Re: [fw-wiz] firewall stress testing tool




Hello Pavan,

Windows' firewall does not have any rate limiting features (i.e. only
500 open sessions, etc.) so you can only test compliance...

I would create the policy to disallow all traffic besides port 80 with
the Windows firewall. Run netstat on the Windows system and use a
traffic generation tool (like the one I wrote @ imperfectnetworks ***)
to blast TCP SYN traffic from lots of spoofed hosts at port 445. Slowly
increase the rate of traffic to gig and see:

1. Did netstat get anything for RPC
2. Can I still resolve a web page under stress

Phil

***please forgive the plug but it's relevant ;)

Marcus J. Ranum wrote:
pavan shah wrote:

I have configured Windows 2003 server to allow only traffic to port
80. I want to check for the stability of the firewall under heavy load.
Could anyone suggest any firewall stress testing tool?


There aren't any decent firewall stress testing tools out there. Obviously,
real network traffic would be the ideal test-bed. Second to that would
be replays of packets captured at a real firewall installation.

Using something like a smartbits is pointless because they're generating
synthetic traffic, which would make the firewalls that do any layer 7
processing look worse (from a performance standpoint) than the firewalls
that are doing only "stateful inspection" or "deep inspection." We saw
a lot of cooked benchmarks early in the IDS days where unscrupulous
vendors posted unrealistically high performance numbers for IDS packet
capture by using synthetic traffic that the IDS "knew" to discard. There
was the famous intrusion.com benchmark done by Meir Communications
in which intrusion.com demonstrated gigabit speed IDS with no packet
loss - as long as you threw 1 gb/s of 100K packets at TCP port 0. If
you have a firewall that (for example) is trying to do protocol state
parsing for SMTP, it'll look much worse under a synthetic test than
one that simply goes "wow, that's port 25! let it through if you see a
HELO!" Under synthetic testing a "stateful" firewall will fare extremely
well, from a performance standpoint, if all the packets are directed at
an un-established flow.

One of the ironies of "stress testing" security products is that the
ones that do LESS security processing almost always do better
under a load test. Furthermore, the ones that do LESS processing
appear to do better in terms of (let's loosely call it) "reliability" since
they will favor letting things through. I saw this back in 1995 when
one of my customers chose a "stateful" firewall over a proxy because
in synthetic testing the proxy kept terminating a non-standards-compliant
FTP command stream, whereas the "stateful" firewall was just looking
for "PORT" commands and letting everything else through. The
customer felt that the "stateful" firewall was "better" because it was
"more reliable" - meaning "easier to get through." So, if you're stress
testing for "reliability" you need to ask yourself, first, what exactly
you mean by "reliable." It keeps coming back to the eternal trade-off
between performance and accessibility on one hand versus conservative
design and security on the other.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




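Phil's first check above (after locking the policy down to port 80, did netstat show anything for RPC?) can be scripted as a compliance check over the netstat output taken during the run. This is an added example, not code from the thread or from Phil's traffic tool; the netstat lines are constructed sample output in Windows `netstat -an` format, and the allowed-port set is the only policy it knows about.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed sample of Windows "netstat -an" output captured during a
# test run (not from a real system). The policy under test allows inbound
# TCP/80 only, so the port-445 SYN_RECEIVED row is what the check is for.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:51234         ESTABLISHED
  TCP    192.168.1.10:445       10.0.0.77:4021         SYN_RECEIVED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, foreign address, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def local_port(addr: str) -> int:
    """Port of a netstat address; handles "0.0.0.0:80" and IPv6 "[::]:80"."""
    return int(addr.rsplit(":", 1)[1])


def policy_violations(netstat_text: str,
                      allowed_ports: FrozenSet[int] = frozenset({80})
                      ) -> List[Tuple[str, int, str, str]]:
    """Return TCP rows with a peer (a packet reached the stack) on a local
    port the policy should have blocked. LISTENING rows are skipped: the
    listener exists whatever the firewall does; what matters is whether
    anything got through to it."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank, or unrecognised row
        proto, local, foreign, state = m.groups()
        if proto != "TCP" or state == "LISTENING":
            continue
        port = local_port(local)
        if port not in allowed_ports:
            hits.append((proto, port, foreign, state))
    return hits


if __name__ == "__main__":
    for proto, port, peer, state in policy_violations(SAMPLE_NETSTAT):
        print(f"policy breach: {proto}/{port} from {peer} in state {state}")
```

Run it against a fresh `netstat -an` capture at each traffic step; an empty result at a given rate means the policy held, and any row it prints is a session the firewall should not have admitted.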


