Firewall testing solution

1. Program summary

1.1 Firewall

With the opening of the network security market, more and more companies have joined the ranks of network security software and hardware developers, and firewalls of many kinds have appeared on the market. Their basic principle is to control which source and destination addresses may communicate, and thereby protect the hosts behind them. Whether that goal is actually reached, whether the firewall runs stably while enforcing a strict policy, and whether every rule is executed accurately and without error can only be established by rigorous testing and inspection. Only through such inspection can the security of the core systems and hosts be guaranteed, so testing is an essential part of firewall product evaluation.

A firewall inspects the data flows generated by the protocols at the various layers of the Open Systems Interconnection (OSI) model. To know what kind of firewall you are dealing with, the key question is which OSI layer it works at. The higher the layer at which a firewall operates, the more of each packet it examines; consequently it consumes more processor cycles per packet, and the higher the level of protection it can provide.

According to the different filtering levels of firewalls in the network protocol stack, firewalls are usually divided into three types: packet filtering firewalls, circuit-level gateway firewalls, and application-level gateway firewalls.

At present, after several generations of development, firewall technology mainly comprises IP packet filtering, application proxying, stateful inspection packet filtering, NP (network processor) based forwarding and so on.

Evaluating a firewall system and testing a firewall device are mainly conducted from four aspects: security function, security assurance, environmental adaptability and performance requirements. Security function requirements specify the security functions the firewall must provide, including network layer control, application layer control, and secure operation and maintenance management. Security assurance requirements specify the content of the firewall's development and usage documentation, such as configuration management, delivery and operation, and development and guidance documents. Environmental adaptability requirements cover the deployment modes and application environments the firewall must support. Performance requirements specify the performance indicators the firewall should achieve, including throughput, latency, maximum number of concurrent connections and maximum connection rate.

The Xinertai test instrument can provide a comprehensive test for packet filtering firewalls and a partial test solution for application-level gateway firewalls.

1.2 Test solution positioning

Figure 1: BigTao network tester

Figure 2: DarYu network tester

The BigTao series is positioned for layer 2-3 network test scenarios, such as:
· Broadband access products (PON, EOC, xDSL, etc.): product and network testing;
· Data switching products (switches, routers, PoE switches, packet core networks, etc.): product and network testing.

The DarYu series not only covers the traffic test and protocol simulation functions of the BigTao products, but also performs strongly in performance tests of layer 4-7 application protocols. It can run function and performance tests against application layer devices and application servers, and supports the large-scale playback function (SPE). It is positioned for layer 2-7 network test scenarios, such as:
· Firewall products and network testing;
· Application server products and network testing;
· Application layer simulation and security testing of IDS, VPN and load balancing equipment;
· Complex protocol testing for industrial communications and other specialised industries.

1.3 Main advantages

· Abundant port rates: 10M/100M/100M, GE/2.5G/5G/10G/25G/40G/50G/100G
· Leading position in large-scale production testing: its powerful automated test suites give communication equipment manufacturers the industry's highest test efficiency and reliable test stability. Xinertai is a mainstream supplier of manufacturing test solutions to Huawei, ZTE, H3C, Fiberhome, Bell, Ruijie and others.
· R&D function and performance testing: the best test cost-performance ratio, helping network communication equipment manufacturers reduce research and development costs.
· Highly customizable: customized test solutions are provided, so customers can find test products and solutions that fit their own needs at Xinertai.

1.4 Function introduction

The instrument performs Ethernet layer 2-7 traffic testing and protocol simulation, so it can quickly and comprehensively evaluate the performance of network equipment: RFC2544, RFC2889 and RFC3918 benchmark tests, routing simulation and capacity tests, and application layer performance tests of new connections per second, concurrent connections and throughput.

The playback function SPE (Scalable Playback Emulation) supports playback from Pcap files and playback driven by live traffic, which more comprehensively and effectively covers users' testing of application layer services.

The following protocol simulations and performance tests are supported:
· Routing: RIPv1/v2, OSPFv2/v3, IS-IS (IPv4/IPv6), BGP/BGP+, LDP/L3VPN, L2VPN;
· Access: PPPoE client/server, DHCPv4 client/server, DHCPv6 client/server, L2TPv2, DHCPv6-PD client/server, 802.1X, IPv6 autoconfiguration;
· Multicast: IGMPv1/v2/v3, MLDv1/v2, IGMP/MLD querier, PIM-SM;
· Data center: VXLAN, OpenFlow, OVSDB, EVPN;
· Ethernet: 802.3ah, 802.1ag;
· L4-7: HTTP, HTTPS, FTP, TCP, SIP, DNS, Mail, SSH, TFTP, Telnet, UDP;
· Playback: HTTP, CIFS, DNS, SIP, TELNET, POP3, SMTP, GTP, FTP, RADIUS, NFS, LDAP, FIX, MySQL, NTP, Syslog, Exchange, etc.

2. Test plan

This plan covers the three aspects of firewall equipment testing that matter most: security function testing, environmental adaptability requirements and performance requirements.

2.1 Safety function test

Security function testing is the functional testing of the firewall device to verify the completeness of the functions it claims to support. It is approached from three directions: the degree of network layer function support, the degree of application layer protocol support, and security testing.

2.1.1 Network layer control

The network layer control function of a firewall is the filtering, analysis and management of layer 2-3 traffic flowing through the firewall, by which security access restrictions are enforced. It also includes the routing function that a layer 2/3 device should provide, NAT translation, and stateful inspection.
The Xinertai test instrument can test the firewall's network layer functions, including but not limited to the following items:

[Table from the original page (image not reproduced): network layer test items]

2.1.2 Application layer protocol control

An application layer firewall should support common application layer protocols such as HTTP, TELNET and FTP, and provide application layer functions such as application content access control and user control.

The Xinertai test instrument can test the firewall's application layer functions, including but not limited to the following items:

[Table from the original page (image not reproduced): application layer test items]

2.1.3 Security test

When correctly configured by an authorized administrator, a firewall should be able to resist most attacks against the protected internal network and against itself; that is, it should be able to detect attacks such as IP address spoofing, ICMP attacks, IP fragmentation attacks, DoS (denial of service) attacks, password probing and email fraud. The firewall should be able to defend against external security threats (intrusion detection) so as to protect the internal network. At the same time it should record security event logs, alert the administrator, and cut off the connection to the source of the security event.

The Xinertai test instrument can generate the following attack types to verify the firewall's anti-denial-of-service functions:
IP address spoofing attacks, ICMP attacks, IP fragmentation attacks, DoS (denial of service) attacks (ICMP flood, UDP flood, SYN flood, Teardrop, Land, oversized ICMP packets), etc.
*Virus-sample (virus database) attack traffic is not currently supported; support can be added in the future according to project needs.
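The attack classes listed above are the ones the firewall under test must recognise. The following is an added example, not code from the page or from the Xinertai product, showing the detection logic a tester would expect the device to apply, run over a constructed set of packet records. Every address range, packet, threshold and field name here is an assumption made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: the protected (internal) side of the firewall uses this range.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def is_spoofed_ingress(pkt):
    """IP address spoofing: a packet arriving on the external interface whose
    source claims to belong to the protected network (ingress filtering)."""
    src = ipaddress.ip_address(pkt["src"])
    return pkt["iface"] == "external" and any(src in net for net in INTERNAL_NETS)


def is_land(pkt):
    """Land attack: source and destination address and port are identical."""
    return pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport")


def is_oversized_icmp(pkt):
    """Oversized ICMP: the reassembled datagram would exceed the IPv4 limit of 65535 bytes."""
    return pkt["proto"] == "icmp" and pkt.get("total_len", 0) > 65535


def fragments_overlap(fragments):
    """Teardrop-style fragmentation attack: fragment byte ranges that overlap."""
    end = -1
    for frag in sorted(fragments, key=lambda f: f["offset"]):
        if frag["offset"] < end:
            return True
        end = frag["offset"] + frag["length"]
    return False


def syn_flood_targets(packets, window_s=1.0, threshold=50):
    """SYN flood: more bare SYNs to one destination within a window than the threshold."""
    buckets = defaultdict(int)
    for p in packets:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            buckets[(p["dst"], int(p["t"] // window_s))] += 1
    return sorted({dst for (dst, _), n in buckets.items() if n > threshold})


def classify(pkt):
    """Return the list of attack labels that apply to a single packet record."""
    labels = []
    if is_spoofed_ingress(pkt):
        labels.append("ip-spoofing")
    if is_land(pkt):
        labels.append("land")
    if is_oversized_icmp(pkt):
        labels.append("oversized-icmp")
    if "fragments" in pkt and fragments_overlap(pkt["fragments"]):
        labels.append("teardrop")
    return labels


# Constructed sample packets (RFC 5737 documentation addresses), one per case.
SAMPLE_PACKETS = [
    {"id": 1, "t": 0.0, "iface": "internal", "src": "192.168.1.5", "sport": 40000,
     "dst": "198.51.100.7", "dport": 80, "proto": "tcp", "flags": "S"},
    {"id": 2, "t": 0.1, "iface": "external", "src": "192.168.1.9", "sport": 1234,
     "dst": "192.168.1.5", "dport": 22, "proto": "tcp", "flags": "S"},
    {"id": 3, "t": 0.2, "iface": "external", "src": "203.0.113.5", "sport": 139,
     "dst": "203.0.113.5", "dport": 139, "proto": "tcp", "flags": "S"},
    {"id": 4, "t": 0.3, "iface": "external", "src": "198.51.100.9",
     "dst": "203.0.113.5", "proto": "icmp", "total_len": 66000},
    {"id": 5, "t": 0.4, "iface": "external", "src": "198.51.100.9",
     "dst": "203.0.113.5", "proto": "udp",
     "fragments": [{"offset": 0, "length": 1480}, {"offset": 1400, "length": 400}]},
] + [
    # 60 bare SYNs within one second to a single host: a constructed SYN flood.
    {"id": 100 + i, "t": i / 100, "iface": "external", "src": f"198.51.100.{10 + i % 50}",
     "sport": 50000 + i, "dst": "203.0.113.20", "dport": 443, "proto": "tcp", "flags": "S"}
    for i in range(60)
]


def run_checks(packets=SAMPLE_PACKETS):
    """Classify every packet and report SYN-flood targets across the capture."""
    return {
        "per_packet": {p["id"]: classify(p) for p in packets},
        "syn_flood_targets": syn_flood_targets(packets),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

The checks are deliberately stateless except for the SYN-flood window, which is the minimum state a device needs to tell a burst of connection attempts from a flood; a real firewall would also track whether each SYN was followed by an ACK.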

2.2 Environmental adaptability requirements

2.2.1 Transmission mode

A firewall is a hardware device deployed in a network to strengthen its security protection. There are several deployment modes, including bridge mode, gateway mode and NAT mode.

1. Bridge mode
Bridge mode is also called transparent mode. The simplest network consists of a client and a server on the same network segment. For security reasons a firewall is inserted between the client and the server to control the traffic passing through. A normal client request reaches the server through the firewall and the server's response returns to the client the same way, so users do not notice the intermediate device. A firewall working in bridge mode has no IP address of its own; when the network is expanded there is no need to re-plan addresses, but functions such as routing and VPN are given up.

2. Gateway mode
Gateway mode suits the case where the internal and external networks are not on the same segment. The firewall is configured as the gateway address, takes on the role of the router, and routes and forwards between the different segments. Gateway mode offers higher security than bridge mode: it isolates the segments while performing access control, and gives a degree of privacy.

3. NAT mode
NAT (Network Address Translation) uses the firewall to translate internal IP addresses: the source address of outbound traffic is replaced with the firewall's own IP address before it is sent to the external network, and when the response traffic from the external network arrives back at the firewall, the destination address is replaced with the original internal source address. In NAT mode the external network cannot see internal IP addresses directly, which further strengthens the protection of the internal network. At the same time the internal network can use private addresses, which relieves the shortage of public IP addresses.
For these functional tests the Xinertai test instrument supports each mode and allows the corresponding data flows to be edited and forwarded, so that the firewall's support for each mode can be verified.

[Table from the original page (image not reproduced): transmission mode test items]
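To make the NAT mode behaviour described above concrete, here is an added example, not code from the page or from the Xinertai product: a minimal source-NAT table that rewrites outbound source addresses to the firewall's public address, maps replies back to the internal host, and drops unsolicited inbound packets. The addresses, port range and packet fields are assumptions made for the example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatFirewall:
    """Source NAT (masquerade) table keyed on the full outbound 4-tuple."""

    def __init__(self, public_ip, port_range=(40000, 50000)):
        self.public_ip = public_ip
        self._ports = itertools.count(port_range[0])
        self._port_limit = port_range[1]
        # (int_ip, int_port, dst_ip, dst_port) -> public port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (int_ip, int_port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Rewrite the source of an internal packet to the firewall's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._ports)
            if port >= self._port_limit:
                raise RuntimeError("NAT port pool exhausted")
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_inbound(self, pkt):
        """Map a reply back to the internal host; None means no session, so drop it."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def run_nat_mode_check():
    """Constructed scenario: one internal client, one external server, one probe."""
    fw = NatFirewall("203.0.113.10")
    request = Packet("192.168.1.20", 51000, "198.51.100.5", 80, b"GET / HTTP/1.1")
    outbound = fw.translate_outbound(request)
    # The server only ever sees the firewall's address and port.
    reply = Packet("198.51.100.5", 80, outbound.src_ip, outbound.src_port, b"HTTP/1.1 200 OK")
    delivered = fw.translate_inbound(reply)
    # A second packet of the same flow must reuse the same mapping.
    again = fw.translate_outbound(request)
    # A different flow from the same host gets its own public port.
    other = fw.translate_outbound(Packet("192.168.1.20", 51001, "198.51.100.5", 443))
    # An unsolicited packet from outside has no table entry and is dropped.
    probe = fw.translate_inbound(Packet("198.51.100.5", 80, "203.0.113.10", 45678, b"probe"))
    return {
        "external_sees": (outbound.src_ip, outbound.src_port),
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port),
        "same_flow_port": again.src_port,
        "other_flow_port": other.src_port,
        "unsolicited_dropped": probe is None,
    }


if __name__ == "__main__":
    print(run_nat_mode_check())
```

A tester verifying NAT mode would drive exactly these three cases from the instrument: a normal request/response pair, a repeated packet of an existing session, and an inbound packet with no matching session, and check that only the first two are forwarded.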

2.2.2 Next Generation Internet Support

The biggest problem of IPv4 is its limited address space, which severely restricts the application and development of the Internet. IPv6 not only solves the shortage of network addresses but also removes the barriers that keep large numbers of access devices from connecting to the Internet. As an important network security device, a firewall must support IPv6. IPv6 testing can cover the degree of support for the various protocols in a pure IPv6 network, protocol robustness, and support for the IPv4-to-IPv6 transition environment, to ensure that the firewall can be deployed smoothly and stably in an IPv6 network.

The Xinertai test instrument can test the firewall's IPv6 support, including but not limited to the following items:

[Table from the original page (image not reproduced): IPv6 support test items]

2.3 Performance requirements

With ever higher information security requirements, firewalls have become an indispensable network element. However, the main job of a firewall in the network is not to forward packets but to inspect them and enforce access control, so its presence inevitably affects normal network use by the users it protects. The performance indicators for measuring a firewall mainly include throughput, packet forwarding rate, maximum number of concurrent connections, number of new connections per second, forwarding latency and jitter.
For firewall performance testing, the Xinertai test instrument provides test schemes at three levels: network layer, transport layer and application layer.

2.3.1 Network layer

The firewall network layer forwarding performance tests mainly follow RFC2544 and RFC3511. RFC2544 is an international standard published by the IETF for evaluating network interconnect devices (firewalls, IDS, switches, etc.); it specifies in detail the test methods for each performance parameter and the format in which results are reported.

RFC3511 gives detailed rules for the test methods and reporting format of firewall performance parameters specifically. For the network layer it mainly specifies the test methods for IP throughput and latency.

RFC2544 mainly includes the following four test items:

• Throughput: the maximum rate at which the device under test forwards frames without any loss.
• Frame loss rate: at a given load, the percentage of frames that should have been forwarded but were dropped for lack of resources.
• Latency: reflects how quickly the device under test processes packets.
• Back-to-back: reflects the ability of the device under test to handle bursts (its buffering capacity).

The firewall forwarding performance test program provided by Xinertai has the following contents:

• Test content: throughput, latency, frame loss rate, back-to-back;
• Test topology: 1-to-1, 1-to-many, backbone, full mesh and other topologies;
• Features: simple configuration, multiple test items run in sequence, fully automatic execution;
• Test report: a detailed, standard test report that can be saved in PDF or XLS format.

The forwarding performance tests that the Xinertai test instrument can run include but are not limited to the following:

[Table from the original page (image not reproduced): forwarding performance test items]
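The throughput, frame loss rate and back-to-back items described above are each defined by RFC2544 as a search or sweep over offered load. The following added example, not code from the page or from the Xinertai product, implements those three procedures against a toy device model so the search logic can be seen end to end. The device model (a fixed forwarding capacity plus a small absorb buffer), the line rate, the trial duration and the search resolution are all assumptions made for the example; the real latency test needs timestamps and is not modelled.

```python
class SimulatedDut:
    """Toy device under test (constructed): forwards at most capacity_fps frames
    per second and can absorb up to buffer_frames of excess before dropping."""

    def __init__(self, capacity_fps, buffer_frames):
        self.capacity_fps = capacity_fps
        self.buffer_frames = buffer_frames

    def trial(self, offered_fps, duration_s):
        """Return (frames sent, frames received) for a constant-rate trial."""
        sent = offered_fps * duration_s
        received = min(sent, self.capacity_fps * duration_s + self.buffer_frames)
        return sent, received

    def burst(self, frames, line_rate_fps):
        """Frames received when `frames` are sent back-to-back at line rate."""
        absorbed = self.capacity_fps * frames / line_rate_fps + self.buffer_frames
        return min(frames, absorbed)


def throughput(dut, line_rate_fps, duration_s=60, resolution_fps=100):
    """RFC2544 throughput: binary search for the highest zero-loss rate."""
    lo, hi = 0.0, float(line_rate_fps)
    sent, received = dut.trial(hi, duration_s)
    if received >= sent:
        return hi  # the device forwards at line rate
    while hi - lo > resolution_fps:
        mid = (lo + hi) / 2
        sent, received = dut.trial(mid, duration_s)
        if received >= sent:
            lo = mid
        else:
            hi = mid
    return lo


def frame_loss_rate(dut, line_rate_fps, duration_s=60, step_pct=10):
    """RFC2544 frame loss rate: sweep down from 100% of line rate in steps and
    stop after two consecutive zero-loss trials. Returns {percent: loss_percent}."""
    results = {}
    zero_loss_streak = 0
    pct = 100
    while pct > 0:
        sent, received = dut.trial(line_rate_fps * pct / 100, duration_s)
        loss = (sent - received) * 100 / sent
        results[pct] = loss
        zero_loss_streak = zero_loss_streak + 1 if loss == 0 else 0
        if zero_loss_streak == 2:
            break
        pct -= step_pct
    return results


def back_to_back(dut, line_rate_fps, max_burst=1_000_000):
    """RFC2544 back-to-back: longest line-rate burst forwarded without loss."""
    if dut.burst(max_burst, line_rate_fps) >= max_burst:
        return max_burst
    lo, hi = 0, max_burst
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if dut.burst(mid, line_rate_fps) >= mid:
            lo = mid
        else:
            hi = mid
    return lo


def run_rfc2544(capacity_fps=600_000, buffer_frames=1_000, line_rate_fps=1_000_000):
    """Run the three procedures against a constructed device and collect a report."""
    dut = SimulatedDut(capacity_fps, buffer_frames)
    return {
        "throughput_fps": throughput(dut, line_rate_fps),
        "frame_loss_pct": frame_loss_rate(dut, line_rate_fps),
        "back_to_back_frames": back_to_back(dut, line_rate_fps),
    }


if __name__ == "__main__":
    for key, value in run_rfc2544().items():
        print(key, value)
```

The absorb buffer in the model is why RFC2544 asks for trials of at least 60 seconds: with a short trial the buffer hides a small sustained overload and the throughput result comes out too high, which is exactly the kind of artefact a tester has to rule out.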

2.3.2 Transport layer

For the evaluation of the firewall's transport layer performance, the RFC3511 standard specifies the test plan and report format for three performance parameters: maximum number of concurrent TCP connections, maximum TCP connection establishment rate, and maximum TCP connection teardown rate.
• The number of concurrent TCP connections of a firewall is the maximum total number of TCP connections that can be maintained simultaneously between hosts on either side of the device under test, or between a host and the device itself. It mainly reflects the device's ability to maintain many sessions.
• The maximum TCP connection establishment rate of a firewall is the highest rate of connection requests at which the device under test still successfully establishes every requested connection. It mainly reflects the device's real-time responsiveness to connection requests.
• The maximum TCP connection teardown rate of a firewall is the highest rate at which connections can be torn down while the device under test still completes every teardown. This parameter generally has little effect on firewall performance.

The Xinertai test instrument can test the firewall's transport layer performance, including but not limited to the following:

[Table from the original page (image not reproduced): transport layer performance test items]

2.3.3 Application layer

For the evaluation of the firewall's application layer performance, the RFC3511 standard specifies the test plan and report format for two performance parameters: HTTP transfer rate and maximum HTTP transaction rate.
• The HTTP transfer rate of a firewall is also called application layer throughput (goodput). For a given number of established and concurrent connections, the amount of application data carried by each message largely determines the application layer forwarding capacity.
• The maximum HTTP transaction rate test aims to find the highest rate at which users can fetch objects through the device under test.
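Both the transport layer parameters of section 2.3.2 (concurrent connections, establishment and teardown rates) and the goodput of section 2.3.3 are derived from the same raw material: a timestamped record of connection events produced by the tester. The following added example, not code from the page or from the Xinertai product, parses a constructed event log of that kind and computes those metrics. The log format, the field names and the sample events are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: five connection attempts; conn 4 never completes the
# handshake, three data transfers carry application payload.
SAMPLE_LOG = """
t=0.000 conn=1 SYN
t=0.002 conn=1 ESTABLISHED
t=0.100 conn=2 SYN
t=0.103 conn=2 ESTABLISHED
t=0.500 conn=3 SYN
t=0.504 conn=3 ESTABLISHED
t=0.900 conn=4 SYN
t=1.200 conn=1 DATA bytes=15000
t=1.300 conn=1 FIN
t=1.400 conn=2 DATA bytes=5000
t=1.600 conn=5 SYN
t=1.605 conn=5 ESTABLISHED
t=1.900 conn=2 FIN
t=2.100 conn=3 FIN
t=2.200 conn=5 DATA bytes=20000
t=2.400 conn=5 FIN
"""

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) conn=(?P<conn>\d+) (?P<event>[A-Z]+)(?: bytes=(?P<bytes>\d+))?"
)


def parse_log(text):
    """Parse the assumed log format into a time-ordered list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        match = LINE_RE.fullmatch(line.strip())
        if match is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        events.append({
            "t": float(match["t"]),
            "conn": int(match["conn"]),
            "event": match["event"],
            "bytes": int(match["bytes"] or 0),
        })
    events.sort(key=lambda e: e["t"])
    return events


def connection_metrics(events):
    """Compute RFC3511-style transport metrics and application goodput."""
    attempted = {e["conn"] for e in events if e["event"] == "SYN"}
    established = {e["conn"] for e in events if e["event"] == "ESTABLISHED"}
    open_now = 0
    max_concurrent = 0
    established_per_sec = defaultdict(int)
    torn_down_per_sec = defaultdict(int)
    payload_bytes = 0
    for e in events:
        if e["event"] == "ESTABLISHED":
            open_now += 1
            max_concurrent = max(max_concurrent, open_now)
            established_per_sec[int(e["t"])] += 1
        elif e["event"] == "FIN" and e["conn"] in established:
            open_now -= 1
            torn_down_per_sec[int(e["t"])] += 1
        elif e["event"] == "DATA":
            payload_bytes += e["bytes"]
    duration = events[-1]["t"] - events[0]["t"] if events else 0.0
    return {
        "attempted": len(attempted),
        "established": len(established),
        "setup_success_ratio": len(established) / len(attempted) if attempted else 0.0,
        "max_concurrent": max_concurrent,
        "peak_establish_rate_per_s": max(established_per_sec.values(), default=0),
        "peak_teardown_rate_per_s": max(torn_down_per_sec.values(), default=0),
        # Goodput counts application payload only, never headers or retransmissions.
        "goodput_bps": payload_bytes * 8 / duration if duration > 0 else 0.0,
    }


def run_transport_report(text=SAMPLE_LOG):
    return connection_metrics(parse_log(text))


if __name__ == "__main__":
    for key, value in run_transport_report().items():
        print(f"{key}: {value}")
```

In a real RFC3511 run the tester raises the offered connection rate step by step and records the highest step at which the setup success ratio stays at 1.0; the ratio computed here is the per-step pass/fail criterion for that search.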


Origin blog.51cto.com/teletest1/2585490