TEST METHODOLOGY. Data Center Firewall. v2.0

Similar documents
TEST METHODOLOGY. Network Firewall Data Center. v1.0

TEST METHODOLOGY. Distributed Denial-of-Service (DDoS) Prevention. v2.0

NETWORK FIREWALL TEST METHODOLOGY 3.0. To receive a licensed copy or report misuse, Please contact NSS Labs at: or advisor@nsslabs.

TEST METHODOLOGY. Hypervisors For x86 Virtualization. v1.0

How To Test A Ddos Prevention Solution

WEB APPLICATION FIREWALL PRODUCT ANALYSIS

2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles

TEST METHODOLOGY. Secure Web Gateway (SWG) v1.5.1

TEST METHODOLOGY. Web Application Firewall. v6.2

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

ENTERPRISE EPP COMPARATIVE REPORT

DATA CENTER IPS COMPARATIVE ANALYSIS

NEXT GENERATION FIREWALL TEST REPORT

WEB APPLICATION FIREWALL COMPARATIVE ANALYSIS

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

NEXT GENERATION FIREWALL PRODUCT ANALYSIS

DATA CENTER IPS COMPARATIVE ANALYSIS

SSL Performance Problems

NEXT GENERATION FIREWALL PRODUCT ANALYSIS

2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles

ACHILLES CERTIFICATION. SIS Module SLS 1508

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

How To Sell Security Products To A Network Security Company

Why Is DDoS Prevention a Challenge?

Breach Found. Did It Hurt?

NETWORK INTRUSION PREVENTION SYSTEM PRODUCT ANALYSIS

Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone

Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT

NEXT GENERATION INTRUSION PREVENTION SYSTEM (NGIPS) TEST REPORT

By the Citrix Publications Department. Citrix Systems, Inc.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Availability Digest. Redundant Load Balancing for High Availability July 2013

4 Delivers over 20,000 SSL connections per second (cps), which

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Proxy Server, Network Address Translator, Firewall. Proxy Server

TEST METHODOLOGY. Endpoint Protection Evasion and Exploit. v4.0

TEST METHODOLOGY. Next Generation Firewall (NGFW) v5.4

Technical Brief. DualNet with Teaming Advanced Networking. October 2006 TB _v02

Stingray Traffic Manager Sizing Guide

- Introduction to Firewalls -

Managing Latency in IPS Networks

Intro to Firewalls. Summary

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

The CISO s Guide to the Importance of Testing Security Devices

FIREWALLS & CBAC. philip.heimer@hh.se

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

INSTANT MESSAGING SECURITY

Performance of Cisco IPS 4500 and 4300 Series Sensors

Implementing Network Address Translation and Port Redirection in epipe

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

BROWSER SECURITY COMPARATIVE ANALYSIS

Network Simulation Traffic, Paths and Impairment

DMZ Network Visibility with Wireshark June 15, 2010

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

CMPT 471 Networking II

A Layperson s Guide To DoS Attacks

VPN. Date: 4/15/2004 By: Heena Patel

INTRODUCTION TO FIREWALL SECURITY

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

ETM System SIP Trunk Support Technical Discussion

FortiGate-3950B Scores 95/100 on BreakingPoint Resiliency Score (Security, Performance, & Stability)

axsguard Gatekeeper Internet Redundancy How To v1.2

DDoS Protection Technology White Paper

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Overview. Firewall Security. Perimeter Security Devices. Routers

Architecture Overview

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

High Availability Configuration Guide Version 9

Network Agent Quick Start

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

About Firewall Protection

NEXT-GENERATION FIREWALL

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Flexible Routing and Load Control on Back-End Servers. Controlling the Request Load and Quality of Service

Mobile App Containers: Product Or Feature?

