PIOLINK, Inc. PIOLINK, Inc. commissioned The

Transcription

1 PIOLINK, Inc. Layer 4/7 Load Balancer, Firewall Performance and Worm Attack Protection Evaluation Premise: Deploying intelligent Layer 4-7 application switch with firewall functionality is not uncommon because the application switches by their nature provide Layer 4-7 packet recognition. Network managers already know that this approach saves money and avoids complexity. Even more critical value for enterprise network managers is high performance and strict security standards, however, they need to know that the high-end application switches not only provide excellent traffic processing capability along with firewall functionality, but also deliver always-on, highly secure and mission critical applications to their users. PIOLINK, Inc. commissioned The Tolly Group and TTA to evaluate the (PAS 45) for Layer 4-7 firewall and load balancing performance, and the impact of the PIOLINK Security Manager (PSM) on the performance. The PAS 45 is an intelligent and secure application switch that provides Layer 4-7 load balancing and application/network security with PSM. The PSM is PIOLINK's unique security system and enhances security by offloading deep packet inspection from the PAS 45 without imposing noticeable delays on the other traffic in the same data path. First, engineers measured the throughput of the PAS 45 as a firewall after configuring Layer 4 filters (based on service port number) and Layer 7 filters (based on application payload signature) respectively for various number of filters and frame sizes. Second, engineers measured the TCP connection rate of the PAS 45 when con- T H E TOLLY G R O U P No. 6 March 6 Test Highlights Delivers 3 Gbps of bi-directional, zero-loss (.%) firewall throughput when tested with over 5-byte frames in a scenario with up to, Layer 4 filters in bridge mode Achieves a steady-state TCP connection rate of,3 connections per second with no TCP connection failures in Layer 4 load balancing Achieves a steady-state HTTP transaction rate of 5,68 transaction per second with no transaction failures in Layer 7 load balancing Forwards.44 Gbps HTTP traffic and 6 Mbps UDP traffic without performance degradation and transaction failures while blocking SQL-slammer worm attacks at, packet per second Throughput (Gbps) Zero-loss (<=.%) Aggregate Firewall Throughput Across PIOLINK PAS 45 with Layer 4 Filters in Two Pairs of Ports, Bbridge Mode as reported by IXIA Scriptmate ,4 Frame Sizes (Bytes) Test Summary Source: TTA/The Tolly Group, December 5 Figure 6 The Tolly Group Page ,58 filter filters 5 filters, filters

2 figured as a Layer 4 load balancer. Here, the TCP connection refers to the typical TCP three-way open/close handshaking procedure. Third, engineers measured the HTTP transaction rate of the PAS 45 when configured as a Layer 7 load balancer. Each HTTP transaction consisted of the typical TCP threeway open/close handshaking procedure with a HTTP Get/Reply for data transfer. Fourth, engineers measured the capability of the PAS 45 that processes legitimate HTTP and UDP traffic while blocking the attack traffic. Before running the actual test, the engineers uploaded the signatures to protect the PAS 45 from the attacks like viruses and worms using PSM and then checked whether PSM was active by sending attack traffic listed in the signatures uploaded. R e s u l t s Firewall Throughput with Layer 4 Filters Engineers measured the bi-directional zero-loss (.%) throughput across the PAS 45, when the PAS 45 was configured as a Layer 4 firewall with,, 5 and, Layer 4 filters, four interfaces and processing frame sizes of 64, 8, 56, 5,,4 and,58 bytes. When handling frames over 5 byte sizes, the PAS 45 delivered bidirectional 3 Gbps throughput for all four different filter configurations. For smaller frame sizes, it forwarded the.9 Gbps,.6 Gbps and.4 Gbps for 64-, 8- and 56-byte frames respectively. The number of Layer 4 filters, up to, filters tested, does not affect the Layer 4 firewall throughput performance. Throughput (Gbps) Connections Per Second Zero-loss (<=.%) Aggregate Firewall Throughput Across PIOLINK PAS 45 with Layer 7 Filters in Two Pairs of Gigabits Ethernet Ports, Bridge Mode as reported by IXIA Scriptmate 4 3 Source: TTA/The Tolly Group, December 5 Figure Steady-state TCP Connection Rate and HTTP Transaction Rate As reported by IxLoad. and Avalanche Command 6.5 5,, 75, 5, 5, ,4,3.5.6 TCP Connection Rate in Layer 4 Load Balancing As reported by IxLoad.5 Frame Sizes (Bytes) 5,68 HTTP Transaction Rate in Layer 7 Load Balancing As reported by Avalanche 5,, 75, 5, 5, * Each TCP connection consisted of a TCP open and a TCP close. * Each HTTP transaction consisted of a TCP open, HTTP Get/Reply and a TCP close..5 filter filters 5 filters, filters ,58.5 Transactions Per Second Source: TTA/The Tolly Group, December 5 Figure 3 6 The Tolly Group Page

