Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Testing Update Paul Schopis

Published byHenry McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "Firewall Testing Update Paul Schopis"— Presentation transcript:

1 Firewall Testing Update Paul Schopis pschopis@itecohio.org

2 Overview Problem Statement Participants Problem Classification Scope of Current Testing Preliminary Results

3 Participants Terri Beamer – Denison (Check Point) Joe Simpson – Miami ( PIX ) Tom Ridgeway – UC (PIX) Greg Trefz – Stratacache (Packeteer) Gene Bassin/Jason MacDonald – OARnet IOS Firewall

4 Reported Problems H.323 won’t work at all. Connection gets made but performance is not good. H.323 seems to be in a state of flux e.g. it changes over time (can get better or worse).

5 So what are the problems? Protocol Specific –Firewall assumes it is an attack –NAT is generally bad for H.323 Packet Handling –Does firewall exceed necessary parameters for good performance to meet security need? Network in Conjunction with other two –Traffic Bursts

6 Scope of Current Testing We know what is necessary for good H.323 sessions –http://www.adec.edu/nsf/Traffic%20draftv3. 0.pdfhttp://www.adec.edu/nsf/Traffic%20draftv3. 0.pdf –http://www.adec.edu/nsf/Summary%20Test %20H.323.v7.pdfhttp://www.adec.edu/nsf/Summary%20Test %20H.323.v7.pdf Is it simply a case of poor performance at the packet layer?

7 Basic Testing Procedure Use Smartbits 600 with SmartFlow and SmartWindow Added VoIP PSQM for further insight Find effective throughput without filtering e.g. baseline Test by systematically varying allowed/denied traffic ratio to find performance bounds.

8 Preliminary Results Cisco 2651 Running IOS Firewall Suite Version 12.2(7c) –2600-dos3s-mz.122-7c.bin Tested on two Fastethernet ports

9 Raw Throughput Max @ 1518 Byte Frames (Including ethernet header and FCS fields) 27.578 Mbps Min @ 64 Byte Frames 12.109 Mbps

10

11 Raw Latency Jitter = Max - Min Max Jitter @ 128 Byte packet 10 Mbps Load 118ms Min Jitter @ 256 Byte Packet 20 Mbps Load 1ms Packet Sizes 128-1518 bulk of 10-50ms Latency 1152 at 10-20 Mbps down ward shift

12

13

14

15 Throughput Filtered Max @ 1518 Byte Packet 20Mbps – ~26% hit Min @ 64 Byte Packet 4.375 Mbps – ~67% hit

16

17 Latency Filtered Max @ 64 Byte Packet 20 % load 57ms Jitter Min @ 64 Byte Packet 10% Load less than 1ms Latency Distribution –100-50ms below 128 Bytes –50-10ms around 256 –100-50ms at 1024 bytes

18

19

20

21 Throughput Mix 20/5 –Max @ 1518 Byte Packets is 20 Mbps –Min @ 64 Byte Packets is 2.687 Mbps 15/10 –Max @ 1518 Byte Packets 11.875 Mbps –Min @ 64 Byte Packets is 1.562 Mbps 10/15 – Router dies

22

23

24

25 Jitter Mix 20/5 –Max @ 64 Byte Packets is 135ms STD 6.234 ms –Min @ 512 Byte Packets is 6ms STD 2.295 ms 15/10 –Max @ 64 Bytes is 112ms STD 5.6 ms –Min @ 1280 Bytes is 12 ms STD 6.206 ms 10/15 –Death

26 Latency Distribution Mix 20/5 –Lt 512 is 50-100ms range 15/10 –Ditto

27

28

29

30

31 PSQM 0 is best 6.5 is worst Not real measure for H.323 but might help give insight G.711 ulaw = 218 byte frames e.g. four codec frames per packet It is less than 1% of traffic

32 64 byte background

33 128 Byte Background

34 256 Byte Background

35 512 Byte Background

36 1024 & 1518 Byte Background

Download ppt "Firewall Testing Update Paul Schopis"

Similar presentations

U.S. Army Research Laboratory

U.S. Army Research Laboratory
Access Control List (ACL)

Access Control List (ACL)
A Full Bandwidth ATM Firewall Olivier Paul, Maryline Laurent, Sylvain Gombault ENST de Bretagne in collaboration with France Telecom R&D DRET.

A Full Bandwidth ATM Firewall Olivier Paul, Maryline Laurent, Sylvain Gombault ENST de Bretagne in collaboration with France Telecom R&D DRET.
Telecommunications Industry AssociationTR-30.3/06-05-011.

Telecommunications Industry AssociationTR-30.3/
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
Bridging. Bridge Functions To extend size of LANs either geographically or in terms number of users. − Protocols that include collisions can be performed.

Bridging. Bridge Functions To extend size of LANs either geographically or in terms number of users. − Protocols that include collisions can be performed.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.

Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.
Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University, Australia.

Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University, Australia.
Reduced TCP Window Size for Legacy LAN QoS II Niko Färber Sept. 20, 2000.

Reduced TCP Window Size for Legacy LAN QoS II Niko Färber Sept. 20, 2000.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.

ISCSI Performance in Integrated LAN/SAN Environment Li Yin U.C. Berkeley.
ROYAL PALM NETWORK PROJECT John Healy Tom Jamieson

ROYAL PALM NETWORK PROJECT John Healy Tom Jamieson
VLANs (Virtual LANs) CS 158B Elaine Lim Allison Nham.

VLANs (Virtual LANs) CS 158B Elaine Lim Allison Nham.
Impact of BGP Dynamics on Intra-Domain Traffic Patterns in the Sprint IP Backbone Sharad Agarwal, Chen-Nee Chuah, Supratik Bhattacharyya, Christophe Diot.

Impact of BGP Dynamics on Intra-Domain Traffic Patterns in the Sprint IP Backbone Sharad Agarwal, Chen-Nee Chuah, Supratik Bhattacharyya, Christophe Diot.
PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.

PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.
Introduction. 2 What Is SmartFlow? SmartFlow is the first application to test QoS and analyze the performance and behavior of the new breed of policy-based.

Introduction. 2 What Is SmartFlow? SmartFlow is the first application to test QoS and analyze the performance and behavior of the new breed of policy-based.
K. Salah 1 Chapter 28 VoIP or IP Telephony. K. Salah 2 VoIP Architecture and Protocols Uses one of the two multimedia protocols SIP (Session Initiation.

K. Salah 1 Chapter 28 VoIP or IP Telephony. K. Salah 2 VoIP Architecture and Protocols Uses one of the two multimedia protocols SIP (Session Initiation.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Doc.: IEEE 802.11-13/0728r1 SubmissionSlide 1 Network Optimization for Expected HEW Traffic Patterns Date: 2013-07 Authors: W.Carney, K.Agardh, H.Suzuki.

Doc.: IEEE /0728r1 SubmissionSlide 1 Network Optimization for Expected HEW Traffic Patterns Date: Authors: W.Carney, K.Agardh, H.Suzuki.

Similar presentations

Ads by Google