Firewall Architecture

Security Technology White Paper

Achieve Deeper Network Security and Application Control

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Proactive Performance Management for Enterprise Databases

On-Premises DDoS Mitigation for the Enterprise

Chapter 7. Firewalls

10 Configuring Packet Filtering and Routing Rules

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

HP Load Balancing Module

Lab VI Capturing and monitoring the network traffic

Networking for Caribbean Development

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG5 How-To Guide. Network Address Translation. July 2011 Revision 1.0

Dell One Identity Cloud Access Manager How to Configure for High Availability

Transcription:

TEST METHODOLOGY Data Center Firewall v2.0

Table of Contents 1 Introduction... 4 1.1 The Need for Firewalls in the Data Center... 4 1.2 About This Test Methodology and Report... 4 1.3 Inclusion Criteria... 5 2 Product Guidance... 6 2.1 Recommended... 6 2.2 Neutral... 6 2.3 Caution... 6 3 Security Effectiveness... 7 3.1 Firewall Policy Enforcement... 7 3.1.1 Baseline Policy... 7 3.1.2 Simple Policies... 7 3.1.3 Complex Policies... 8 3.1.4 Static NAT (Network Address Translation)... 8 3.1.5 Dynamic/Hide NAT (Network Address Translation)... 8 3.1.6 SYN Flood Protection... 8 3.1.7 IP Address Spoofing... 8 3.1.8 TCP Split Handshake Spoof... 8 4 Performance... 9 4.1 Raw Packet Processing Performance (UDP Traffic)... 9 4.1.1 64 Byte Packets... 9 4.1.2 128 Byte Packets... 9 4.1.3 256 Byte Packets... 9 4.1.4 512 Byte Packets... 9 4.1.5 1024 Byte Packets... 9 4.1.6 1514 Byte Packets... 9 4.2 Latency... 10 4.2.1 64 Byte Frames... 10 4.2.2 128 Byte Frames... 10 4.2.3 256 Byte Packets... 10 4.2.4 512 Byte Packets... 10 4.2.5 1024 Byte Packets... 10 4.2.6 1514 Byte Packets... 10 4.3 Maximum Capacity... 10 4.3.1 Theoretical Maximum Concurrent TCP Connections... 11 4.3.2 Theoretical Maximum Concurrent TCP Connections with Data... 11 4.3.3 Maximum TCP Connections per Second... 11 2

4.3.4 Maximum HTTP Connections per Second... 11 4.3.5 Maximum HTTP Transactions per Second... 11 4.4 HTTP Capacity with No Transaction Delays... 12 4.4.1 44 KB HTTP Response Size 2,500 Connections per Second... 12 4.4.2 21 KB HTTP Response Size 5,000 Connections per Second... 12 4.4.3 10 KB HTTP Response Size 10,000 Connections per Second... 12 4.4.4 4.5 KB HTTP Response Size 20,000 Connections per Second... 12 4.4.5 1.7 KB HTTP Response Size 40,000 Connections per Second... 13 4.5 Application Average Response Time: HTTP... 13 4.6 HTTP Connections per Second and Capacity (with Delays)... 13 4.7 Real-World Traffic... 13 4.7.1 Real-World Protocol Mix (Data Center Financial)... 13 4.7.2 Real-World Protocol Mix (Data Center Virtualization Hub)... 13 4.7.3 Real-World Protocol Mix (Data Center Mobile Users and Applications)... 13 4.7.4 Real-World Protocol Mix (Data Center Web-Based Applications and Services)... 13 4.7.5 Real-World Protocol Mix (Data Center Internet Service Provider (ISP) Mix)... 14 5 Stability and Reliability... 15 5.1 Blocking under Extended Attack... 15 5.2 Passing Legitimate Traffic under Extended Attack... 15 5.3 Protocol Fuzzing and Mutation... 15 5.4 Power Fail... 16 5.5 Persistence of Data... 16 5.6 High Availability (HA)... 16 5.6.1 Failover Legitimate Traffic... 16 5.6.2 Time to Failover... 16 5.6.3 Stateful Operation... 16 6 Total Cost of Ownership and Value... 17 Contact Information... 18 3

