Like me, you can probably remember the good old days when, not that long ago, we used things like Raptor firewalls and Checkpoint on old Sparcstation 10s at the high end of firewall performance.
The PIX used to be the standard when it came to "Big Iron" for firewalls. We all bowed down before the PIX. I'm sure you remember those times well.
But even knowing how far we've come, the performance of this modern firewall will really blow your socks off, I mean right off!! Check this out: http://www.networkworld.com/reviews/2009/022309-juniper-firewall-test.html
It is worth mentioning the equipment used in this test. I'm not going to describe it here; it is Spirent equipment, and you can read all about it in the article.
The key is, this is a cutting-edge firewall, and to properly test it means simulating realistic traffic, not fake traffic.
To simulate enough traffic to hit the performance marks of this firewall with realism is no small task. Network World and Opus 1 looked to Spirent for the right blend of equipment here.
Getting completely real means you need to arrange your test and get 100,000 users really using real applications like Siebel, Oracle, real Web surfing, and real viruses and threats. Not gonna happen.
The opposite end of the spectrum is pure dumb performance, with very little control over the L4-L7 state of the simulated users.
So let me rant about my Top Complaints about Fake L4-L7 testers out there:
For some claimed L4-L7 test boxes out there, they can't even work against a real Apache server. Wow! How much can you trust something that claims to simulate real network applications but can't even connect to an actual server?? That doesn't sound very realistic to me.
Especially when the same test equipment tries to do L2-L3 traffic at the same time, with a very cartoonish user interface, there are diminishing returns and the end user does not have much control over the realism.
The huge risk you take with this fake traffic is that the firewall test will look good on paper but fail in the real network.
Easy to do, and on a superficial level it looks good, but there's not much behind it; it falls over very quickly under scrutiny from a competent firewall test professional who knows their chops.
Bottom Line: Firewalls are Big & Bad now, and when it comes to testing them remember this: Performance without realism is worthless.
-Dr. TCP
mandatory little disclaimer: The views expressed here are not necessarily those of Spirent Communications. They are my own personal views, and this is a personal blog of mine.
Monday, February 23, 2009