Abstract
This test determines the maximum HTTP transaction rate the firewall can sustain. It also fixes the method used to close TCP connections: the test must be run with either a three-way or a four-way close handshake. In a four-way close, each side sends separate FIN and ACK segments. In a three-way close, one side sends a combined FIN/ACK segment upon receipt of the other side's FIN. The test further defines whether connection closing is initiated by the client or by the server.
This test ensures that users know the firewall's upper transaction rate limit before deployment, so that dropped packets and sessions under load are anticipated rather than appearing as unexplained anomalies.
Description
For each iteration of the test, simulated HTTP 1.1 (or higher) clients vary the aggregate GET request rate offered to HTTP 1.1 (or higher) servers. The simulated clients maintain the offered request rate for the defined test duration.
If a simulated client makes multiple HTTP GET requests per connection, it must request the same object size for each GET request. Multiple tests may be performed with different object sizes.
Target Users
Product verification, Engineering
Target Device Under Test (DUT)
Firewall
Reference
RFC 3511
Relevance
For the networks that a firewall secures, the value of the data and systems it must help protect is often many times the cost of the firewall and of the testing. Deploying a security infrastructure without understanding its performance and security behaviour runs the risk of doing little to protect the network, especially if it also breeds apathy from a false sense of security. Among the reasons that show why firewall testing is critical:
Security at load: Security flaws often do not appear until the network encounters a large load. Attacks can hide more easily within large amounts of traffic, potentially causing problems right
warning. Second, the failure state of the firewall is known: firewalls that fail closed stop all traffic from passing (effectively a successful denial-of-service, or DoS, condition), and firewalls that fail open permit all traffic, which is a security failure.
Pre-deployment capacity planning: Deploying a security infrastructure will most likely affect overall network performance. Testing that effect ensures that the added security does not reduce performance below the levels acceptable to the business.
Version
1.0
Test Category
Testing Firewalls and VPN
PASS
[X] Performance [X] Availability [X] Security [X] Scale
Required Tester Capabilities
Generate a connections-per-second performance test, with load profiles for the different step iterations and test durations, and server transaction profiles supporting different object sizes.
Real-time and summary reports on the highest connection teardown rate and on the minimum, maximum, average and aggregate connection teardown times.
Topology Diagram
Test Procedure
1. Reserve two test ports.
2. Connect cabling to the DUT. Cable tester port 1 as the client side to the configured firewall-capable DUT, and connect port 2 as the server side to the other side of the DUT. Establish the link.
3. Begin Step 1, the HTTP 1.1 transactions-per-second performance test:
   a. Enter the management IP address of the client port.
   b. Enter the management IP address of the server port.
   c. Select the performance test for the specific equipment used in this test.
   d. Configure HTTP 1.1 for both client and server.
   e. To maximize the performance of the tester, send 10 HTTP 1.1 GET requests from each SimUser.
   f. In this step each TCP connection carries at most one HTTP transaction, so each SimUser opens 10 TCP connections sequentially.
4. Begin Step 2, testing the effect of load, object size and duration. Client side:
   i. HTTP version 1.1.
   ii. HTTP GETs per SimUser: 50.
   iii. Connection termination with FIN.
   iv. Object/page size: 64, 512, 1024 and 10240 bytes.
5. End test.
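As a worked illustration of Steps 1 and 2 (added here; it is not part of the original test specification and is not the code of any test tool or DUT vendor), the following Python script stands up a loopback HTTP/1.1 server in place of the server-side port, runs SimUser threads that issue a fixed number of GETs per connection for one object size, closes each connection from the client side with a FIN, and reduces the results to the quantities in the Key Measured Metrics table: transactions per second, minimum/maximum/average transaction time, and requests attempted versus completed. The object sizes, SimUser counts, function names and the stand-in server are assumptions for illustration; a real run points the client at the DUT rather than at loopback and sustains the offered rate for the full test duration.

```python
"""Loopback model of the transaction-rate procedure above. Added example, not the
test tool's or the DUT vendor's code: a local HTTP/1.1 server stands in for the
server-side port and SimUser threads for the client-side port; all names, sizes
and the stand-in server are assumptions for illustration."""
import socket, statistics, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OBJECT_SIZES = (64, 512, 1024, 10240)  # bytes, per the control-variables table

class _ObjectHandler(BaseHTTPRequestHandler):
    """Serves /<size> as a fixed-size body, so the client can check the last byte arrived."""
    protocol_version = "HTTP/1.1"  # keep-alive by default; honours Connection: close

    def do_GET(self):
        size = int(self.path.strip("/") or "64")
        self.send_response(200)
        self.send_header("Content-Length", str(size))
        self.end_headers()
        self.wfile.write(b"x" * size)

    def log_message(self, *args):  # keep the measurement loop quiet
        pass

def start_server():
    """Bind an ephemeral loopback port; the port is returned in server_address[1]."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _ObjectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _read_response(sock):
    """Read one HTTP response; returns (status, body). Raises on a premature FIN."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("peer closed before headers")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    while len(body) < length:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("peer closed mid-body")
        body += chunk
    return int(lines[0].split()[1]), body[:length]

def run_simuser(host, port, size, gets_per_conn):
    """One SimUser connection: gets_per_conn sequential GETs of one object size, then a
    client-initiated FIN. Returns [(completed, seconds)]: a transaction is timed from
    sending the GET to receiving the last byte of the object, as the metrics table defines."""
    results, sock = [], socket.create_connection((host, port))
    try:
        for i in range(gets_per_conn):
            close = "Connection: close\r\n" if i == gets_per_conn - 1 else ""
            t0 = time.perf_counter()
            sock.sendall(f"GET /{size} HTTP/1.1\r\nHost: {host}\r\n{close}\r\n".encode())
            try:
                status, body = _read_response(sock)
                ok = status == 200 and len(body) == size
            except OSError:  # includes ConnectionError: counted as not completed
                ok = False
            results.append((ok, time.perf_counter() - t0))
            if not ok:
                break
    finally:
        try:
            sock.shutdown(socket.SHUT_WR)  # our FIN: client-initiated close
        except OSError:
            pass
        sock.close()
    return results

def summarize(results, elapsed):
    """Reduce per-transaction records to the Key Measured Metrics and completion counts."""
    times_ms = [sec * 1000.0 for ok, sec in results if ok]
    done = len(times_ms)
    return {
        "requests_attempted": len(results),
        "requests_completed": done,
        "completion_pct": 100.0 * done / len(results) if results else 0.0,
        "transaction_rate_tps": done / elapsed if elapsed > 0 else 0.0,
        "min_ms": min(times_ms) if times_ms else None,
        "max_ms": max(times_ms) if times_ms else None,
        "avg_ms": statistics.fmean(times_ms) if times_ms else None,
    }

def run_step(host, port, size, simusers, gets_per_conn):
    """Run `simusers` concurrent SimUsers against one object size; returns the summary."""
    per_user = [[] for _ in range(simusers)]

    def worker(i):
        try:
            per_user[i] = run_simuser(host, port, size, gets_per_conn)
        except OSError:  # connection never established: nothing attempted at HTTP level
            pass

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(simusers)]
    t0 = time.perf_counter()
    for t in threads: t.start()
    for t in threads: t.join()
    summary = summarize([r for rs in per_user for r in rs], time.perf_counter() - t0)
    summary["object_size"] = size
    return summary

if __name__ == "__main__":
    server = start_server()
    for size in OBJECT_SIZES:  # Step 2: fixed offered load, varying object size
        print(run_step("127.0.0.1", server.server_address[1], size, 4, 10))
    server.shutdown()
```

Run it directly to print one summary per object size. Step 1 (one transaction per connection, 10 connections per SimUser) corresponds to calling run_simuser ten times in a row with gets_per_conn=1; Step 2 corresponds to gets_per_conn=50. Loopback numbers only validate the harness: the transaction time of interest is the one measured through the DUT, and a shortfall between requests attempted and requests completed at a given offered rate is exactly the dropped-session symptom the test is meant to surface before deployment.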
Control Variables & Relevance
Variable | Relevance | Default Value
Packet sizes: 64, 512, 1024, 10240 bytes | Determine the maximum throughput of the firewall DUT for each fixed packet size. | 980 Mbps throughput
Test Duration | At least 10 minutes. | 10 minutes
Key Measured Metrics
Metric | Relevance | Unit
Maximum transaction rate | Maximum rate at which all transactions, that is all requests and their responses, are completed | tps
Maximum transaction time | Longest observed transaction time; a transaction starts when the client issues the GET request and ends when the client receives the last bit of the requested object | ms
Minimum transaction time | Shortest observed transaction time, measured the same way | ms
Average transaction time | Mean observed transaction time, measured the same way | ms
Desired Result
The test results include the GET request attempt rate, the number of requests attempted, the number and percentage of requests completed, the number of responses attempted, the number and percentage of responses completed, and the minimum, average and maximum transaction times.
The test results also include the number of connections attempted, the number and percentage of connections completed, and the number and percentage of connection teardowns completed.
Analysis
There should be no packet loss. Metrics of interest include the maximum TCP connection teardown rate; the minimum, maximum, average and aggregate connection teardown times; the number of connections; aging time; close method; and close direction. Different packet sizes should produce different