Johnston Mark <[EMAIL PROTECTED]> wrote:
>I have an appliance firewall which I would like to do some load testing
>against. I'm planning to host web sites and I need to know if the FW is
>going to handle all the connections. I have a rough idea of what amount of
>hits I expect per domain per month.
>
>a)    What is a good way to approach this type of project
>b)    Is there software etc to do this or some scripts that I can run on a
>unix box


There are some old documents and scripts on:
http://web.ranum.com/pubs/fwperf/index.htm
describing some thinking me and a few friends did on firewall performance
testing in the "old days" of firewalls.

I suspect with a "modern" firewall the differences in performance will be even
more interesting. For example, does the firewall just look at SSL ("oh, look. SSL.
I can't do anything with that, let me open a rule and pass all packets.") or does
it try to parse anything and/or record stuff? So if you want to test you'll need
valid traffic not just a bunch of random frames from a smartbits... Expect your
mileage to vary wildly and remember that faster is not more secure. In fact
speed and security have no relationship whatsoever...*

mjr.
(* Before someone argues "slower is probably more secure" consider the
case of a packet filter with a delay loop to make it look "more secure")  ;)
---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