1 Introduction 1.1 The Need for Firewalls in the Data Center Firewall technology is one of the largest and most mature security markets. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy-based) and dynamic packet filtering firewalls. Throughout their history, however, the goal has been to enforce an access control policy between two networks, and thus firewalls should be viewed as an implementation of policy. A firewall is a mechanism used to protect a trusted network from an untrusted network, while allowing authorized communications to pass from one side to the other. When considering firewalls for the data center rather than for the network perimeter, there are several key metrics that must be adjusted. Performance metrics, while important in any firewall, become more critical in a device intended for data center deployment. The volume of traffic will be significantly higher than for a firewall that is intended to enforce policy for end users accessing the Internet through the corporate network perimeter. Data center firewalls must support much higher data rates as they handle traffic for potentially hundreds of thousands of users who are accessing large applications in a server farm inside the network perimeter. Connection rate and concurrent connection capacity are also metrics that become even more critical in data center firewalls. Traffic mix will alter significantly between a corporate network perimeter and a data center, and this can place additional load on the firewall inspection process. Stateless UDP traffic (such as would be seen in a network file system [NFS]) and long-lived TCP connections (such as would be seen in an iscsi storage area network [SAN], or a backup application) are common in many data center networks. These types of applications present a continued and heavy load to the network. Within the data center, application traffic puts a very different load on the network than does file system traffic. Client-server communications between users and servers, and server-server communications between applications, database, and directory servers have markedly different profiles. Application traffic is connectionintensive, with connections constantly being set up and torn down. Firewalls that include any form of application awareness capabilities will find particular challenges in data center deployments. Latency is also a critical concern since applications will be adversely affected if the firewall introduces delays. 1.2 About This Test Methodology and Report NSS Labs test reports are designed to address the challenges faced by IT professionals in selecting and managing security products. The scope of this particular methodology includes: Security effectiveness Performance Stability and reliability Total cost of ownership (TCO) In order to establish a secure perimeter, a basic network firewall must provide granular control based upon the source and destination IP addresses and ports. As firewalls will be deployed at critical points in the network, the stability and reliability of a firewall is imperative. 4

In addition, the firewall must not degrade network performance, or it will never be installed. Any new firewall must be as stable, as reliable, as fast, and as flexible as the firewall it is replacing. The following capabilities are considered essential in a data center firewall: Basic packet filtering Stateful inspection Network Address Translation (NAT) Highly stable Ability to operate at Layer 3 (IPv4) 1.3 Inclusion Criteria In order to encourage the greatest participation and to allay any potential concerns of bias, NSS invites all security vendors claiming firewall capabilities to submit their products at no cost. Vendors with major market share, as well as challengers with new technology, will be included. The firewall should be supplied as a single appliance, where possible (clustered devices with a master controller solutions are acceptable), with the appropriate number of physical interfaces capable of achieving the required level of connectivity and performance (minimum of one in-line segment per physical medium unit of throughput). Firewall products should be implemented as inline Layer 3 (routing) devices. Multiple separate connections will be made from the external to internal switches via the device under test (DUT), subject to a minimum of one in-line port pair per gigabit of throughput. Thus, an 80 Gbps device with only four 10 Gbps port pairs will be limited to 40 Gbps. The minimum number of port pairs will be connected to support the claimed maximum bandwidth of the DUT. Once installed in the test lab, the DUT will be configured for the use case appropriate to the target deployment (corporate data center). The DUT should also be configured to block all traffic when resources are exhausted or when traffic cannot be analyzed for any reason. 5

2 Product Guidance NSS Labs issues summary product guidance based on evaluation criteria that is important to information security professionals. The evaluation criteria are weighted as follows: Security effectiveness The primary reason for buying a firewall is to separate internal trusted networks from external untrusted networks, while allowing select controlled traffic to flow between trusted and untrusted networks. Resistance to evasion Failure in any evasion class permits attackers to circumvent protection. Stability Long-term stability is particularly important for an in-line device, where failure can produce network outages. Performance Correct sizing of a firewall is essential. Value Customers should seek low TCO and high effectiveness and performance rankings. Products are listed in rank order according to their guidance rating. 2.1 Recommended A Recommended rating from NSS indicates that a product has performed well and deserves strong consideration. Only the top technical products earn a Recommended rating from NSS, regardless of market share, company size, or brand recognition. 2.2 Neutral A Neutral rating from NSS indicates that a product has performed reasonably well and should continue to be used if it is the incumbent within an organization. Products that earn a Neutral rating from NSS deserve consideration during the purchasing process. 2.3 Caution A Caution rating from NSS indicates that a product has performed poorly. Organizations using one of these products should review their security posture and other threat mitigation factors, including possible alternative configurations and replacement. Products that earn a Caution rating from NSS should not be short-listed or renewed. 6