3 Firewall Throughput with Layer 7 Filters Engineers measured the bi-directional zero-loss (.%) throughput across the PAS 45, when the PAS 45 was configured as a Layer 7 firewall with,, 5 and, Layer 7 filters, four interfaces and processing frame sizes of 64, 8, 56, 5,,4 and,58 bytes. For the,58-byte frame test, the PAS 45 delivered up to.9 Gbps of throughput for single- and -filter configurations and.5 Gbps for 5- and,-filter configurations. For other frame sizes, it forwarded the bi-directional throughput of,.,.5,.,.4 Gbps for 64-byte, 8-byte, 56-byte, 5-byte and,4-byte frames respectively. TCP Connection Rate with Layer 4 Load Balancing Engineers used Ixia IxLoad to measure the maximum TCP connection rate of the PAS 45 for Layer 4 load balancing. The PAS 45 yielded a connection rate of,3 connections per second in sustaining phase without any failures. Each connection involved a typical three-way TCP open and three-way TCP close. HTTP Transaction Rate with Layer 7 Load Balancing Engineers used the Spirent Avalanche test system to conduct a Layer 7 URL switching test to determine the maximum steady-state Layer 7 switching transaction rate that the PAS 45 can sustain without any failed transactions. A URL string match was used to decide the server to which a given HTTP GET request must be switched. The PAS 45 supported an average of 5,68 transactions per second without any failures when it was configured as a Layer 7 load balancer. Each HTTP transaction consisted of a TCP open, HTTP Get/Reply and a TCP close procedure. PSM Performance Tests were performed to assess the capability of the PAS 45 to sustain legitimate UDP and HTTP traffic while being subjected to a SQL Slammer worm attack. For this test, engineers enabled the PSM and uploaded the signatures on the PAS 45 to protect worm and virus attack. While Avalanche/Reflector generated the HTTP transactions across the PAS 45, IXIA injected UDP and worm traffic into the PAS 45. Tests show that PAS 45 continued servicing.4 Gbps of HTTP application traffic and 6 Mbps of UDP traffic without any transaction failure or packet loss during the SQL- Slammer attack, generated at the rate of, packets per second. The aggregate throughput for the legitimate traffic was.37 Gbps and the PAS equipped with the PSM blocked the illegal worm traffic completely. A n a l y s i s As real-world traffic is getting much more complex and various malicious attacks such as SQL-Slammer worm keep making their debuts, corporate network users need more intelligent and innovative solutions to secure themselves without sacrificing the performance. In order to grasp two factors - performance and security - in a cost-effective way, the need for highly secure and powerful application switch appliances becomes PIOLINK, Inc. PIOLINK Application Switch 45 Layer 4/7 Load Balancer, Firewall Performance and Worm Attack Proteciton Evaluation PIOLINK, Inc. Product Specifications* PAS 45 Specifications O Ports : 9*//Base-TX or 5*Base-SX, 4*Base-X SFP Slot O Management Ports : *RS-3(RJ45), */Base-TX O Memory :.5 GB O Concurrent Sessions :,, O Backplane : 44 Gbps O Max. Virtual / Actual Servers : 4 O Max. MAC Address : 89 O Max. VLAN(8.q) : 56 O Size ( WxDxH) : 438 x 545 x 88 mm [ Rack Units] O Load Balancing & Redirection HTTP, HTTPS (SSL), FTP, SMTP, POP3, IMAP, DNS, LDAP, VPN, Firewall, IPS and others HTTP/HTTPS Cache Redirection O Layer 4-7 Switching Failure Monitoring (Health Check): L3/L4/L7 and Script Load Balancing Algorithms: Hashing, Round Robin, Weighted Round Robin, Least Connection, Weighted Least Connection and Max Connection One-Arm Configuration (Direct Server Return) URL/Cookie/SSL ID-based Load Balancing Radius Authentication O High Availability evrrp (Enhanced VRRP) Stateful Active-Standby/Active-Active Failover Dual Power Supply / Dual Flash Memory O Security (Option PSM) Network Worm Block (Blaster, Welchia, etc) Worm Block (Mydoom, Bagle, Sober, etc) Spam Filter (Sender, Receiver, Title, etc) DoS/DDoS Attack (Ping of Death, Smurf, etc) Flood Control (In/Outbound Session Control) Scan Block (Port Scan, Fingerprint, etc) Intrusion Prevention (Application Vulnerability) Support Signature Auto Update Service O Certificate MIC, VCCI and CE For more information contact: PIOLINK Inc. IT Castle -4, 55- Gasan-Dong, Geumcheon-Gu, Seoul 53-83, Korea Phone: Fax: URL: * Vendor-supplied information not verified by TTA and The Tolly Group 6 The Tolly Group Page 3

