuring a higher workload than for simple packet- based background traffic. Each transaction consists of a single HTTP GET request and there are no transaction delays (i.e. the web server responds immediately to all requests). All packets contain valid payload (a mix of binary and ASCII objects) and address data. This test provides an excellent representation of a live network (albeit one biased towards HTTP traffic) at various network loads. HTTP Connections per Second and Capacity (Throughput) As previously stated, NSS research has found that there is usually a trade- off between security effectiveness and performance. Because of this, it is important to judge a product s security effectiveness within the context of its performance (and vice versa). This ensures that new security protections do not adversely impact performance and security shortcuts are not taken to maintain or improve performance. The following charts compare maximum connection rate (HTTP CPS), maximum rated throughput (Mbps) and average application latency (average HTTP response time in milliseconds) across a range of HTTP response sizes. Megabits per Second - 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9, ,400 3, ,120 3,000 3,320 2,520 WatchGuar d XTM 1050 Stonesoft FW-1301 Sophos UTM 425 Palo Alto Networks PA-5020 NETGEAR ProSecure UTM9S NETASQ NG1000-A Juniper SRX550 Fortinet FortiGate-8 00c Dell SonicWALL NSA 4500 Cyberoam CR2500iN G Check Point Barracuda F800 44Kbyte Response 2,520 3,320 3,000 4, ,080 2, Figure 8: Maximum Throughput Per Device With 44Kbyte Response 2013 NSS Labs, Inc. All rights reserved. 9

10 Megabits per Second - 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 8, ,880 2, ,160 3,000 2,940 2,200 WatchGuar d XTM 1050 Stonesoft FW-1301 Sophos UTM 425 Palo Alto Networks PA-5020 NETGEAR ProSecure UTM9S NETASQ NG1000-A Juniper SRX550 Fortinet FortiGate-8 00c Dell SonicWAL L NSA 4500 Cyberoam CR2500iN G 21Kbyte Response (Mbps) 2,200 2,940 3,000 4, ,720 1, ,780 Check Point Barracuda F800 Figure 9: Maximum Throughput Per Device With 21Kbyte Response Megabits per Second - 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 6,490 7,460 8, ,700 1,260 2, ,280 3,000 2,910 1,610 WatchGuard XTM 1050 Stonesoft FW-1301 Sophos UTM 425 Palo Alto Networks PA-5020 NETGEAR ProSecure UTM9S NETASQ NG1000-A Juniper SRX550 Fortinet FortiGate-800 c Dell SonicWALL NSA 4500 Cyberoam CR2500iNG Check Point KB Response (Mbps) 1,610 2,910 3,000 3, ,010 1,260 7, ,491 7,460 6,490 Barracuda F800 Figure 10: Maximum Throughput Per Device With 10Kbyte Response 2013 NSS Labs, Inc. All rights reserved. 10

11 Megabits per Second - 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 4,390 4,660 5, , , ,680 2,600 2, WatchGuard XTM 1050 Stonesoft FW-1301 Sophos UTM 425 Palo Alto Networks PA-5020 NETGEAR ProSecure UTM9S NETASQ NG1000-A Juniper SRX550 Fortinet FortiGate-800c Dell SonicWALL NSA 4500 Cyberoam CR2500iNG Check Point KB Response (Mbps) 965 2,200 2,600 1, , , ,650 4,660 4,390 Barracuda F800 Figure 11: Maximum Throughput Per Device With 4.5Kbyte Response Megabits per Second - 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 2,603 2,710 3, , ,150 1,400 1, WatchGuard XTM 1050 Stonesoft FW-1301 Sophos UTM 425 Palo Alto Networks PA-5020 NETGEAR ProSecure UTM9S NETASQ NG1000-A Juniper SRX550 Fortinet FortiGate-800c Dell SonicWALL NSA 4500 Cyberoam CR2500iNG Check Point KB Response (Mbps) 525 1,050 1,400 1, , ,675 2,710 2,603 Barracuda F800 Figure 12: Maximum Throughput Per Device With 1.7Kbyte Response 2013 NSS Labs, Inc. All rights reserved. 11

12 The following table shows the number of HTTP connections per second required to achieve the rated throughput. Product 44Kbyte Response 21Kbyte Response 10Kbyte Response 4.5Kbyte Response 1.7Kbyte Response Barracuda F800 25,000 43,900 64,900 87, ,100 Check Point ,000 50,000 74,600 93, ,400 Cyberoam CR2500iNG 25,000 50,000 84, , ,000 Dell SonicWALL NSA ,400 4,100 5,200 5,600 9,600 Fortinet FortiGate- 800c 25,000 50,000 77, , ,000 Juniper SRX550 6,000 9,400 12,600 15,400 17,600 NETASQ ng1000- A 7,700 13,600 20,100 27,200 36,800 NETGEAR ProSecure UTM9S Palo Alto Networks PA ,300 20,800 32,800 33,600 46,000 Sophos UTM 425 7,500 15,000 30,000 52,000 56,000 Stonesoft FW ,300 14,700 29,100 44,000 42,000 WatchGuard XTM ,300 11,000 16,100 19,300 21,000 Figure 13: Maximum Connection Rates Per Device With Various Response Sizes Application Average Response Time - HTTP (at 90% Max Capacity) The following table details the average application response time (application latency) with various traffic sizes at 90% Max Capacity (Throughput). The lower the number the better (improved application response time). Juniper SRX 3600 demonstrated the lowest (best) application response times, while the NETGEAR ProSecure UTM9S introduced the most application latency. Product 44Kbyte Latency (ms) 21Kbyte Latency (ms) 10Kbyte Latency (ms) 4.5Kbyte Latency (ms) 1.7Kbyte Latency (ms) Barracuda F Check Point Cyberoam CR2500iNG Dell SonicWALL NSA Fortinet FortiGate- 800c Juniper SRX NETASQ ng1000- A NETGEAR ProSecure UTM9S Palo Alto Networks PA Sophos UTM Stonesoft FW WatchGuard XTM Figure 14: Application Latency (Microseconds) Per Device With Various Response Sizes 2013 NSS Labs, Inc. All rights reserved. 12

13 Real- World Traffic Mixes The aim of these tests is to measure the performance of the device under test (DUT) in a real world environment by introducing additional protocols and real content, while still maintaining a precisely repeatable and consistent background traffic load. In order to simulate real use cases, different protocol mixes are utilized to model placement of the DUT within various locations on a corporate network. For details about real world traffic protocol types and percentages, see the NSS Labs Firewall Test Methodology, available at Real World Protocol Mix (Perimeter) Real World Protocol Mix (Core) - 2,000 4,000 6,000 8,000 4,700 5,200 6, ,000 1,500 1,200 3,000 3, ,500 3,700 3,000 3,000 3,800 2,600 1,800 8,700 Figure 15: Real- World Performance by Device Most vendors perform better in the real- world protocol mix (perimeter,) a protocol mix typically seen at an enterprise perimeter. However Fortinet Fortigate- 800c is the only vendor to scale equally well in the real- world protocol mix (core), a protocol mix typical of that seen in a large datacenter or the core of an enterprise network NSS Labs, Inc. All rights reserved. 13

14 Test Methodology Methodology Version: Firewall v4 A copy of the test methodology is available on the NSS Labs website at Contact Information NSS Labs, Inc. 206 Wild Basin Rd, Suite 200A Austin, TX USA +1 (512) info@nsslabs.com v This and other related documents available at: To receive a licensed copy or report misuse, please contact NSS Labs at +1 (512) or sales@nsslabs.com NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners NSS Labs, Inc. All rights reserved. 14