A Systematic Approach for Understanding and Modeling the Performance of Network Security Devices
In this dissertation, we attempt to understand and predict the performance of security devices. More specifically, we examine the following types of questions: (a) Given a security device, and a traffic load, can we predict the performance of the device? (b) Given a traffic load and a security device, how can we tune the performance of the device to achieve the desired trade-off between security and performance? We consider both stateful firewalls and Network Intrusion Prevention systems (NIPS). For stateful firewalls we focus on three enterprise class firewalls from Hewlett Packard, SonicWall, and Fortinet. For NIPS we focus on the most widely deployed open Network Intrusion Detection and Prevention system, Snort.
Despite an increase in deployment of security devices, and their increasing complexity to detect ever more sophisticated network attacks, there have been limited studies to understand latencies introduced by these devices to Networks. Vendors release performance datasheets that often display the best performance numbers, by conducting measurements with unrealistic traffic profiles, and configurations that don't represent real networks. This practice forces buyers to make purchasing decisions based on guesses, which may cause them to end up buying costly products that they don't need, or to buy underperforming products that could potentially introduce bottlenecks in their networks. The main purpose of our work is to assist system administrators in selecting security devices that meet their networks' current and future performance requirements. We also examined the performance impact of key configuration parameters and provide deployment tips to tune Snort for improved performance. Besides we cover the performance and security limitations of Snort.
In this study, we develop two separate models: i) SyFi for stateful firewalls and ii) PreNIPS for Network Intrusion Prevention systems. The stateful firewall model is based on measurements conducted on two enterprise-grade stateful firewalls and a third enterprise-grade stateful firewall was used to validate the finding. Our evaluation on a third firewall shows that our model can estimate throughput across different traffic profiles with over 94% accuracy. PreNIPS is based on measurements conducted on a Snort deployment with several HTTP packet traces, and validated with HTTP packet traces captured from a different website. Our measurements show PreNIPs has over 89\% accuracy.