SyFi: A Systematic Approach for Estimating Stateful Firewall Performance

  • Yordanos Beyene
  • Michalis Faloutsos
  • Harsha V. Madhyastha
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7192)


Due to the lack of a standardized methodology for reporting firewall performance, current datasheets are designed for marketing and provide inflated throughput measurements obtained under unrealistic scenarios. As a result, customers lack usable metrics to select a device that best meets their needs.

In this paper, we develop a systematic approach to estimate the performance offered by stateful firewalls. To do so, we first conduct extensive experiments with two enterprise firewalls in a wide range of configurations and traffic profiles to identify the characteristics of a network’s traffic that affect firewall performance. Based on the observations from our measurements, we develop a model that can estimate the expected performance of a particular stateful firewall when deployed in a customer’s network. Our model ties together a succinct set of network traffic characteristics and firewall benchmarks. We validate our model with a third enterprise-grade firewall, and find that it predicts firewall throughput with less than 6-10% error across a range of traffic profiles.







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yordanos Beyene (1)
  • Michalis Faloutsos (1)
  • Harsha V. Madhyastha (1)
  1. Department of Computer Science and Engineering, UC Riverside, USA