4 Legitimate HTTP and UDP Throughput Performance During the SQL Slammer Worm Attack in Bridge Mode As reported by Avalanche Commander 6.5 and IxExplorer 3.7 HTTP + UDP Traffic Total.37 Gbps Attack Duration Throughput (Gbps) Time elapsed (minutes) HTTP Traffic (.4 Gbps) UDP Traffic (6 Mbps) * Each HTTP transaction consists of a TCP open, HTTP Get/Reply and a TCP close * 6 Mbps UDP traffic,, attacks/sec SQL Slammer Worm Attack Source: TTA/The Tolly Group, December 5 Figure 4 obvious. Server farms must stay safe from the outside malicious attacks; often application switches are deployed right in front of the server farms. Using application switches to distribute traffic to the servers as well as protect them would be both financially and logistically advantageous, and will be a good selection for the multi-tiered Web infrastructure. Many application switches can push hundreds of Mbps of traffic while providing firewall functionality to a site, without any performance hit, but a few high-end application switches can handle a couple of Gbps of traffic while protecting server farms. Firewall throughput test results showed that, when handling frames over 5 bytes, PAS 45 processed 3 Gbps and over Gbps of the traffic for up to, Layer 4 filters and Layer 7 filters, respectively. This resulted from a high-performance NPU (Network Processing Unit) loaded on the PAS 45, capable of processing the frames at high speed. By showing consistently good performance even with, Layer 4 or Layer 7 filters active, the PAS 45 proved its capability in the large-scale network access points where high-speed packet processing and packet filtering are mandatory. PAS 45 demonstrated that it sustains,3 TCP connections per second without failures for Layer 4 load balancing. This connection rate does not include the data transfer. When PAS 45 was running as a Layer 7 load balancer, it recorded an average of 5,68 transactions per second during the steady state while emulated clients were fetching 8- byte objects from emulated servers across PAS 45. The connection rate of an application switch has a direct impact on the overall application performance and scalability. TCP connection rate and HTTP transaction rate showed how fast the PAS 45 can set up connections and transfer the realworld traffic. Especially, the HTTP transaction rate proved that the PAS 45 is capable of supporting very aggressive real-world Web environments which require fast and secure processing of the various types of dynamic application traffic. This result is due to the innovative and unique internal architecture of the PAS 45. With optimization of the architecture, the PAS 45 could support a large number of sessions while accepting a lot of new application requests from clients. Application and server farm security is a critical challenge. It is real benefit if the application switch could provide a line of defense for the application infrastructure, and protect against attacks targeting applications and servers. Test results show that the PAS 45 equipped with the 6 The Tolly Group Page 4

