SyFi: a systematic approach for estimating stateful firewall performance

Authors:
Yordanos Beyene;Michalis Faloutsos;Harsha V. Madhyastha
Affiliations:
Department of Computer Science and Engineering, UC Riverside;Department of Computer Science and Engineering, UC Riverside;Department of Computer Science and Engineering, UC Riverside
Venue:
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Year:
2012

Citing 9
Cited 0

Fast and Scalable Conflict Detection for Packet Classifiers

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Measurements of Wide Area Internet TraffiC

Measurements of Wide Area Internet TraffiC
Packet classification in large ISPs: design and evaluation of decision tree classifiers

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Dynamic rule-ordering optimization for high-speed firewall filtering

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Structured firewall design

Computer Networks: The International Journal of Computer and Telecommunications Networking
Predicting the Resource Consumption of Network Intrusion Detection Systems

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Firewall Policy Queries

IEEE Transactions on Parallel and Distributed Systems
Conflict classification and analysis of distributed firewall policies

IEEE Journal on Selected Areas in Communications
Change-impact analysis of firewall policies

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Due to the lack of a standardized methodology for reporting firewall performance, current datasheets are designed for marketing and provide inflated throughput measurements obtained under unrealistic scenarios. As a result, customers lack usable metrics to select a device that best meets their needs. In this paper, we develop a systematic approach to estimate the performance offered by stateful firewalls. To do so, we first conduct extensive experiments with two enterprise firewalls in a wide range of configurations and traffic profiles to identify the characteristics of a network's traffic that affect firewall performance. Based on the observations from our measurements, we develop a model that can estimate the expected performance of a particular stateful firewall when deployed in a customer's network. Our model ties together a succinct set of network traffic characteristics and firewall benchmarks. We validate our model with a third enterprise-grade firewall, and find that it predicts firewall throughput with less than 6-10% error across a range of traffic profiles.