Network Security with Performance

Dave Schneider
March 4, 2011

In response to the ever growing and changing threat landscape, network security appliances have become more sophisticated and powerful. They incorporate advanced techniques such as deep packet inspection (DPI) and massive parallel processing.

Individual appliances, such as firewalls, IDS/IPS, anti-virus, anti-spam and data loss prevention systems, have given way to modern universal threat management (UTM) systems. UTM systems come in all sizes: from small desktop units, to rack-mounted, multi-unit, multi-10 Gigabit systems. Witness the 160 Gbps demonstration of SonicWALL’s SuperMassive E10000 system at RSA, incidentally tested with Ixia appliances.

In evaluating network security solutions, one measurement that is often overlooked is “good” traffic performance. A security appliance that is so busy looking for malware or fending off an attack that it can’t maintain throughput for critical business applications is of little use. One could argue, in fact, that such a security appliance had been defeated – effectively denying service to its users.

Intrusion protection is a tricky matter, often requiring (relatively) long-term storage while looking for a signature or other pattern. Many, many signatures or other techniques must be applied to determine whether the contents of a stream are malware. Line-rate traffic can consume massive amounts of memory and CPU cycles – which must be balanced with handling of “good” traffic.

The evaluation of network security appliances, therefore, must include performance measurement while under attack – at line-rate. Just as security testing uses deliberately constructed test traffic, so “good” traffic load must be constructed to realistically emulate the type of traffic that the network security appliance is expected to handle. For example, if a UTM being evaluated also implements quality of service based on deep packet inspection, then it is essential that multiplay traffic of all types be statefully applied to the UTM for the performance measurement.
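As an added illustration (not code from the original post or from Ixia's test tooling), a small Python model of the argument above: a DPI appliance whose inspection CPU is shared by every stream it sees, and the evaluation step that compares per-class goodput of a multiplay mix with and without attack load against per-class loss budgets. All stream rates, inspection costs and thresholds are constructed, illustrative values.

```python
# Toy model of good-traffic goodput on a DPI appliance under attack load, plus
# the evaluation the post argues for: measure each traffic class with and
# without attack traffic present and flag classes that miss their loss budget.
from dataclasses import dataclass

@dataclass(frozen=True)
class Stream:
    app: str              # traffic class, e.g. "voip", "video", "web", "exploit"
    offered_mbps: float   # load offered to the appliance
    cycles_per_mb: float  # inspection cost; attack streams cost more because
                          # many signatures must be applied and state buffered

def deliver(streams, cpu_budget):
    """Goodput per class when inspection CPU is shared fairly.

    Every byte must be inspected before it can be classified, so once total
    demand exceeds the budget all streams are scaled back by the same factor:
    the appliance cannot favour 'good' traffic it has not yet inspected.
    """
    demand = sum(s.offered_mbps * s.cycles_per_mb for s in streams)
    share = min(1.0, cpu_budget / demand) if demand else 1.0
    return {s.app: round(s.offered_mbps * share, 2) for s in streams}

def degradation(baseline, under_attack):
    """Percent goodput lost per class relative to the attack-free run."""
    return {app: round(100 * (1 - under_attack[app] / base), 1)
            for app, base in baseline.items() if base}

def failing_classes(deg, max_loss_pct):
    """Classes whose loss exceeds their budget; any hit means the appliance was
    effectively defeated, denying service to its own users."""
    return sorted(app for app, loss in deg.items() if loss > max_loss_pct[app])

# Constructed multiplay mix (illustrative numbers, not measurements). The CPU
# budget is sized so the good traffic alone just fits at line rate.
GOOD = [Stream("voip", 50, 1.0), Stream("video", 400, 1.0), Stream("web", 550, 1.0)]
ATTACK = [Stream("exploit", 100, 10.0)]   # 10% of line rate at 10x inspection cost
CPU = 1000.0                               # cycles/s, same units as cost * Mbps
SLA = {"voip": 1.0, "video": 5.0, "web": 60.0}   # max tolerable loss, percent

def evaluate():
    base = deliver(GOOD, CPU)
    mixed = deliver(GOOD + ATTACK, CPU)
    good_only = {k: v for k, v in mixed.items() if k != "exploit"}
    deg = degradation(base, good_only)
    return base, good_only, deg, failing_classes(deg, SLA)

if __name__ == "__main__":
    for part in evaluate():
        print(part)
```

Under this model a 10% attack load halves the goodput of every class, which voice and video cannot tolerate even though the appliance never "fell over".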

Network security testing is a very demanding task, requiring methodologies and equipment that match the scale of modern security appliances.