3 Security Effectiveness This section verifies that the DUT is capable of enforcing a specified security policy effectively. NSS firewall analysis is conducted by incrementally building upon a baseline configuration (simple routing with no policy restrictions) to a complex, real-world, multiple-zone configuration supporting many addressing modes, policies, applications and inspection engines. At each level of complexity, test traffic is passed across the firewall to ensure that only specified traffic is allowed and all other traffic is denied, and that appropriate log entries are recorded. The firewall must support stateful firewalling either by managing state tables to prevent traffic leakage, or as a stateful proxy. The ability to manage firewall policy across multiple interfaces/zones is a required function. At a minimum, the firewall must provide a trusted internal interface, an untrusted external/internet interface, and (optionally) one or more DMZ interfaces. In addition, a dedicated management interface (virtual or otherwise) is preferred. 3.1 Firewall Policy Enforcement Policies are rules that are configured on a firewall to permit or deny access from one network resource to another, based on identifying criteria such as source, destination, and service. A term typically used to define the demarcation point of a network where policy is applied is demilitarized zone (DMZ). Policies are typically written to permit or deny network traffic from one or more of the following zones: Untrusted This is typically an external network and is considered to be unknown and not secure. An example of an untrusted network would be the Internet. DMZ This is a network that is being isolated by the firewall restricting network traffic to and from hosts contained within the isolated network. Trusted This is typically an internal network that is considered secure and protected. The NSS firewall tests verify performance and the ability to enforce policy between the following: Trusted to Untrusted Untrusted to DMZ Trusted to DMZ Note: Firewalls must provide at a minimum one DMZ interface in order to provide a DMZ or transition point between untrusted and trusted networks. 3.1.1 Baseline Policy Routed configuration with an allow all policy 3.1.2 Simple Policies Simple outbound and inbound policies allowing basic browsing and email access for external clients and no other external access 7

3.1.3 Complex Policies Complex outbound and inbound policies consisting of many rules, objects, and services 3.1.4 Static NAT (Network Address Translation) Inbound network address translation (NAT) to DMZ using fixed IP address translation with one-to-one mapping 3.1.5 Dynamic/Hide NAT (Network Address Translation) Outbound network address translation (NAT) (from internal to external), where all outbound traffic hides behind the IP address of the external interface of the firewall utilizing a pool of high ports to manage multiple connections 3.1.6 SYN Flood Protection The basis of a SYN flood attack is to fail to complete the three-way handshake necessary to establish a legitimate session. The objective of SYN flooding is to disable one side of the TCP connection, which will result in one or more of the following: The server is unable to accept new connections. The server crashes or becomes inoperative. Authorization between servers is impaired. 3.1.7 IP Address Spoofing This test attempts to confuse the firewall into allowing traffic to pass from one network segment to another. By forging the IP header to contain a different source address from where the packet was actually transmitted, an attacker can make it appear that the packet was sent from a different (trusted) machine. The endpoint that receives successfully spoofed packets will respond to the forged source address (the attacker). The DUT is expected to protect against IP address spoofing. 3.1.8 TCP Split Handshake Spoof This test attempts to confuse the firewall into allowing traffic to pass from one network segment to another. The TCP split handshake blends features of both the three-way handshake and the simultaneous-open connection. The result is a TCP spoof attack that allows an attacker to bypass the firewall by instructing the target to initiate the session back to the attacker. Popular TCP/IP networking stacks respect this handshaking method, including Microsoft, Apple, and Linux stacks, with no modification. The DUT is expected to protect against TCP split handshake spoofing. 8

4 Performance This section measures the performance of the firewall using various traffic conditions that provide metrics for realworld performance. Individual implementations will vary based on usage; however, these quantitative metrics provide a gauge as to whether a particular DUT is appropriate for a given environment. 4.1 Raw Packet Processing Performance (UDP Traffic) This test uses UDP packets of varying sizes generated by traffic generation tools. A constant stream of the appropriate packet size, with variable source and destination IP addresses transmitting from a fixed source port to a fixed destination port, is transmitted bi-directionally through each port pair of the DUT. Each packet contains dummy data and is targeted at a valid port on a valid IP address on the target subnet. The percentage load and frames per second (fps) figures across each inline port pair are verified by network monitoring tools before each test begins. This traffic does not attempt to simulate any form of real-world network condition. No TCP sessions are created during this test, and there is very little for the state engine to do. The aim of this test is to determine the raw packet processing capability of each inline port pair of the DUT and to determine its effectiveness at forwarding packets quickly in order to provide the highest level of network performance and the lowest latency. 4.1.1 64 Byte Packets Maximum 1,488,000 frames per second per gigabit of traffic. This test determines the ability of a device to process packets from the wire under the most challenging packet processing conditions. 4.1.2 128 Byte Packets Maximum 844,000 frames per second per gigabit of traffic 4.1.3 256 Byte Packets Maximum 452,000 frames per second per gigabit of traffic 4.1.4 512 Byte Packets Maximum 234,000 frames per second per gigabit of traffic. This test provides a reasonable indication of the ability of a device to process packets from the wire on an average network. 4.1.5 1024 Byte Packets Maximum 119,000 frames per second per gigabit of traffic 4.1.6 1514 Byte Packets Maximum 81,000 frames per second per gigabit of traffic. This test assesses a device s maximum achievable bit rate, with a minimum of influence by its packet forwarding capacity. 9

