Re: [fw-wiz] firewall stress testing tool

Hash: SHA1

Hello Pavan,

Window's firewall does not have any rate limiting features (i.e. only
500 open sessions, etc) so you can only test compliance...

I would create the policy to disallow all traffic besides port 80 with
the windows firewall. Run netstat on the windows system and use a
traffic generation tool (like the one I wrote @ imperfectnetworks ***)
to blast TCP SYN traffic from lots of spoofed hosts at port 445. Slowly
increase the rate of traffic to gig and see:

1. Did netstat get anything for RPC
2. Can I still resolve a web page under stress


***please forgive the plug but its relevant ;)

Marcus J. Ranum wrote:
pavan shah wrote:

I have configured windows 2003 server to allow only traffic to port
80.I want to check for the stability of the firewall under heavy load.
Could any one suggest any firewall stress testing tool?

There aren't any decent firewall stress testing tools out there. Obviously,
real network traffic would be the ideal test-bed. Second to that would
be replays of packets captured at a real firewall installation.

Using something like a smartbits is pointless because they're generating
synthetic traffic, which would make the firewalls that do any layer 7
processing look worse (from a performance standpoint) than the firewalls
that are doing only "stateful inspection" or "deep inspection" We saw
a lot of cooked benchmarks early in the IDS days where unscrupulous
vendors posted unrealistically high performance numbers for IDS packet
capture by using synthetic traffic that the IDS "knew" to discard. There
was the famous benchmark done by Meir Communications
in which demonstrated gigabit speed IDS with no packet
loss - as long as you threw 1 gb/s of 100K packets at TCP port 0. If
you have a firewall that (for example) is trying to do protocol state
parsing for SMTP, it'll look much worse under a synthetic test than
one that simply goes "wow, that's port 25! let it through if you see a
HELO!" Under synthetic testing a "stateful" firewall will fare extremely
well, from a performance standpoint, if all the packets are directed at
an un-established flow.

One of the ironies of "stress testing" security products is that the
ones that do LESS security processing almost always do better
under a load test. Furthermore, the ones that do LESS processing
appear to do better in terms of (let's loosely call it)"reliability" since
they will favor letting things through. I saw this back in 1995 when
one of my customers chose a "stateful" firewall over a proxy because
in synthetic testing the proxy kept terminating a non-standards-compliant
FTP command stream, whereas the "stateful" firewall was just looking
for "PORT" commands and letting everything else through. The
customer felt that the "stateful" firewall was "better" because it was
"more reliable" - meaning "easier to get through." So, if you're stress
testing for "reliability" you need to ask yourself, first, what exactly
you mean by "reliable." It keeps coming back to the eternal trade-off
between performance and accessibility on one hand versus conservative
design and security on the other.


firewall-wizards mailing list

Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Fedora -

firewall-wizards mailing list