SyFi: A Systematic Approach for Estimating Stateful Firewall Performance

  • Conference paper
Passive and Active Measurement (PAM 2012)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 7192)

Abstract

Due to the lack of a standardized methodology for reporting firewall performance, current datasheets are designed for marketing and provide inflated throughput measurements obtained under unrealistic scenarios. As a result, customers lack usable metrics to select a device that best meets their needs.

In this paper, we develop a systematic approach to estimate the performance offered by stateful firewalls. To do so, we first conduct extensive experiments with two enterprise firewalls in a wide range of configurations and traffic profiles to identify the characteristics of a network’s traffic that affect firewall performance. Based on the observations from our measurements, we develop a model that can estimate the expected performance of a particular stateful firewall when deployed in a customer’s network. Our model ties together a succinct set of network traffic characteristics and firewall benchmarks. We validate our model with a third enterprise-grade firewall, and find that it predicts firewall throughput with less than 6-10% error across a range of traffic profiles.




© 2012 Springer-Verlag Berlin Heidelberg


Beyene, Y., Faloutsos, M., Madhyastha, H.V. (2012). SyFi: A Systematic Approach for Estimating Stateful Firewall Performance. In: Taft, N., Ricciato, F. (eds) Passive and Active Measurement. PAM 2012. Lecture Notes in Computer Science, vol 7192. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28537-0_8

  • DOI: https://doi.org/10.1007/978-3-642-28537-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28536-3

  • Online ISBN: 978-3-642-28537-0
