To test basic firewall connection speeds and performance in fending off attacks, I used a suite of Spirent Communications
testing tools including Web Avalanche 5.2, Reflector 5.2, and Avalanche Analyzer 5.2. I used Web Reflector to set up a multi-protocol
network on the DMZ (demilitarized zone) made up of 70 percent HTTP, 10 percent FTP, 10 percent POP3, and 10 percent SMTP traffic
to establish the maximum number of connections per second the firewall could support in a real-world environment. I then tested
for the maximum number of continuous connections. Next, I ran a baseline test using 60 percent of the established maximum
CPS (connections per second) figure and subsequently attacked the DMZ from the public side with SYN, Smurf, ARP, and reset
floods, which I emulated using Web Avalanche. Each attack ran individually for 10 minutes directing 350 packets per second
worth of attack at the device. Finally, I threw all four attacks at the firewalls. Avalanche Analyzer, a downloadable stand-alone
application, was used for analysis.
Important VPN functionalities such as individual tunnel throughput and the maximum number of tunnels supported by each firewall
were tested using Spirent’s TeraVPN 2.10. Phase 1, the portion of the tunnel between the security gateway and the device public
port, was configured as DH2 to support SHA1 IKE authentication with AES (Advanced Encryption Standard) 128-bit IKE encryption.
Phase 2, which encompasses the portion of the tunnel from the source network to the destination network, was set up using
IP Security. I used up to three card pairs running on Linux, each supporting 3,500 tunnels to test the maximum number of tunnels
each firewall supported. The cards supported 200 tunnels per card pair for tunnel data performance tests. Spirent will be
releasing a new version of TeraVPN in October that will measure tunnel setup and build time as well as add support for DH Group
5 and the ability to import test results into Excel to its testing arsenal.