1 / 36

Firewall Testing Update

Firewall Testing Update. Paul Schopis pschopis@itecohio.org. Overview. Problem Statement Participants Problem Classification Scope of Current Testing Preliminary Results. Participants. Terri Beamer – Denison (Check Point) Joe Simpson – Miami ( PIX ) Tom Ridgeway – UC (PIX)

krista
Download Presentation

Firewall Testing Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Firewall Testing Update Paul Schopis pschopis@itecohio.org

  2. Overview • Problem Statement • Participants • Problem Classification • Scope of Current Testing • Preliminary Results

  3. Participants • Terri Beamer – Denison (Check Point) • Joe Simpson – Miami ( PIX ) • Tom Ridgeway – UC (PIX) • Greg Trefz – Stratacache (Packeteer) • Gene Bassin/Jason MacDonald – OARnet IOS Firewall

  4. Reported Problems • H.323 won’t work at all. • Connection gets made but performance is not good. • H.323 seems to be in a state of flux e.g. it changes over time (can get better or worse).

  5. So what are the problems? • Protocol Specific • Firewall assumes it is an attack • NAT is generally bad for H.323 • Packet Handling • Does firewall exceed necessary parameters for good performance to meet security need? • Network in Conjunction with other two • Traffic Bursts

  6. Scope of Current Testing • We know what is necessary for good H.323 sessions • http://www.adec.edu/nsf/Traffic%20draftv3.0.pdf • http://www.adec.edu/nsf/Summary%20Test%20H.323.v7.pdf • Is it simply a case of poor performance at the packet layer?

  7. Basic Testing Procedure • Use Smartbits 600 with SmartFlow and SmartWindow • Added VoIP PSQM for further insight • Find effective throughput without filtering e.g. baseline • Test by systematically varying allowed/denied traffic ratio to find performance bounds.

  8. Preliminary Results • Cisco 2651 • Running IOS Firewall Suite • Version 12.2(7c) • 2600-dos3s-mz.122-7c.bin • Tested on two Fastethernet ports

  9. Raw Throughput • Max @ 1518 Byte Frames (Including ethernet header and FCS fields) 27.578 Mbps • Min @ 64 Byte Frames 12.109 Mbps

  10. Raw Latency • Jitter = Max - Min • Max Jitter @ 128 Byte packet 10 Mbps Load 118ms • Min Jitter @ 256 Byte Packet 20 Mbps Load 1ms • Packet Sizes 128-1518 bulk of 10-50ms Latency • 1152 at 10-20 Mbps down ward shift

  11. Throughput Filtered • Max @ 1518 Byte Packet 20Mbps • ~26% hit • Min @ 64 Byte Packet 4.375 Mbps • ~67% hit

  12. Latency Filtered • Max @ 64 Byte Packet 20 % load 57ms Jitter • Min @ 64 Byte Packet 10% Load less than 1ms • Latency Distribution • 100-50ms below 128 Bytes • 50-10ms around 256 • 100-50ms at 1024 bytes

  13. Throughput Mix • 20/5 • Max @ 1518 Byte Packets is 20 Mbps • Min @ 64 Byte Packets is 2.687 Mbps • 15/10 • Max @ 1518 Byte Packets 11.875 Mbps • Min @ 64 Byte Packets is 1.562 Mbps • 10/15 • Router dies

  14. Jitter Mix • 20/5 • Max @ 64 Byte Packets is 135ms STD 6.234 ms • Min @ 512 Byte Packets is 6ms STD 2.295 ms • 15/10 • Max @ 64 Bytes is 112ms STD 5.6 ms • Min @ 1280 Bytes is 12 ms STD 6.206 ms • 10/15 • Death

  15. Latency Distribution Mix • 20/5 • Lt 512 is 50-100ms range • 15/10 • Ditto

  16. PSQM • 0 is best • 6.5 is worst • Not real measure for H.323 but might help give insight • G.711 ulaw = 218 byte frames e.g. four codec frames per packet • It is less than 1% of traffic

  17. 64 byte background

  18. 128 Byte Background

  19. 256 Byte Background

  20. 512 Byte Background

  21. 1024 & 1518 Byte Background

More Related