4.2 Latency The purpose of the latency test is to determine the amount of time it takes for network traffic to pass through a DUT under a range of load conditions. The average latency (s) is recorded for each specified packet size at a load level of 90% of the maximum throughput with zero packet loss, as previously determined in section 4.1. 4.2.1 64 Byte Frames Maximum 1,488,000 frames per second per gigabit of traffic. 4.2.2 128 Byte Frames Maximum 844,000 frames per second per gigabit of traffic 4.2.3 256 Byte Packets Maximum 452,000 frames per second per gigabit of traffic 4.2.4 512 Byte Packets Maximum 234,000 frames per second per gigabit of traffic 4.2.5 1024 Byte Packets Maximum 119,000 frames per second per gigabit of traffic 4.2.6 1514 Byte Packets Maximum 81,000 frames per second per gigabit of traffic 4.3 Maximum Capacity The use of traffic generation equipment allows NSS engineers to create true real-world traffic at multi-gigabit speeds as a background load for the tests. The purpose of these tests is to stress the inspection engine and determine how it handles high volumes of TCP connections per second, application layer transactions per second, and concurrent open connections. All packets contain valid payload and address data, and these tests provide an excellent representation of a live network at various connection/transaction rates. The following behaviors are used as failure criteria for each of these tests: Excessive concurrent TCP connections Excessive response time for HTTP transactions Unsuccessful HTTP transactions 10

4.3.1 Theoretical Maximum Concurrent TCP Connections This test is designed to determine the maximum concurrent TCP connections of the DUT with no data passing across the connections. This type of traffic would not typically be found on a normal network, but it provides a means to determine the maximum possible concurrent connections figure. An increasing number of Layer 4 TCP sessions are opened through the DUT. Each session is opened normally and then held open for the duration of the test as additional sessions are added, up to the maximum possible. The test traffic load is increased until no further connections can be established. The maximum number of established connections is recorded. 4.3.2 Theoretical Maximum Concurrent TCP Connections with Data This test is identical to the test in section 4.3.1, but with the addition of 21 KB data, which is transmitted in 1 KB segments during the session. This ensures that the DUT is capable of passing data across the connections once they have been established. 4.3.3 Maximum TCP Connections per Second This test is designed to determine the maximum TCP connection rate of the DUT with one byte of data passing across the TCP connections. This type of traffic would not typically be found on a normal network, but it provides the means to determine the maximum possible TCP connection rate of the DUT. An increasing number of new sessions are established through the DUT and ramped slowly to determine the exact point of failure. Each session is opened normally, one byte of data is passed to the host, and then the session is closed immediately. Load is increased until one or more of the breaking points defined earlier is reached. 4.3.4 Maximum HTTP Connections per Second This test is designed to determine the maximum TCP connection rate of the DUT with a 1-byte HTTP response size. The response size defines the number of bytes contained in the body, excluding any bytes associated with the HTTP header. A 1-byte response size is designed to provide a theoretical maximum HTTP connections per second rate. Client and server are using HTTP 1.0 without keep-alive. The client will open a TCP connection, send one HTTP request, and once the request is fulfilled, close the connection. This ensures that any concurrent TCP connections that occur are a result of the latency induced by the DUT. The test traffic load is increased until one or more of the points of failure defined earlier is reached. 4.3.5 Maximum HTTP Transactions per Second This test is designed to determine the maximum HTTP transaction rate of the DUT with a 1-byte HTTP response size. The object size is the number of bytes contained in the body, excluding any bytes associated with the HTTP header. A 1-byte response size is designed to provide a theoretical maximum connections per second rate. Client and server are using HTTP 1.1 with keep-alive, and the client will open a TCP connection, send 10 HTTP requests, and close the connection. This ensures that TCP connections remain open until all 10 HTTP transactions are complete, thus eliminating the maximum connection per second rate as a bottleneck (1 TCP connection = 10 HTTP transactions). Load is increased until one or more of the breaking points defined earlier is reached. 11

