Firewall Testing Update Paul Schopis
Overview
- Problem Statement
- Participants
- Problem Classification
- Scope of Current Testing
- Preliminary Results

Participants
- Terri Beamer – Denison (Check Point)
- Joe Simpson – Miami (PIX)
- Tom Ridgeway – UC (PIX)
- Greg Trefz – Stratacache (Packeteer)
- Gene Bassin/Jason MacDonald – OARnet (IOS Firewall)

Reported Problems
- H.323 won't work at all.
- Connection gets made but performance is not good.
- H.323 seems to be in a state of flux, i.e. it changes over time (can get better or worse).

So what are the problems?
- Protocol Specific
  – Firewall assumes it is an attack
  – NAT is generally bad for H.323
- Packet Handling
  – Does meeting the security need push the firewall past the packet-handling limits required for good performance?
- Network in conjunction with the other two
  – Traffic Bursts

Scope of Current Testing
- We know what is necessary for good H.323 sessions:
  – http:// 0.pdf
  – http:// %20H.323.v7.pdf
- Is it simply a case of poor performance at the packet layer?

Basic Testing Procedure
- Use SmartBits 600 with SmartFlow and SmartWindow
- Added VoIP PSQM for further insight
- Find effective throughput without filtering, i.e. the baseline
- Test by systematically varying the allowed/denied traffic ratio to find the performance bounds.

Preliminary Results
- Cisco 2651 running IOS Firewall Suite Version 12.2(7c)
  – 2600-dos3s-mz.122-7c.bin
- Tested on two FastEthernet ports

Raw Throughput
- 1518 Byte Frames (including Ethernet header and FCS fields): Mbps
- 64 Byte Frames: Mbps

Raw Latency
- Jitter = Max - Min
- Max: 128 Byte packet, 10 Mbps load, 118ms
- Min: 256 Byte packet, 20 Mbps load, 1ms
- Packet sizes: bulk of 10-50ms latency
- 1152 at Mbps: downward shift

Throughput Filtered
- 1518 Byte Packet: 20 Mbps – ~26% hit
- 64 Byte Packet: Mbps – ~67% hit

Latency Filtered
- 64 Byte Packet, 20% load: 57ms
- Jitter, 64 Byte Packet, 10% load: less than 1ms
- Latency Distribution
  – 100-50ms below 128 Bytes
  – 50-10ms around 256
  – 100-50ms at 1024 bytes
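An added example, not part of the presentation, showing how the figures the testing procedure produces are derived: the throughput "hit" of filtering relative to the unfiltered baseline, jitter as max minus min latency, the latency bands used on the distribution slides, and the search for the first allowed/denied mix that falls below a throughput floor. The latency samples, the 27 Mbps baseline and the mix results are constructed values, not the presenter's measurements.

```python
from statistics import mean, pstdev

# Constructed per-frame-size latency samples in ms, standing in for what a
# SmartFlow run would report; they are not the presentation's measurements.
SAMPLE_LATENCY_MS = {
    64:   [55.0, 57.0, 56.2, 110.5, 54.0],
    512:  [12.0, 14.5, 13.1, 18.0, 12.9],
    1518: [30.0, 31.0, 32.5, 29.8, 30.7],
}

def throughput_hit_percent(baseline_mbps, filtered_mbps):
    """Throughput lost once filtering is on, relative to the unfiltered baseline."""
    if baseline_mbps <= 0:
        raise ValueError("baseline throughput must be positive")
    return round(100.0 * (baseline_mbps - filtered_mbps) / baseline_mbps, 1)

def jitter_ms(samples):
    """Jitter as the slides define it: maximum latency minus minimum latency."""
    return max(samples) - min(samples)

def latency_summary(samples):
    """Min/max/jitter plus mean and population std deviation, as on the Jitter Mix slide."""
    return {"min": min(samples), "max": max(samples), "jitter": jitter_ms(samples),
            "mean": round(mean(samples), 2), "std": round(pstdev(samples), 2)}

def latency_band(mean_ms):
    """Bucket a mean latency into the bands the Latency Distribution slide uses."""
    if mean_ms >= 50:
        return "100-50ms"
    if mean_ms >= 10:
        return "50-10ms"
    return "lt 10ms"

def distribution_by_size(latencies=SAMPLE_LATENCY_MS):
    """Map each frame size to its latency band."""
    return {size: latency_band(mean(s)) for size, s in latencies.items()}

def first_failing_mix(results, floor_mbps):
    """Walk (allowed/denied mix, filtered Mbps) pairs in test order and return
    the first mix whose throughput drops below the floor (None if all pass)."""
    for mix, mbps in results:
        if mbps < floor_mbps:
            return mix
    return None

if __name__ == "__main__":
    print("hit at 1518 bytes:", throughput_hit_percent(27.0, 20.0), "%")
    for size, samples in SAMPLE_LATENCY_MS.items():
        print(size, latency_summary(samples))
    print(distribution_by_size())
    print("first failing mix:", first_failing_mix([("20/5", 20.0), ("15/10", 18.0), ("10/15", 0.0)], 5.0))
```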

Throughput Mix
- 20/ : Byte Packets is 20 Mbps; 64 Byte Packets is Mbps
- 15/ : Byte Packets Mbps; 64 Byte Packets is Mbps
- 10/15 – Router dies

Jitter Mix
- 20/5
  – 64 Byte Packets is 135ms, STD ms
  – 512 Byte Packets is 6ms, STD ms
- 15/10
  – 64 Bytes is 112ms, STD 5.6 ms
  – 1280 Bytes is 12 ms, STD ms
- 10/15 – Death

Latency Distribution Mix
- 20/5 – Lt 512 is ms range
- 15/10 – Ditto

PSQM
- 0 is best, 6.5 is worst
- Not a real measure for H.323 but might help give insight
- G.711 ulaw = 218 byte frames, i.e. four codec frames per packet
- It is less than 1% of traffic
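An added example, not from the presentation, that reconstructs the 218-byte G.711 u-law frame quoted above from its layer headers and works out what share of the offered load one voice stream is. Header sizes are standard; the 5 ms codec frame (so four frames carry 20 ms of audio) is an assumption chosen because it is the one that reproduces the 218-byte figure when Ethernet header and FCS are counted, as the throughput slides do.

```python
# Added example (not from the presentation): derive the 218-byte G.711 u-law
# frame and its share of the SmartFlow background load.
# Assumption: a codec frame is 5 ms, so four frames per packet = 20 ms of audio.

G711_BITRATE_BPS = 64_000   # 8 kHz * 8-bit u-law samples
CODEC_FRAME_MS = 5          # assumed codec frame duration
FRAMES_PER_PACKET = 4       # from the slide: four codec frames per packet
ETH_HEADER_BYTES = 14
FCS_BYTES = 4
IPV4_HEADER_BYTES = 20
UDP_HEADER_BYTES = 8
RTP_HEADER_BYTES = 12

def codec_frame_bytes(frame_ms=CODEC_FRAME_MS, bitrate_bps=G711_BITRATE_BPS):
    """Bytes of u-law audio in one codec frame (64 kbps * 5 ms = 40 bytes)."""
    return bitrate_bps * frame_ms // 8 // 1000

def rtp_payload_bytes(frames_per_packet=FRAMES_PER_PACKET):
    """Audio bytes carried in one RTP packet."""
    return frames_per_packet * codec_frame_bytes()

def ethernet_frame_bytes(frames_per_packet=FRAMES_PER_PACKET):
    """On-the-wire size including Ethernet header and FCS, counted the same
    way the throughput slides count a 1518-byte frame."""
    return (ETH_HEADER_BYTES + IPV4_HEADER_BYTES + UDP_HEADER_BYTES
            + RTP_HEADER_BYTES + rtp_payload_bytes(frames_per_packet) + FCS_BYTES)

def packets_per_second(frames_per_packet=FRAMES_PER_PACKET):
    """Packet rate implied by the packetization interval (20 ms -> 50 pps)."""
    return 1000.0 / (frames_per_packet * CODEC_FRAME_MS)

def stream_bps(frames_per_packet=FRAMES_PER_PACKET):
    """One direction of a G.711 call as seen on the Ethernet link."""
    return ethernet_frame_bytes(frames_per_packet) * 8 * packets_per_second(frames_per_packet)

def load_share_percent(offered_load_mbps, frames_per_packet=FRAMES_PER_PACKET):
    """Share of the offered background load that one voice stream represents."""
    return 100.0 * stream_bps(frames_per_packet) / (offered_load_mbps * 1_000_000)

if __name__ == "__main__":
    print("codec frame bytes:", codec_frame_bytes())
    print("Ethernet frame bytes:", ethernet_frame_bytes())
    print("stream kbps:", stream_bps() / 1000)
    print("share of 10 Mbps load: %.2f%%" % load_share_percent(10))
```

At a 10 Mbps offered load the stream comes to roughly 0.87% of traffic, which is consistent with the "less than 1%" on the slide.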

64 Byte Background

128 Byte Background

256 Byte Background

512 Byte Background

1024 & 1518 Byte Background