Network security's need for speed


If the turnout for Network World's "Security Showdown" a few weeks ago at ComNet 2001 is any indicator, many people have network security on their minds. A question I put to Check Point about the performance of software-based security appliances went essentially unanswered.

Networking today is all about broadband - for the campus and the metropolitan-area network, if not beyond. Fast Ethernet is now the "small" pipe with Gigabit and soon 10G Ethernet sliding into the "medium" and "large" categories, respectively. While a savvy network designer may wonder how firewalls and VPNs might deal with 10G Ethernet, I propose we take a step back and ask that same question about Fast Ethernet. The answer for many systems is: They drop packets - a lot of packets.

The majority of network security systems today essentially are software systems. Just like last-generation software routers, traffic from the network is fed "up" into the system where software under the control of a main processor inspects, encrypts or decrypts the traffic before passing it to the network.

This is just like a software router - only worse. Firewall and security devices typically expend more resources per packet and, consequently, can get into a processing bind even when handling a small number of network interfaces.

While conducting extensive benchmarks of VPN/firewall Fast Ethernet throughput last year, Tolly engineers got an earful from vendors when we determined that "enterprise-class" firewalls should be held to the same performance standards as Layer 2/Layer 3 switches. We soon found out why.

When internetworking gear drops packets, its value to the network takes a steep decline. Even one dropped packet causes sharp increases in session latency, as the end station must wait for the lost packet and, when it fails to arrive, initiate a retransmission sequence. For this reason, we terminate our "no loss" tests as soon as packet loss exceeds .001% of the offered load.

When we attempted to benchmark a number of security platforms to determine their performance levels handling bidirectional traffic, we got stopped in our tracks. In several cases, we couldn't even get a reading. Even with only one megabit of traffic offered across a Fast Ethernet IP Security VPN tunnel, more than one packet was getting discarded.

The vendors' response, in effect, was: "The bar is too high." Not only did they suggest using only unidirectional traffic, but they also recommended we tolerate a higher frame loss. A common non sequitur was that because the Internet exhibits greater than .001% packet loss, our tests should accept similar loss. Even 1% packet loss means tolerating almost 1,500 lost packets each second, each way, on full-duplex Fast Ethernet.
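The arithmetic behind the .001% stop rule and the "almost 1,500 lost packets each second" figure, as an added example (not from the column or The Tolly Group). It assumes 64-byte minimum Ethernet frames with an 8-byte preamble and a 12-byte inter-frame gap, which is where the line-rate frame count comes from.

```python
# Added example: loss-budget arithmetic behind a "no loss" throughput test.
# Assumptions (not from the column): 64-byte minimum Ethernet frames,
# 8-byte preamble and 12-byte inter-frame gap, so each frame occupies
# 84 bytes = 672 bit-times on the wire.

PREAMBLE_BYTES = 8
IFG_BYTES = 12
NO_LOSS_THRESHOLD = 0.00001  # .001% of offered load, the column's stop rule
FAST_ETHERNET_BPS = 100_000_000


def max_frames_per_second(link_bps: int, frame_bytes: int = 64) -> int:
    """Line-rate frame count for ONE direction of a link."""
    wire_bits = (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8
    return link_bps // wire_bits


def lost_frames_per_second(link_bps: int, loss_fraction: float,
                           frame_bytes: int = 64) -> float:
    """Frames discarded per second, per direction, at a given loss rate."""
    return max_frames_per_second(link_bps, frame_bytes) * loss_fraction


def no_loss_test_passes(offered: int, received: int) -> bool:
    """Apply the stop rule: loss above .001% of offered load ends the run."""
    if offered <= 0 or received < 0 or received > offered:
        raise ValueError("received must lie in 0..offered and offered > 0")
    loss = (offered - received) / offered
    return loss <= NO_LOSS_THRESHOLD


if __name__ == "__main__":
    # Full-duplex Fast Ethernet: the 1% figure the vendors asked us to accept.
    per_dir = lost_frames_per_second(FAST_ETHERNET_BPS, 0.01)
    print(f"1% loss at 100 Mbit/s: {per_dir:.0f} frames/s lost, each way")

    # The 1 Mbit/s IPSec tunnel case: one drop per second already fails.
    offered = max_frames_per_second(1_000_000)
    print(f"1 Mbit/s offered: {offered} frames/s; one drop/s passes? "
          f"{no_loss_test_passes(offered, offered - 1)}")
```

Run it to see that a single dropped frame per second at 1 Mbit/s offered load is already more than sixty times the .001% threshold.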

Security system vendors are aware of this situation. Just as ASIC-based switches fought and prevailed in enterprise and service-provider backbones, the software vs. hardware fight is now on in the security arena. Any network manager looking to secure true high-performance networks had better take heed.

Kevin Tolly is president and CEO of The Tolly Group. Reach him via e-mail at ktolly@tolly.com.