Connections per Second Mbps NSS Labs Data Center Firewall Test Methodology v2.0 4.4 HTTP Capacity with No Transaction Delays The aim of these tests is to stress the HTTP detection engine and determine how the DUT copes with network loads of varying average packet size and varying connections per second. By creating genuine session-based traffic with varying session lengths, the DUT is forced to track valid TCP sessions, thus ensuring a higher workload than for simple packet-based background traffic. This provides a test environment that simulates real-world HTTP transactions in the lab, while ensuring absolute accuracy and repeatability. Each transaction consists of a single HTTP GET request and there are no transaction delays (i.e., the web server responds immediately to all requests). All packets contain valid payload (a mix of binary and ASCII objects) and address data, and this test provides an excellent representation of a live network (albeit one biased towards HTTP traffic) at various network loads. 44Kbyte Response 21Kbyte Response 10Kbyte Response Figure 1 HTTP Capacity 4.4.1 44 KB HTTP Response Size 2,500 Connections per Second Maximum 2,500 new connections per second per gigabit of traffic with a 44 KB HTTP response size maximum 140,000 packets per second per gigabit of traffic. With relatively low connection rates and large packet sizes, all hosts should be capable of performing well throughout this test. 4.4.2 21 KB HTTP Response Size 5,000 Connections per Second Maximum 5,000 new connections per second per gigabit of traffic with a 21 KB HTTP response size maximum 185,000 packets per second per gigabit of traffic. With average connection rates and average packet sizes, this is a good approximation of a real-world production network, and all hosts should be capable of performing well throughout this test. 4.4.3 10 KB HTTP Response Size 10,000 Connections per Second Maximum 10,000 new connections per second per gigabit of traffic with a 10 KB HTTP response size maximum 225,000 packets per second per gigabit of traffic. With smaller packet sizes coupled with high connection rates, this represents a very heavily used production network. 4.4.4 4.5 KB HTTP Response Size 20,000 Connections per Second 4.5Kbyte Response 1.7Kbyte Response CPS 2,500 5,000 10,000 20,000 40,000 Mbps 1,000 1,000 1,000 1,000 1,000 Maximum 20,000 new connections per second per gigabit of traffic with a 4.5 KB HTTP response size maximum 300,000 packets per second per gigabit of traffic. With small packet sizes and extremely high connection rates, this is an extreme test for any host. 12

4.4.5 1.7 KB HTTP Response Size 40,000 Connections per Second Maximum 40,000 new connections per second per gigabit of traffic with a 1.7 KB HTTP response size maximum 445,000 packets per second per gigabit of traffic. With small packet sizes and extremely high connection rates, this is an extreme test for any DUT. 4.5 Application Average Response Time: HTTP Test traffic is passed across the infrastructure switches and through all inline port pairs of the DUT simultaneously (the latency of the basic infrastructure is known and is constant throughout the tests). The results are recorded at each response size (44 KB, 21 KB, 10 KB, 4.5 KB, and 1.7 KB HTTP responses) load level of 90% of the maximum throughput with zero packet loss as previously determined in section 4.4. 4.6 HTTP Connections per Second and Capacity (with Delays) Typical user behavior introduces delays between requests and reponses; for example, think time, as users read web pages and decide which links to click next. This group of tests is identical to the previous group except that these include a 5-second delay in the server response for each transaction. This has the effect of maintaining a high number of open connections throughout the test, thus forcing the DUT to utilize additional resources to track those connections. 4.7 Real-World Traffic Where previous tests provide a pure HTTP environment with varying connection rates and average packet sizes, the goal of this test is to simulate a real-world environment by introducing additional protocols and real content, while still maintaining a precisely repeatable and consistent background traffic load. The result is a background traffic load that is closer to what may be found on a heavily-utilized normal production network. 4.7.1 Real-World Protocol Mix (Data Center Financial) Traffic is generated across the DUT comprising a protocol mix typical of that seen in a large financial institution data center. 4.7.2 Real-World Protocol Mix (Data Center Virtualization Hub) Traffic is generated across the DUT comprising a protocol mix typical of that seen in a large data center focusing on virtualization traffic (for example, VMotion, Hyper-V migration). 4.7.3 Real-World Protocol Mix (Data Center Mobile Users and Applications) Traffic is generated across the DUT comprising a protocol mix typical of that seen in a large mobile carrier. 4.7.4 Real-World Protocol Mix (Data Center Web-Based Applications and Services) Traffic is generated across the DUT comprising a protocol mix typical of that seen in a web hosting data center. 13