5 PSM effectively defends against the SQL-Slammer worm attack (, attacks/sec) while continually servicing Gbps of aggregate legitimate application traffic (.4 Gbps HTTP and Gbps UDP) without impact. T e s t C o n f i g u r a t i o n A n d M e t h o d o l o g y The Tolly Group/TTA tested a (PAS 45) that was outfitted with nine fiber ports and nine redundant copper Gigabit Ethernet ports. For the firewall test, engineers configured the PAS 45 with Layer 4 filters (based on service port number) and Layer 7 filters (based on application payload signature) respectively. Engineers connected four interfaces of the PAS 45 to the IXIA chassis, traffic generator and analyzer. Engineers also configured the PAS 45 to run in bridge mode with one subnet for all interfaces connected. Engineers measured the bi-directional, zero-loss (.%) firewall throughput of the PAS 45 for a various number of filters and frame sizes using bi-directional, one-to-one pattern test traffic between four interfaces. Engineers also checked whether Layer 4 and Layer 7 filters were active by sending some sample traffic blocked by the filters on the PAS 45 before running the real test. For this test, four different numbers of Layer 4 and Layer 7 filters were tested;,, 5 and, filters and six types of frame sizes were used for all test cases; 64-, 8-, 56-, 5-, 4-,,58-bytes (including CRC and VLAN tag of each four bytes). Engineers measured the TCP connection rate of the PAS 45 when served as a Layer 4 load balancer. Engineers connected four Gigabit Ethernet interfaces to the IXIA chassis. Two interfaces were used to simulate the client part and other two interfaces simulated the server part. Engineers allocated two client interfaces into one subnet and two server interfaces into the other subnet and setup the load of 55, connections per second (cps) for each interface. In this test, TCP connections were completed with three-way open/close handshaking procedure and no data packets were requested. The test continued to complete total.6 million TCP connections between client and server interfaces. Engineers averaged the results collected from steady-state period as final result. Next, engineers measured the HTTP transaction rate of the PAS 45 when served as a Layer 7 load balancer. Engineers connected eight interfaces to the Avalanche/Reflector chassis. Four interfaces connected to the Avalanche chassis emulating the real-life Web clients and other four interfaces connected to the Reflector chassis emulating Web servers. Engineers allocated all of the interfaces to different subnet segments, namely total eight segments were created. In this test, an HTTP transaction consisted of the typical TCP 3-way open/close handshaking procedure with one HTTP Get/Reply. Engineers configured the PAS 45 to evenly distribute the inbound Web requests to Web servers according to two URL switching rules. To verify the URL switching function, engineers placed the Agilent's LAN Advisor between the PAS 45 and Reflector, and monitored the flowing traffic and checked HTTP header information. Engineers controlled the load of test traffic generated by Avalanche by four phases: ramp-up, stair-step, steady-state and ramp-down. Engineers averaged the results collected only from the five-minute steady-state phase as a final result. Lastly, engineers measured the capability of the PAS 45 that processes legitimate HTTP and UDP traffic while blocking the malicious traffic. Engineers enabled the PSM on PAS 45 and operated in bridge mode with one subnet for all segments between test tools and PAS 45. Engineers connected the four interfaces to Avalanche/Reflector chassis and the other four interfaces to the IXIA chassis. In this test, the PSM was loaded with,39 signatures. Avalanche/Reflector generated the legitimate stateful HTTP traffic and IXIA generated the legitimate UDP traffic and attack traffic with SQL- Slammer worm signature. Engineers utilized 8 Kbytes of HTTP objects and,58 bytes of UDP packets. While Avalanche/Reflector generated.4 Gbps of HTTP traffic, engineers started IXIA IxExplorer to inject both Gbps of UDP traffic and SQL-Slammer attack at, packets/sec to the PAS 45 and observed the impact on legitimate traffic throughput. 6 The Tolly Group Page 5

6 Test Bed IXIA 6T IxLoad console (Device Under Test) Avalanche Avalanche console Reflector Source: TTA/The Tolly Group, December 5 Figure 5 The Tolly Group gratefully acknowledges the providers of test equipment used in this project. Vendor Product Web address Agilent Technology LAN Advisor IXIA IXIA 6T IXIA IxLoad. Spirent Communications Avalanche/Reflector Terms of Usage USE THIS DOCUMENT ONLY IF YOU AGREE TO THE TERMS LISTED HEREIN. This document is provided, free-of-charge, to help you understand whether a given product, technology or service merits additional investigation for your particular needs. Any decision to purchase must be based on your own assessment of suitability. This evaluation was focused on illustrating specific features and/or performance of the product(s) and was conducted under controlled, laboratory conditions and certain tests may have been tailored to reflect performance under ideal conditions; performance may vary under real-world conditions. Users should run tests based on their own real-world scenarios to validate performance for their own networks. Commercially reasonable efforts were made to ensure the accuracy of the data contained herein but errors and/or oversights can occur. Project Profile The test/audit documented herein may also rely on various test tools the accuracy of which is beyond our control. Furthermore, the document relies on certain representations by the sponsor that are beyond our control to verify. Among these is that the software/hardware tested is production or production track and is, or will be, available in equivalent or better form to commercial customers. The Tolly Group provides a fee-based service to assist users in understanding the applicability of a given test scenario to their specific needs. Contact us for information. When foreign translations exist, the English document is considered authoritative. To assure accuracy, only use documents downloaded directly from The Tolly Group's Web site. Sponsor: PIOLINK, Inc. Document number: 6 Product class: Layer 4-7 Application Switch Products under test: Testing window: December 5 Hardware version:pas-459-pfm-3. Software versions: 3.4. Software status: Generally available For more information on this document, or other services offered by The Tolly Group, visit our World Wide Web site at send to [email protected], call (56) Information technology is an area of rapid growth and constant change. The Tolly Group conducts engineering-caliber testing in an effort to provide the internetworking industry with valuable information on current products and technology. While great care is taken to assure utmost accuracy, mistakes can occur. In no event shall The Tolly Group be liable for damages of any kind including direct, indirect, special, incidental, and consequential damages which may result from the use of information contained in this document. All trademarks are the property of their respective owners. The Tolly Group doc. 6 rev. leechs 7 Mar 6 6 The Tolly Group Page 6