Firewalls are no longer just perimeter devices for the data center; they should be woven into the fabric of the network from edge to edge so as to offer security that is layered in depth and ubiquitous. The next evolution of the firewall has to combine dynamic policy-based security with performance, rapid scaling, high availability and application intelligence. Today, increasing attention is paid to the quality of network firewall design because of regulations and frameworks such as the Sarbanes-Oxley Act, the CobiT framework, the Payment Card Industry Data Security Standard (PCI DSS) and the NIST standard. All of these include specific sections dealing with firewall configuration, management and audit. This paper is a humble attempt to examine the various types of firewalls in operation today and to cross-reference each firewall's operation with the causes and effects of weaknesses in that operation. In addition, we analyze reported problems with existing firewalls. A detailed analysis and comparison is carried out in terms of cost, security, operational ease and implementation of the open source Packet Filter (PF) firewall, Check Point SPLAT and Cisco ASA in a test environment with laboratory-generated traffic. Various throughput and connection statistics were used as benchmarks for the performance comparison. The results indicate that Cisco ASA outperforms its peers in most performance criteria, while Check Point SPLAT and OpenBSD PF also provide reasonably good and competitive performance. The results reported in this paper will also be useful when comparing vendors in order to procure a firewall based on one's own organizational business requirements.