4.7.5 Real-World Protocol Mix (Data Center Internet Service Provider (ISP) Mix) Traffic is generated across the DUT comprising a protocol mix typical of that seen in an ISP installation covering all types of traffic. 14

5 Stability and Reliability Long-term stability is particularly important for an inline device, where failures can result in network outages. These tests verify the stability of the DUT along with its ability to maintain security effectiveness while under normal load and while enforcing security policies. Products that are not able to sustain legitimate traffic (or that crash) while under hostile attack will not pass. The DUT is required to remain operational and stable throughout these tests, and to block 100% of previously blocked traffic, raising an alert for each. If any prohibited traffic passes successfully, caused by either the volume of traffic or by the DUT failing open for any reason, this will result in a FAIL. 5.1 Blocking under Extended Attack The DUT is exposed to a constant stream of security policy violations over an extended period of time. The device is configured to block and alert, and thus this test provides an indication of the effectiveness of both the blocking and alert handling mechanisms. A continuous stream of security policy violations is transmitted through the DUT at a rate not to exceed 80% of the device s stated capacity for 8 hours with a steady stream of legitimate traffic mixed in. This test is not intended as a stress test in terms of traffic load. It is merely a reliability test in terms of consistency of its blocking performance. If any policy violations are passed, this will be considered a fail for this test. 5.2 Passing Legitimate Traffic under Extended Attack A continuous stream of legitimate traffic is transmitted through the DUT at a rate not to exceed 80% of the device s stated capacity for 8 hours with a steady stream of exploits mixed in. This test is not intended as a stress test in terms of traffic load. It is merely a reliability test in terms of consistency of passing legitimate traffic. The DUT is expected to remain operational and stable throughout this test and have no failure to pass legitimate traffic. The connection rate at the point of failure will be recorded. 5.3 Protocol Fuzzing and Mutation This test stresses the protocol stacks of the DUT by exposing it to traffic from various protocol randomizer and mutation tools. Several of the tools in this category are based on the ISIC test suite and other well-known test tools/suites. 15

5.4 Power Fail Power to the DUT is removed whilst passing a mixture of legitimate and disallowed traffic. Firewalls should always be configured to fail closed no traffic should be passed once power has been cut. 5.5 Persistence of Data The DUT should retain all configuration data, policy data, and locally logged data once it is restored to operation following power failure. 5.6 High Availability (HA) High availability (HA) is important to many enterprise customers, and this test is designed to evaluate the effectiveness of available HA options. If no HA offering is available, all results in this section will be marked as NA. 5.6.1 Failover Legitimate Traffic Two identical devices will be configured in an active-passive configuration, and legitimate traffic will be passed through the DUT at 50% of the maximum rated load as determined in section 4.4.2 (21 KB HTTP response size.) Switch connectivity to the primary device will be terminated, and the DUT will be expected to failover seamlessly with zero loss of legitimate traffic (some retransmissions are acceptable). 5.6.2 Time to Failover Time to failover to the standby device will be recorded. 5.6.3 Stateful Operation Is full state maintained across all connections throughout the period of failover? 16

6 Total Cost of Ownership and Value Organizations should be concerned with the ongoing amortized cost of operating security products. This section evaluates the costs associated with the purchase, installation, and ongoing management of the DUT, including: Product Purchase The cost of acquisition Product Maintenance The fees paid to the vendor (including software and hardware support, maintenance, and updates) Installation The time required to take the device out of the box, configure it, deploy it into the network, apply updates and patches, perform initial tuning, and set up desired logging and reporting Upkeep The time required to apply periodic updates and patches from vendors, including hardware, software, and firmware updates 17

Contact Information NSS Labs, Inc. 206 Wild Basin Rd. Building A, Suite 200 Austin, TX 78746 USA info@nsslabs.com www.nsslabs.com This and other related documents available at: www.nsslabs.com. To receive a licensed copy or report misuse, please contact NSS Labs. 2016 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e-mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. 1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. 2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information