Re: [fw-wiz] Firewall rules order and performance

I've done this in the past with professional test equipment like SmartBits
or Web Avalanche that was able to measure performance, latency, connection
rates, etc.

The challenge was establishing unique connections from multiple MAC & IP
addresses to emulate real endpoints, and not just alias multiple IPs on the
same NIC. Mostly because of the ARP process prior to making a connection.
It's a lot faster making 65,000 connections from 1 MAC/IP to another than 10
connections to 6,500 unique MAC/IP/Src/Dest combinations.
The test gear could simulate real hosts with unique MAC & IP addrs.

We tested 1, 10, 100, 1000 & 10000 rules, all with different IP/port
combinations. UDP & TCP with different packets sizes, etc.

I was representing a now defunct product at the time, but the product faired
pretty well because the rule matches where a tree lookup to select the rule.
The overall difference between number of rules on our product was pretty
negligible, but it did a lot better than checkpoint at the time.

AIR, the rule selection wasn't the bottleneck, the number of already
established connections in the kernel was the primary factor. You'd plateau
after a certain point as new connections were trying to allocate the memory.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-
wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Pierre Blanchet
Sent: Friday, July 17, 2009 10:52 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall rules order and performance

This is a well known idea that the rules order is important for the best
performance of a firewall. However, nowadays:
1. Stateful firewalls use their stateful engine for existing connections
to allow traffic. That means that their performance is more related to the
number of existing sessions rather than the number of rules, or more
exactly it is tied to the ratio new/existing sessions.
2. Some firewalls no longer parse the configuration line by line but use
hardware-based or tree-based model. Again, the number of rules has less
effect on the performance.

I'm looking for benchmarks/ideas that could prove I'm right or wrong. I
know for sure that FW-1 and IOS depend on the rules order but what about
the others ? Google didn't give any information one way or the other.

Pierre Blanchet
firewall-wizards mailing list

firewall-wizards mailing list