Performance Evaluation and Comparative Analysis of Network Firewalls

Chirag Sheth
Tata Consultancy Services Limited, Info-Tower-1, Infocity, Gandhinagar – 382009, India
[email protected]

Rajesh Thakker
Electronics & Commu Dept, Vishwakarma Govt. Engg. College, Chandkheda, Gandhinagar – 382424, India
[email protected]

Abstract— Firewalls are no longer just perimeter devices for the data center, but should be woven into the fabric of the network from edge to edge so as to offer security that is layered in depth and ubiquitous. The next evolution of the firewall has to combine dynamic policy-based security with performance, rapid scaling, high availability and application intelligence. Today, increasing attention is paid to network firewall design quality due to regulations such as the Sarbanes-Oxley act, the CobiT framework, the Payment Card Industry Data Security Standard (PCI DSS) and the NIST standard. All these regulations include specific sections dealing with firewall configuration, management and audit.

This paper is a humble attempt to examine the various types of firewalls in operation today and to cross-reference each firewall operation with the causes and effects of weaknesses in its operation. In addition, we analyze reported problems with existing firewalls. Detailed analysis and comparison is done in terms of cost, security, operational ease and implementation of the open-source packet filter (PF) firewall, Checkpoint SPLAT and Cisco ASA in a testing environment with laboratory-generated traffic. Various throughput and connection statistics were used as benchmarks for performance comparison. The results indicated that Cisco ASA outperforms its peers in most performance criteria. Checkpoint SPLAT and OpenBSD PF also provide reasonably good and competitive performance. The results reported in this paper will also be useful in comparing vendors when procuring a firewall based on one's own organizational business requirements.

Keywords— Network Security, Distributed Firewall, Checkpoint NGX, Cisco ASA, OpenBSD PF

I. INTRODUCTION

"Cyber Attacks Hit 75% of Global Enterprises in 2009" [Symantec, Feb-2010]

As enterprises take on the Internet as a new business tool - whether to sell, to collaborate or to communicate - web applications have become the new weakest link in the organization's security strategy. Technological innovations are fundamentally changing the way people live, work, play, share information and communicate with each other.

Network firewalls protect a trusted network from an untrusted network by filtering traffic according to a specified security policy. A firewall is often placed at the entrance of each private network on the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed or to discard it. A firewall's basic task is to regulate the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

A firewall's configuration contains a large set of access control rules, each specifying source addresses, destination addresses, source ports, destination ports, one or multiple protocol IDs, and an appropriate action. The action is typically "accept" or "deny." Some firewalls support other types of actions, such as sending a log message, applying a proxy, or passing the matched packets into a VPN tunnel. For most firewalls, the rule set is order-sensitive: an incoming packet is checked against the ordered list of rules, and the first rule that matches decides how the packet is processed. Due to the multidimensional nature of the rules (source/destination addresses and ports), the performance of a firewall degrades as the number of rules increases. Commercially deployed firewalls often carry tens of thousands of rules, creating performance bottlenecks in the network. More importantly, empirical evidence shows that the number of configuration errors on a firewall increases sharply with the size of the rule set. A complex rule set can easily lead to mistakes and misconfiguration [1-3].

Despite their critical role, firewalls have traditionally been tested without well-defined and effective methodologies. Currently, a diverse set of firewalls is in use. Because it is infeasible to examine each firewall separately for all potential problems, a general mechanism is required to understand firewall vulnerabilities in the context of firewall operations. The firewall data flow model presented in this paper gives an overall description of firewalls by detailing the operations they perform (depicted in Fig. 1). When a packet is received by a firewall, it first undergoes link layer filtering. Then it is checked against a dynamic rule set. The packet then undergoes packet legality checks, and IP and port filtering. Finally, network/port address translation is performed.
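The order-sensitivity and the misconfiguration risk described above can be made concrete with a small first-match evaluator and a shadowing check over an ordered rule set. This is an added example written for this edit, not code from the paper; the rule format, the rule names and the addresses are assumed for illustration (Python 3.7 or later, for `ipaddress.subnet_of`).

```python
# Added example (not from the paper): a first-match packet filter plus a
# shadowing check for the ordered rule sets described above. All addresses,
# rules and packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "accept" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    src: str                   # CIDR prefix, e.g. "0.0.0.0/0"
    dst: str
    dports: Tuple[int, int]    # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on the fields this toy rule format carries."""
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.dports[0] <= pkt.dport <= rule.dports[1]
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[str]]:
    """First-match semantics: the first rule that matches decides, so the
    outcome depends on rule order. Returns (action, name of deciding rule)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.dports[0] <= inner.dports[0]
        and inner.dports[1] <= outer.dports[1]
    )


def rule_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Find rules that can never fire because an earlier rule covers them.
    Returns (kind, dead_rule, earlier_rule): "shadowed" when the actions
    differ (a policy error), "redundant" when they agree (harmless, but it
    bloats the set). Only pairwise cover is checked; a rule hidden by the
    union of several earlier rules is not reported."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((kind, later.name, earlier.name))
                break
    return found


def fixed_rules(rules: List[Rule]) -> List[Rule]:
    """Move every shadowed rule in front of the rule that hides it."""
    order = list(rules)
    for kind, dead, hider in rule_anomalies(rules):
        if kind == "shadowed":
            r = next(x for x in order if x.name == dead)
            order.remove(r)
            order.insert(next(i for i, x in enumerate(order) if x.name == hider), r)
    return order


# Constructed rule set: "www-in" was appended after a broad deny for the DMZ
# prefix, so the web server is unreachable and nothing flags it at load time.
RULES = [
    Rule("ftp-in", "accept", "tcp", "0.0.0.0/0", "192.0.2.10/32", (21, 21)),
    Rule("deny-dmz", "deny", "any", "0.0.0.0/0", "192.0.2.0/24", (0, 65535)),
    Rule("www-in", "accept", "tcp", "0.0.0.0/0", "192.0.2.20/32", (80, 80)),
]
WEB_REQUEST = Packet("tcp", "203.0.113.5", "192.0.2.20", 80)

if __name__ == "__main__":
    print(evaluate(RULES, WEB_REQUEST))               # ('deny', 'deny-dmz')
    print(rule_anomalies(RULES))                       # [('shadowed', 'www-in', 'deny-dmz')]
    print(evaluate(fixed_rules(RULES), WEB_REQUEST))  # ('accept', 'www-in')
```

The evaluator is linear in the number of rules, which is the degradation the text describes; the anomaly check is quadratic and is the kind of pass worth running before a rule set is loaded, since the shadowed rule never fires at runtime and leaves no trace in logs.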

978-1-4244-9190-2/11/$26.00 ©2011 IEEE


Fig. 1 Firewall operations and data flow.

Sophisticated firewalls also reassemble packets and perform application level analysis. After a routing decision is made on the packet, outbound filtering may also be performed. Each of these operations is optional, and the order in which a packet traverses them may also differ between firewalls.

II. NETWORK FIREWALL – REGULATORY COMPLIANCE

Managing the security of critical information has proven a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based solutions are short-lived. The primary objective of information security is to protect information from unauthorized access and to maintain the confidentiality, integrity and availability of information.

Fig. 2 Network security objectives.

Information technology (IT) security is indispensable to an organization's ability to conduct business and achieve its objectives. Security requirements affect almost every business process and system, and successful security measures help protect a business' brand value, stakeholder confidence, risk management strategies, and compliance status. Requirements vary among industries, geographies, and regions, but the need to protect privacy, retain important data, and facilitate e-discovery is common to all. Some of the criteria in audit checklists which demand efficient firewall configuration and management [4-6] are given in Table I.

TABLE I
MAJOR CRITERIA IN AUDIT CHECKLISTS FOR FIREWALL CONFIGURATION IN VARIOUS REGULATORY COMPLIANCE STANDARDS

Major Regulatory Standards

Payment Card Industry – Data Security Standard (PCI-DSS) Requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Encrypt transmission of cardholder data across open and public networks.
3. Use and regularly update anti-virus software or programs.
4. Track and monitor all access to network resources and cardholder data.
5. Maintain a policy that addresses information security for employees and contractors.
6. Develop and maintain secure systems and applications.
7. Do not use vendor-supplied defaults for system passwords and other security parameters.

ISO 27002 Information Security Standard Requirements:
1. Networks (where business partners and/or third parties need access to the information system) should be segregated using perimeter security mechanisms such as firewalls.
2. The information security policy should be approved by management, published and communicated to all employees.
3. There should be controls such as firewalls, operating system hardening, intrusion detection and any other type of tools used to monitor the system.
4. Encryption techniques should be used to protect the data.
5. Regular assessments should be conducted to analyze the sensitivity of the data and the level of protection needed.

Control Objectives for Information and Related Technology (COBIT) Requirements:
1. Plan and organize an effective, robust and scalable network security policy.
2. Define the level of security and control that is necessary to protect the company's assets through the development of an IT governance model.
3. All users and their activity should be uniquely identifiable and monitored.
4. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
5. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

III. PERFORMANCE COMPARISONS OF VARIOUS FIREWALLS

In spite of the exponential rise in firewall deployment, no standard method of firewall performance evaluation is prevalent in the market. The primary reason for this is that
firewall implementations vary widely, making it difficult to carry out direct performance comparisons. As more and more organizations deploy firewalls on their networks, the question arises whether the products they buy will stand up to and sustain relatively heavy loads.

A. Performance Testing Setup

In order to characterize the performance of a firewall, the testing environment shown in Fig. 3 is used to compare the performance of the three most widely deployed firewalls in the market.

Fig. 3 Setup diagram for performance testing.

Test traffic is generated using an open-source tool called Curl-Loader. Curl-Loader is capable of simulating the application behaviour of hundreds of thousands of HTTP/HTTPS clients, each with its own source IP address. The performance of the System Under Test (SUT) is measured with the necessary laboratory traffic, generated with the gateway in the middle, under various scenarios.

TABLE II
SUT CONFIGURATIONS

System Under Test – Firewall Products

Firewall Configurations           Cisco ASA                  Checkpoint (CP) SPLAT                  OpenBSD PF
Platform                          Cisco ASA-5580             HP DL 380                              HP DL 380
Operating System                  ASA V 8.2.2, ASDM 6.2.5    SPLAT 2.4, Checkpoint NGX R65 HFA 50   Free BSD
Product Architecture *            Multi-processor, Multi-core
Processing Cores *                8
Gigabit Ethernet Interfaces *     0
10 Gigabit Ethernet Interfaces *  4

* The source gives a single value for this row rather than one per product.

B. Performance Testing Results

Some of the major Key Performance Indicators (KPIs) given in Table III are explored in order to compare the performance of three of the most widely used firewall products in the market today [7-10].

TABLE III
PERFORMANCE TEST RESULTS

System Under Test – Firewall Products

Key Performance Indicators (KPI)               Cisco ASA     CP SPLAT      OpenBSD PF
Firewall Licensing                             Proprietary   Proprietary   BSD
Application Intelligence                       Yes           Yes           No
Firewall Management                            Local         Centralized   Local
HTTP Throughput (Gbps)                         10.6          5.6           4.5
TCP Throughput (Gbps) (object size = 512 KB)   18.6          14.2          10.2
Concurrent Connections                         200K          250K          500K
UDP Throughput (Gbps) (object size = 512 KB)   8             4             7
Connections per Second                         160K          68K           180K

Fig. 4 Throughput and connections comparison.

1) Firewall Licensing: The purpose of licensing is to ensure authorized use of the product. Cisco's license structure is mainly per connection, whereas Checkpoint's is mainly per protected host. Compared with both, OpenBSD PF comes with the BSD licence, which is the most cost-effective.

2) Firewall Management: The criterion for comparison is ease of firewall management in a distributed firewall environment. Checkpoint has a very functional GUI and is more user-friendly than Cisco. Checkpoint provides centralized policy management, which can be applied to a set of firewalls with similar access requirements, whereas Cisco and PF firewalls can only be managed locally.

3) Application Intelligence: This is the ability of a firewall to filter packets based on application-layer intelligence. Cisco and Checkpoint both use stateful inspection technologies for
filtering traffic, whereas the PF firewall provides limited layer 7 intelligence.

4) HTTP Throughput: This is the maximum offered HTTP load, expressed in either bits per second or packets per second, at which no packet loss is detected. The goal of this test is to characterize the performance of the SUT when deployed to protect a high-performance web-based application. Cisco outperformed the other firewalls in real-world HTTP performance tests (see Fig. 4).

5) TCP Throughput: This is the maximum offered TCP load, expressed in either bits per second or packets per second, at which no packet loss is detected. This test allows a better understanding of how the firewall will perform in highly transactional environments such as streaming media. The test included opening a TCP connection, transferring an object using HTTP and closing the TCP connection, with an object size of 512 KB. Cisco again outperformed the other firewalls with the highest obtained TCP throughput (see Fig. 4).

6) Concurrent Connections: This is the aggregate number of simultaneous connections between hosts across the SUT, i.e. the number of connections handled by the firewall at the same time. It is a critical aspect of data centre firewall implementations, as it directly affects the ability to deploy large-scale applications.

7) UDP Throughput: Though it seems paradoxical, connectionless protocols such as UDP may also involve connections, at least for the purposes of firewall performance measurement. For example, one host may send UDP packets to another across a firewall. If the destination host is listening on the correct UDP port, it receives the UDP packets; otherwise an ICMP port unreachable message is returned. For the purposes of firewall performance measurement, this exchange is considered a connection. The test measured UDP throughput using 512 KB objects sent over UDP with the QCheck application tool. Cisco and PF stand at par, both showing good performance.

8) Connections per Second: This is the number of new connections handled per second. It is a very important criterion and may render an otherwise high-throughput firewall useless in production environments. It is also relevant when defending against denial of service (DoS) attacks.

C. Deviation from Data Sheets

For the configuration used in the testing setup, Cisco reports achieving up to 10 Gbps of real-world HTTP firewall throughput and 150,000 connections per second [11]. The results shown in Fig. 4 agree with this. In fact, we were able to achieve 10.2 Gbps HTTP throughput with real-world traffic and around 160,000 connections per second, which is slightly better than the performance reported by Cisco.

In comparison, Checkpoint reports achieving up to 12 Gbps of maximum HTTP throughput [12]. However, Checkpoint recommends IBM systems for achieving maximum throughput, and also notes that throughput may vary depending on hardware. In our testing setup, we were able to achieve 5.6 Gbps throughput with the HP hardware platform.

OpenBSD also notes that the performance of the PF firewall varies with the hardware platform, the performance of the system bus, the efficiency of the network card and the type of application [13]. PF runs in the kernel and therefore does not use swap space, so its performance degrades with smaller RAM sizes. In our laboratory setup, we were able to achieve 4.5 Gbps HTTP throughput with the HP hardware platform. However, to the best of the authors' knowledge, exact UDP and TCP throughput figures are not specified in the product literature. In the testing setup, an attempt was made to generate different traffic patterns to measure and compare performance. The UDP throughput and concurrent connections obtained for the PF firewall were impressive and showed a good rise compared with its HTTP throughput.

IV. SECURITY COMPARISONS OF VARIOUS FIREWALLS

The testing objective in this study is to observe and compare the behaviour of each firewall under adapted and common attack methods. We have broken the attacks down into two groups: discovery and penetration. The discovery group establishes or verifies the actual location of the target device. The penetration group observes the defensive measures of each firewall [14-16].

A. Security Testing Setup

The overall testing setup is developed from the perspective of an outside intruder and is shown in Fig. 5. Because of this, our protected network provided public access to itself as a means of establishing a gateway. We placed an FTP server inside the network and gave the outside world (Source: Any) access to it. This gave the outside intruder a legitimate means of knowing the IP address of the FTP server.

Fig. 5 Setup diagram for security testing.

The aim of this setup is to simulate a condensed, real-world corporate network layout. The access lists of all three SUT firewalls permit WWW traffic to pass out on port 80 while at the same time allowing FTP to pass in on port 21. For security testing, we used an application called NetWag. Each test is performed by opening NetWag, selecting the respective test and entering the target IP address of our SUT. The firewall configurations are the same as those used for performance testing, shown in Table II. Brief descriptions of the various tests conducted to verify the firewall's ability to identify common attack types and block the intruder are listed in Table IV.
TABLE IV
SECURITY TEST DESCRIPTION

Test Group    Test Type         Purpose
Discovery     Network Sniffer   Discover the target IP address and the protocols used on the target network.
Discovery     Trace route       Locate the target device and all intermediate routers, switches and systems.
Penetration   Synflood          Check if the firewall can withstand repeated open connection requests and also log the attack.
Penetration   Garbage           Check if the firewall can withstand random data packets on random ports.
Penetration   UDP Ping          Check if the firewall can withstand a large UDP ping packet sent to it.
Penetration   TCP Ping          Check if the firewall can withstand a large TCP ping packet sent to it.
Penetration   Ping of Death     Check if the firewall can withstand a single over-sized packet sent to it.

B. Security Testing Results

Regardless of which port the attack used, with stateful packet inspection activated all three test firewalls demonstrated good resistance and blocked all attack transmissions in every test conducted in this study. All of them also continued to allow the proper connections that were not considered attacks during the tests, and effectively blocked the offending outgoing and incoming packets. OpenBSD PF has all the features one might expect from an open-source firewall. It has the power and potential of Cisco ASA and Checkpoint SPLAT at a lower cost. It also keeps detailed text log files for each attack, which are fairly easy to read, but it does not provide any type of graphical analysis of the logged attacks, which Cisco and Checkpoint do. OpenBSD PF also performs stateful or stateless packet inspection, remembers sessions, and modulates session state to help prevent data connections from being hijacked.

V. CONCLUSIONS

In this paper, we have attempted to evaluate the performance of the major operational firewalls in the market today. With the increasing importance of network security in any organization, we have summarized the major regulatory compliance requirements and the need for efficient, clean and robust firewall configuration and management. To the best of the authors' knowledge, most currently undertaken and reported research work on firewalls has been carried out theoretically and lacks practical implementation. We have attempted to compare the performance of various firewalls based on practical implementation. The comparison of firewalls presented in this paper will also help in selecting the right vendor at the time of procurement.

The performance testing results clearly indicated that Cisco ASA provides better performance and Checkpoint SPLAT provides better functionality. OpenBSD PF also proves to be the best open-source solution if cost is the deciding factor. Checkpoint provides better firewall management, with centralized policy management and a better user interface than Cisco and PF. The security testing results indicated that all three firewalls demonstrated basic intrusion detection capability and blocked transmissions against common attack types. Choosing the right firewall depends on the needs of the business and network. Cisco ASA is one of the best choices for large corporate networks. For complex production networks which demand high protection, Checkpoint SPLAT has an edge over Cisco. PF is one of the best inexpensive open-source solutions and provides performance competitive with proprietary products, but lacks application-layer intelligence.

The authors also recommend that the benchmark that counts for system performance is the network environment. A benchmark that does not replicate the exact network environment will not properly help in planning a firewall system. The best benchmark is to set up network conditions as close as possible to those the actual firewall would experience.

REFERENCES

[1] M. G. Gouda and A. X. Liu, "A Model of Stateful Firewalls and Its Properties," Proc. IEEE Int'l Conf. Dependable Systems and Networks (DSN), pp. 128-137, June 2005.
[2] M. Yoon, S. Chen, and Z. Zhang, "Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls," IEEE Transactions on Computers, vol. 59, no. 2, pp. 218-230, Feb. 2010.
[3] R. Ritchey, B. O'Berry, and S. Noel, "Representing TCP/IP connectivity for topological analysis of network security," Proc. IEEE Computer Security Applications Conference, pp. 25-31, 2002.
[4] PCI Data Security Standard (PCI DSS), Payment Card Industry Security Standards Council, 2006, www.pcisecuritystandards.org/
[5] Control Objectives for Information and Related Technology (CobiT), IT Governance Institute (ITGI), 1992-2008, www.cobit.org
[6] International Organization for Standardization (ISO), ISO 27002, www.27000.org/iso-27002.htm
[7] D. Newman, "Benchmarking Terminology for Firewall Performance," IETF RFC 2647, August 1999.
[8] M. G. Gouda and A. X. Liu, "Firewall Design: Consistency, Completeness and Compactness," Proc. Int'l Conf. Distributed Computing Systems (ICDCS '04), pp. 320-327, Mar. 2004.
[9] A. X. Liu and M. G. Gouda, "Diverse Firewall Design," Proc. IEEE Int'l Conf. Dependable Systems and Networks (DSN '04), pp. 595-604, June 2004.
[10] H. Hamed, A. El-Atawy, and E. Al-Shaer, "On Dynamic Optimization of Packet Matching in High Speed Firewalls," IEEE J. Selected Areas in Comm., vol. 24, no. 10, pp. 1817-1830, Oct. 2006.
[11] Cisco Systems Inc., Cisco ASA 5500 Series Security Appliances, http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
[12] Check Point Technologies Ltd., NGX R65 Security Platform, http://www.checkpoint.com/press/2007/r65unifiedsecurity.html
[13] PF: The OpenBSD Packet Filter, http://www.openbsd.org/faq/pf/
[14] L. M. Garcia, "Programming with Libpcap – Sniffing the network from our own application," Hakin9 Magazine, pp. 38-46, February 2008.
[15] A. Bremler-Barr and H. Levy, "Spoofing Prevention Method," Proc. 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), vol. 1, pp. 536-547, 2005.
[16] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, and P. Mohapatra, "FIREMAN: A Toolkit for Firewall Modeling and Analysis," Proc. IEEE Symposium on Security and Privacy, pp. 199-213, 2006.
