Abstract
Firewalls are one of the most commonly used security systems to protect networks and hosts. Most researchers have focused on analyzing the latency and throughput of router firewalls. Different from this approach, this research focuses on studying the performance impact and the sensitivity of the Linux firewall (iptables) for a single host. In order to be able to measure the performance and the sensitivity of the firewall, we designed and instrumented each layer of the Linux TCP/IP stack. This instrumentation was used to test the host’s firewall under two scenarios: In the first scenario, we captured the path and the latency of one single packet; in the second scenario, we captured the latency of multiple packets sent to the host at various transmission rates. Our measurement results indicate that the firewall is sensitive to the number of rules, the type of filtering, and the transmission rate. The results of our first scenario demonstrate that for each type of filtering, latency increases linearly as the number of rules increase. Furthermore, the second test scenario shows that latency decreases as the packet transmission rate increases. The results also show that the percentage overhead generated by a firewall when a single packet of 64 bytes of payload travels the TCP/IP stack, for a rule-set of zero and 100 rules, ranges from 6 % to up to 75%, respectively. 1
CiteSeerX — Abstract Performance analysis of the Linux firewall in a host
扫一扫
523
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
