Evaluation report of 12 types of firewalls for the

2022-10-19

As the preferred network security product for enterprise users, the firewall has always been a focus of attention for users and manufacturers. To give users an objective basis for choosing, from a dazzling range of products, the firewall that meets their needs, we carried out a comparative evaluation of the mainstream firewall products on the current market.

The products we collected for this evaluation fall into two series: 100m and Gigabit firewalls. The products sent for testing comprise 14 products from 12 manufacturers at home and abroad. The 100m firewalls are LinkTrust cyberwall-100pro from Andersen Internet Co., Ltd., fangzheng Fangyu fgfw from Founder Digital, Lenovo Royal 2000, netscreen-208, Tsinghua Deshi netst2104, sg300 from servgate, dcfw-1800 from digital China, tianrongxinluo defender ngfw4000, Samsung securewall firewall and Longma defender firewall from Weishitong Longma. The Gigabit firewalls are Beida Bluebird jb-fw1, netscreen-5200, servgate sg2000h and amritte f600+. Samsung secuiwall firewall and Beida Bluebird jb-fw1 firewall did not complete the performance test, so they withdrew from this comparison test. With the joint efforts of our evaluation engineers, we successfully completed the evaluation of the 12 other products.

The tests cover three aspects: performance, anti-attack ability and function. They include quantitative and qualitative tests in accordance with RFC2504, RFC2647 and Chinese standards. For the performance and anti-attack tests we used the SmartBits 6000b tester from Spirent as the main test equipment, together with the SmartFlow and WebSuite firewall test software. To determine accurately whether a packet received by the attacked party was an attack packet when measuring anti-attack ability, we also captured and analysed packets with the Sniffer Pro software from NAI.

Performance overview

For network devices, performance is the first thing to consider. Compared with other network devices, the firewall has always been regarded as the bottleneck for network performance. Keeping performance high while its various functions are enabled is a great challenge for a firewall.

Our strongest impression during testing was that, because firewalls differ so much in architecture and implementation, the performance differences between them are very obvious. There are currently three main hardware architectures: one uses an ASIC, one uses a network processor (NP), and the third, also the most common, uses an ordinary computer architecture. These architectures differ significantly in their capacity to process data packets. The efficiency of the firewall software itself also has a great impact on performance. At present, some firewall software platforms are optimized versions of open systems (such as Linux or OpenBSD), some use their own special operating system, and some have no operating system at all. We tried to minimize the factors that affect firewall performance during the performance test, so we configured each firewall in the simplest way: everything allowed in and out, in routing mode.

The performance test items were the same for the 100m and Gigabit firewalls: bidirectional performance, unidirectional performance, performance with NAT enabled, and maximum concurrent connections. The bidirectional items are throughput, delay at 10% line speed, delay at throughput, and frame loss rate. The unidirectional items are throughput and delay at 10% line speed. The items measured with NAT enabled are throughput and delay at 10% line speed.

Performance analysis of 100m firewall

Throughput is one of the most important indicators users rely on to select a firewall and measure its performance: it is the maximum rate at which the firewall forwards packets without losing frames. In the two-way throughput test with 64 byte frames, Andersen Lingxin firewall is the most outstanding, reaching 51.96% of line speed, and netscreen-208 also reaches 44.15%. In the one-way throughput test with 64 byte frames, the netscreen-208 firewall reached 83.60%, ranking first, followed by Fangzheng Fangyu firewall with 71.72%.

Delay is the time a packet takes to pass through the firewall. The delay results at two-way 10% line speed show that Lenovo Royal 2000 and dragon horse guard have equal values, sharing first place.

The frame loss rate is the percentage of frames that the firewall should forward under continuous load but cannot forward for lack of resources. This index is correlated with throughput: a firewall with high throughput generally has a low frame loss rate. Of the five frame lengths tested, the result of netscreen-208 is 0 for 256, 512 and 1518 byte frames and 57.45% for 64 byte frames.

Generally speaking, the performance of a firewall with NAT enabled is slightly lower than its one-way performance without it, because enabling NAT naturally takes up more system resources. However, for the Anshi Lingxin firewall and the Tsinghua Deshi netst 2104 firewall, the throughput of 64 byte frames with NAT enabled is slightly higher than the one-way throughput result.

The maximum number of concurrent connections determines how many concurrent users the firewall can support at the same time. It is a distinctive and important performance index for a firewall, especially when the network protected by the firewall provides Web services to external networks. Tianrongxin NGFW 4000 ranked first with the largest number of concurrent connections, 1 million, while Longma defender firewall also achieved 800000.

Our anti-attack capability test mainly simulates seven major DoS attacks with the SmartBits 6000b. During the anti-attack test we also tried to establish 50000 tcp/http connections, to investigate how well the firewall handles normal connections while its anti-attack functions are enabled.

SYN flood is currently the most common attack mode, and firewalls differ in how they implement protection against it. For example, Andersen Lingxin firewall and netscreen-208 adopt SYN proxy. When testing these two firewalls we established 50000 TCP connections as background streams, and both filtered out all attack packets. Sg-300 and Lenovo Royal 2000 blocked all attack packets while tcp/http connections were established normally. Most firewalls can filter out Smurf, Ping of death and Land-based attack packets.

The teardrop attack test splits a legitimate packet into three segments, one of which has an abnormal offset. For this attack, we analyzed the results captured with the sniffer. We observed three protection methods. The first discards all three attack packets. The second discards the abnormal attack packet and combines the remaining two packets into a normal packet, which is allowed through the firewall. The third discards the second segment and lets the other two segments pass through the firewall separately. All three methods effectively prevent this attack. The actual test results show that Fangzheng Fangyu, Anshi Lingxin, sg-300 and Longma guard belong to the first case; digital China dcfw-1800, Deshi netst2104 and Lenovo Royal 2000 belong to the second case; and netscreen-208 belongs to the third case.
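The three handling methods described above can be compared side by side on one fragmented datagram. The following is an added example, not code from the report or from any tested product: the `Fragment` type, the policy names and the sample offsets are constructed for illustration, and offsets are given in bytes for simplicity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload in the datagram
    length: int   # payload bytes carried
    more: bool    # MF (more fragments) flag

def abnormal_indexes(frags):
    """Indexes of fragments whose offset falls inside data already received."""
    bad, end = [], 0
    for i, f in enumerate(frags):
        if f.offset < end:          # overlaps earlier payload: abnormal offset
            bad.append(i)
        else:
            end = f.offset + f.length
    return bad

def egress(frags, policy):
    """Return the (offset, length) units that leave the firewall."""
    bad = set(abnormal_indexes(frags))
    if not bad:                     # clean datagram: forwarded unchanged
        return [(f.offset, f.length) for f in frags]
    good = [f for i, f in enumerate(frags) if i not in bad]
    if policy == "drop_all":                    # first method in the report
        return []
    if policy == "drop_abnormal_reassemble":    # second method
        end = 0
        for f in good:              # survivors must be contiguous to rebuild
            if f.offset != end:
                return []
            end += f.length
        return [(0, end)] if good and not good[-1].more else []
    if policy == "drop_abnormal_forward_rest":  # third method
        return [(f.offset, f.length) for f in good]
    raise ValueError(f"unknown policy: {policy}")

# Constructed sample: three fragments; the second overlaps bytes 8..23.
SAMPLE = [Fragment(0, 24, True), Fragment(8, 16, True), Fragment(24, 16, False)]
# Constructed sample: a well-formed two-fragment datagram.
CLEAN = [Fragment(0, 24, True), Fragment(24, 16, False)]
```

In every case the fragment with the overlapping offset never reaches the protected host, which is why the report treats all three methods as effective.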

All the firewalls can resist Ping sweep and Ping flood attacks. Sg-300 firewall filters out all attack packets, while Fangzheng Fangyu firewall lets only one packet through. The other firewalls let some Ping packets through, but they filter out most of the attack packets. This result mainly depends on the number of Ping packets per second configured in the firewall software.

Analysis of Gigabit firewall performance results

Because Gigabit firewalls are mainly used in telecom networks or large data centers, performance matters even more for them than for 100m firewalls. In general, the differences among the three Gigabit firewalls are quite large, but their performance results are significantly higher than those of the 100m firewalls.

In the bidirectional throughput test, the netscreen-5200 results for 64, 128, 256, 512 and 1518 byte frames are 58.99%, 73.05%, 85.55%, 94.53% and 97.27% of line speed respectively. The delay of the Gigabit firewalls is significantly lower than that of the 100m firewalls. The delay of netscreen-5200 at bidirectional 10% line speed is quite low: only 4.68 μs for 64 byte frames and only 24.94 μs for 1518 byte frames. With NAT enabled, the throughput of the netscreen-5200 firewall with 64 byte frames is 62.5%. Since the servgate sg2000h does not support routing mode, only NAT results were measured for it; this firewall reached 100% line speed with 1518 byte frames. The NAT function of amritte f600+ has little impact on its performance. The test results for the maximum number of concurrent connections show that the netscreen-5200 firewall reaches 1 million.

In the anti-attack ability test, the three Gigabit firewalls protect well against Smurf and Land-based attacks: none of the attack packets pass through the firewall. For the Ping of death attack, the netscreen-5200 and amritte f600+ firewalls discarded all attack packets. During the test of the sg2000h firewall, 45 attack packets sent were discarded, and the next two attack packets were discarded, which would not cause too much harm to the network. When protecting against the teardrop attack, the f600+ firewall discards all attack packets, the servgate-2000 firewall retains only the first attack packet, and the netscreen-5200 firewall retains the first and third attack packets. All three behaviours protect against this attack. Amritte f600+ and sg2000h were tested with 1000 attack packets in the Ping sweep test, all of which were filtered out.

Function overview

While testing the firewalls we saw how greatly the products differ, and by configuring each one ourselves we learned their respective characteristics in terms of ease of use, management and log audit.

Packet filtering, state detection and application layer proxy are the three main firewall implementation technologies. The products tested this time clearly show that state detection, alone or mixed with the other two technologies, is the mainstream implementation principle.

In terms of working mode, most firewalls support routing mode and bridge mode (transparent mode). Sg300 and sg2000h from servgate mainly work in bridge mode and NAT mode, without the routing mode found in most products. Tianrongxin NGFW 4000 and the Longma guard firewall of Weishitong Longma also support mixed mode.

100m firewall

When we received the firewalls to be tested, our immediate impression was that the firewall is no longer limited to the traditional three ports but is developing towards multiple ports. Firewalls with four ports are very common. We all know that three ports are used to separate the internal, external and DMZ areas, so what is the fourth port for? Products differ greatly, but it is mainly used for configuration management. Angle's firewall uses this port to interact with IDS, which is relatively unique. As further examples, the ngfw4000 of Tianrongxin network guard can be expanded to at most 12 ports, the netscreen-208 has 8 fixed ports, and the netscreen-5200 is a modular Gigabit firewall that can take 8 mini-GBIC 1000Base-SX/LX Gigabit ports or 24 100m ports, which shows the market trend towards integrating firewall and switch.

support for DHCP protocol,
