Firewall Testing Update
Paul Schopis, pschopis@itecohio.org
Overview
• Problem Statement
• Participants
• Problem Classification
• Scope of Current Testing
• Preliminary Results
Participants
• Terri Beamer – Denison (Check Point)
• Joe Simpson – Miami (PIX)
• Tom Ridgeway – UC (PIX)
• Greg Trefz – Stratacache (Packeteer)
• Gene Bassin/Jason MacDonald – OARnet (IOS Firewall)
Reported Problems
• H.323 won’t work at all.
• Connection gets made but performance is not good.
• H.323 seems to be in a state of flux, i.e. behaviour changes over time (it can get better or worse).
So what are the problems?
• Protocol specific
– Firewall assumes it is an attack
– NAT is generally bad for H.323
• Packet handling
– Does the firewall, in order to meet the security need, push the packet-level parameters (throughput, latency, jitter) beyond what good performance allows?
• Network, in conjunction with the other two
– Traffic bursts
Scope of Current Testing
• We know what is necessary for good H.323 sessions:
– http://www.adec.edu/nsf/Traffic%20draftv3.0.pdf
– http://www.adec.edu/nsf/Summary%20Test%20H.323.v7.pdf
• Is it simply a case of poor performance at the packet layer?
Basic Testing Procedure
• Use SmartBits 600 with SmartFlow and SmartWindow
• Added VoIP PSQM for further insight
• Find effective throughput without filtering, i.e. the baseline
• Test by systematically varying the allowed/denied traffic ratio to find the performance bounds
Preliminary Results
• Cisco 2651
• Running IOS Firewall Suite
• Version 12.2(7c)
– 2600-dos3s-mz.122-7c.bin
• Tested on two Fast Ethernet ports
Raw Throughput
• Max @ 1518-byte frames (including Ethernet header and FCS fields): 27.578 Mbps
• Min @ 64-byte frames: 12.109 Mbps
Raw Latency
• Jitter = Max - Min
• Max jitter @ 128-byte packets, 10 Mbps load: 118 ms
• Min jitter @ 256-byte packets, 20 Mbps load: 1 ms
• Packet sizes 128-1518 bytes: bulk of latency in the 10-50 ms range
• 1152-byte packets at 10-20 Mbps load: downward shift in latency
Throughput Filtered
• Max @ 1518-byte packets: 20 Mbps (~26% hit)
• Min @ 64-byte packets: 4.375 Mbps (~67% hit)
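The throughput figures above are given in Mbps, but a software router like the 2651 is limited by how many frames it can forward per second, so the same figures say more once converted to frames per second. The script below is an added example, not from the original slides or the SmartBits software: it takes the Raw Throughput and Throughput Filtered numbers (Mbps counted in frame bytes including Ethernet header and FCS, as the Raw Throughput slide states) and derives frames per second, the Fast Ethernet line rate for the same frame size, the average forwarding time per frame at saturation, and the percentage hit from filtering. It also reproduces the 218-byte G.711 u-law frame quoted on the PSQM slide. The 8-byte preamble plus 12-byte inter-frame gap used for the line-rate figure, and the 5 ms codec frame assumed for G.711, are assumptions, not figures from the slides.

```python
"""Frame-size accounting for the deck's throughput numbers.

Added example, not from the original slides.  Measured throughputs are copied
from the Raw Throughput and Throughput Filtered slides; the frame sizes 64 and
1518 are the two ends of the standard RFC 2544 sweep the SmartBits runs.
"""

# Measured figures copied from the slides (Mbps, counted in frame bytes
# including Ethernet header and FCS).
UNFILTERED_MBPS = {64: 12.109, 1518: 27.578}
FILTERED_MBPS = {64: 4.375, 1518: 20.0}

# Assumption: per-frame wire overhead that the frame size does not include,
# i.e. the 8-byte preamble/SFD and the 12-byte (96 bit-time) inter-frame gap.
PREAMBLE_BYTES = 8
IFG_BYTES = 12
FAST_ETHERNET_BPS = 100_000_000


def frames_per_second(mbps: float, frame_bytes: int) -> float:
    """Frames/s implied by a throughput measured in frame bytes."""
    return mbps * 1_000_000 / (frame_bytes * 8)


def line_rate_fps(frame_bytes: int, link_bps: int = FAST_ETHERNET_BPS) -> float:
    """Theoretical maximum frames/s on the link for this frame size."""
    return link_bps / ((frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8)


def percent_hit(before_mbps: float, after_mbps: float) -> float:
    """Percentage of throughput lost when filtering is switched on."""
    return 100.0 * (before_mbps - after_mbps) / before_mbps


def per_frame_cost_us(mbps: float, frame_bytes: int) -> float:
    """Average time per forwarded frame in microseconds, assuming the device
    was saturated (so the frames/s figure is its ceiling, not the offered load)."""
    return 1_000_000 / frames_per_second(mbps, frame_bytes)


def g711_frame_bytes(codec_frames: int = 4, codec_frame_ms: int = 5) -> int:
    """Ethernet frame size of a G.711 u-law packet carrying N codec frames.

    G.711 is 64 kbit/s, i.e. 8 bytes per millisecond of audio; the headers are
    RTP (12) + UDP (8) + IPv4 (20) + Ethernet (14) + FCS (4).  The 5 ms codec
    frame is an assumption; four of them give the 20 ms packet that yields the
    218 bytes on the PSQM slide.
    """
    payload = codec_frames * codec_frame_ms * 8
    return payload + 12 + 8 + 20 + 14 + 4


def report() -> dict:
    """Per frame size: raw and filtered frames/s, line rate, hit and per-frame cost."""
    out = {}
    for size in sorted(UNFILTERED_MBPS):
        raw, filt = UNFILTERED_MBPS[size], FILTERED_MBPS[size]
        out[size] = {
            "raw_fps": frames_per_second(raw, size),
            "filtered_fps": frames_per_second(filt, size),
            "line_rate_fps": line_rate_fps(size),
            "hit_pct": percent_hit(raw, filt),
            "filtered_us_per_frame": per_frame_cost_us(filt, size),
        }
    return out


if __name__ == "__main__":
    for size, r in report().items():
        print(f"{size:5d} B: raw {r['raw_fps']:8.0f} fps, filtered {r['filtered_fps']:8.0f} fps "
              f"(line rate {r['line_rate_fps']:7.0f} fps), hit {r['hit_pct']:.1f}%, "
              f"{r['filtered_us_per_frame']:.0f} us/frame")
    print("G.711 u-law, four codec frames per packet:", g711_frame_bytes(), "bytes")
```

Computed from the two throughput pairs as printed, the hits come out at about 27% and 64%, slightly different from the rounded ~26% and ~67% on the slide. The number that matters for H.323 is the frames-per-second ceiling: with filtering on, 64-byte frames are forwarded at roughly 8.5 kframes/s, about a third of the unfiltered rate and well under the 148 kframes/s the link could carry, while 1518-byte frames keep about three quarters of theirs. A media stream of small packets pays far more for the same rule set than a bulk transfer does.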
Latency Filtered
• Max @ 64-byte packets, 20% load: 57 ms jitter
• Min @ 64-byte packets, 10% load: less than 1 ms
• Latency distribution
– 50-100 ms below 128 bytes
– 10-50 ms around 256 bytes
– 50-100 ms at 1024 bytes
Throughput Mix
• 20/5 allowed/denied
– Max @ 1518-byte packets: 20 Mbps
– Min @ 64-byte packets: 2.687 Mbps
• 15/10 allowed/denied
– Max @ 1518-byte packets: 11.875 Mbps
– Min @ 64-byte packets: 1.562 Mbps
• 10/15 allowed/denied: router dies
Jitter Mix
• 20/5 allowed/denied
– Max @ 64-byte packets: 135 ms, STD 6.234 ms
– Min @ 512-byte packets: 6 ms, STD 2.295 ms
• 15/10 allowed/denied
– Max @ 64-byte packets: 112 ms, STD 5.6 ms
– Min @ 1280-byte packets: 12 ms, STD 6.206 ms
• 10/15 allowed/denied: death (router dies)
Latency Distribution Mix
• 20/5 allowed/denied: below 512 bytes, latency is in the 50-100 ms range
• 15/10 allowed/denied: same as 20/5
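The latency slides report three things: jitter as max minus min (defined on the Raw Latency slide), a standard deviation (the STD figures on the Jitter Mix slide), and a count of frames per latency band (the distribution slides). The script below is an added example, not from the original slides or the SmartBits software, showing how those summaries are produced from per-frame latency samples. The two sample sets are constructed for illustration, not measured data; the 64-byte set is shaped so that its max-minus-min equals the 57 ms on the Latency Filtered slide. It also computes the RFC 3550 interarrival jitter for comparison, because max-minus-min is set by a single outlier frame, whereas an RTP endpoint's jitter buffer tracks the smoothed value, so the two can disagree on how bad a run actually is for a call.

```python
"""Latency summaries the way the deck reports them, plus RFC 3550 jitter.

Added example, not from the original slides.  Samples are constructed.
"""
import statistics
from collections import Counter

# Constructed per-frame one-way latencies in ms for two hypothetical runs,
# mimicking the deck's pattern: small frames spread widely with a tail,
# larger frames sit in a tight cluster.  Not measured data.
SAMPLES_MS = {
    "64B_20pct_load": [12, 14, 15, 18, 22, 25, 31, 40, 48, 55, 61, 69],
    "512B_20pct_load": [30, 31, 31, 32, 33, 33, 34, 34, 35, 36, 36, 36],
}

# Latency bands as used on the distribution slides (lower bound inclusive).
BANDS = [
    (0, 10, "<10ms"),
    (10, 50, "10-50ms"),
    (50, 100, "50-100ms"),
    (100, float("inf"), ">100ms"),
]


def jitter_max_min(latencies):
    """Jitter as the Raw Latency slide defines it: max - min."""
    return max(latencies) - min(latencies)


def rfc3550_jitter(latencies):
    """Interarrival jitter per RFC 3550 section 6.4.1.

    D(i,j) is the difference between consecutive transit times, so with
    one-way latencies in hand it is simply the difference of consecutive
    samples; J is a running mean of |D| with gain 1/16.
    """
    j = 0.0
    for prev, cur in zip(latencies, latencies[1:]):
        j += (abs(cur - prev) - j) / 16
    return j


def band_of(ms):
    """Label of the latency band a sample falls in."""
    for lo, hi, label in BANDS:
        if lo <= ms < hi:
            return label
    raise ValueError(f"negative latency {ms}")


def distribution(latencies):
    """Number of samples per band, keyed by band label, zero-filled."""
    counts = Counter(band_of(x) for x in latencies)
    return {label: counts.get(label, 0) for _, _, label in BANDS}


def summarize(latencies):
    """The figures a slide would quote for one frame-size/load combination."""
    return {
        "min_ms": min(latencies),
        "max_ms": max(latencies),
        "jitter_max_min_ms": jitter_max_min(latencies),
        "stdev_ms": statistics.stdev(latencies),
        "rfc3550_jitter_ms": rfc3550_jitter(latencies),
        "distribution": distribution(latencies),
    }


if __name__ == "__main__":
    for name, lat in SAMPLES_MS.items():
        s = summarize(lat)
        print(f"{name}: jitter(max-min) {s['jitter_max_min_ms']} ms, "
              f"STD {s['stdev_ms']:.3f} ms, RFC3550 {s['rfc3550_jitter_ms']:.2f} ms, "
              f"bands {s['distribution']}")
```

Run on the constructed samples, the 64-byte set shows 57 ms max-minus-min jitter with nine frames in the 10-50 ms band and three in 50-100 ms, while the 512-byte set shows 6 ms with every frame in 10-50 ms. The RFC 3550 value for the small-frame run is much lower than 57 ms because the excursion builds up gradually; a run with the same max and min but abrupt swings would score higher on RFC 3550 and identically on max-minus-min, which is why both are worth reporting when judging a firewall for H.323.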
PSQM
• 0 is best
• 6.5 is worst
• Not a real measure for H.323, but it might help give insight
• G.711 u-law = 218-byte frames, i.e. four codec frames per packet (160 bytes of audio plus RTP, UDP, IP and Ethernet headers and FCS)
• It is less than 1% of the traffic
64-byte background
128-byte background
256-byte background
512-byte background
1024- and 1518-byte background