Compaq 117755-003 - ProSignia - 740 White Paper

Performance Analysis and Tuning of Raptor's Eagle NT 3.06 Firewall on Compaq Servers


April 1997
Prepared by
Intranet/Groupware Solutions Group
Compaq Computer Corporation
CONTENTS
Introduction ..................... 3
Executive Summary ............... 3
Benchmark Tools ................. 3
NSTL Methodology of Internet Firewalls ......... 4
Configuration ................... 4
Test Bed Setup .................. 7
Hardware and Software Tuning Characteristics ... 10
Hardware Characteristics ....... 10
Software Characteristics ....... 11
Base System .................... 12
Test Configurations of the Firewall ............ 13
Evaluation of Results .......... 14
Tests Results with HTTP and FTP Transactions ... 14
Tests Results with HTTP Only ... 20
Conclusions .................... 23
Appendix A ..................... 24
Appendix B ..................... 25
278A/0497
WHITE PAPER

Performance Analysis and Tuning of Raptor's Eagle NT 3.06 Firewall on Compaq Servers

As firewalls make their mark as a security measure used to protect intranetworks, it is not clear what is lost from network performance when security is implemented. Today, the lack of multi-protocol benchmark tools makes it difficult to determine network performance through firewalls. Since few tools are available, and most of those measure only HTTP performance, determining the loss of network performance and what can be done to improve it remains difficult.

This paper looks at the performance of firewalls using Raptor's Eagle NT 3.06 product on Compaq servers and the popular protocols FTP and HTTP. It answers questions about the level of hardware needed to address capacity planning, software tuning parameters for the system and firewall, and what to expect in performance gains and losses while incorporating a secure environment for Internet connections.



Summary of Contents for Compaq 117755-003 - ProSignia - 740

  • Page 1 (cover): This paper looks at performance of firewalls using Raptor's Eagle NT 3.06 product on Compaq servers, and the popular protocols FTP and HTTP. It answers questions about the level of hardware needed to address capacity planning, software tuning ...
  • Page 2 This test is not a determination of product quality or correctness, nor does it ensure compliance with any federal, state or local requirements. Compaq does not warrant products other than its own strictly as stated in Compaq product warranties.
  • Page 3: Introduction. The intent of this paper is to help answer questions about the performance of firewalls so that logical decisions can be made for capacity planning using Raptor's Eagle NT 3.06 firewall product. A base line for a specified firewall system is defined, options are added to the base line, and the load differences and performance are evaluated.
  • Page 4: ... variability of multi-protocol loads through gateways/firewalls. Multi-protocol benchmarks allow firewalls to be stressed in ways that closely simulate real network traffic. Of the four benchmarks described below, NSTL's benchmark enables two protocols to be used, HTTP and FTP, which are the two most used on the Internet; it is thus the tool used to test performance of the firewall in this paper.
  • Page 5: This scenario, described in more detail below, is the scenario used in the benchmark tests for this paper. Performance ratings for the test runs are calculated from individual performance scores for the number of virtual clients used in the tests. Transaction refers to the amount of time it takes to open a ...
  • Page 6: The security rule set contains the following rules for the FTP (ports 20, 21) and HTTP (port 80) protocols: Private to Private, Private to Hostile, and Private to DMZ - Allow All; Hostile/DMZ to Private - Allow only to specified servers. Logging affects the firewall throughput; ...
  • Page 7: Using NSTL's two-zone configuration (private zone behind the firewall; DMZ and hostile zone in front of the firewall), two physical servers are located in the DMZ/hostile zone and one physical server is located in the private zone. Physical client configurations place the control station between the two network segments (client01), four clients in the private zone (client02 through client05), and three clients in the DMZ/hostile zone (client06 through client08).
  • Page 8: Table 4 shows the hardware and software makeup of the firewall for the base system. Machine: firewall01. Hardware: ProLiant 5000, 64 MB RAM, 1 Pentium Pro 200/512K cache, 2 EISA ... Software: Windows NT 3.51 Server with Service Pack 5, Raptor's Eagle NT 3.06 firewall software and Hawk GUI.
  • Page 9: Screen 2: Network Entries. Eagle NT promotes transparency of IP addresses, meaning the only IP address the DMZ/Hostile zone can see is the outside interface of the firewall. Specifically, FTP transfers from the outside to the inside must first be connected to the firewall's outside interface; the FTP username becomes Error! Reference source not found., and the password becomes the password for FTP at the FTP server.
  • Page 10: Hardware Characteristics. The various hardware options used in the tests are described below. After each hardware configuration change, the system was re-configured using the Compaq system partition utilities, reached by pressing the F10 key during system boot. Processor ...
  • Page 11: Software Characteristics. (Hardware options table, continued.) RAM (MB). Bus subsystem: bus type EISA and PCI; Compaq NetFlx-3 10/100 card; Compaq S2-Array Controller card. Drive controller / disks: Compaq S2-Array Controller, RAID 0 (no fault tolerance), 1 and 5 ...
  • Page 12: Base System. Add the following parameter: MaxReceives = REG_DWORD 0x1F4 (500). This increases the number of MaxReceives counters for the Compaq Netelligent 10/100TX Network Controller to 500 (the default is 100); it specifies the maximum number of receive lists the driver allocates for receive frames ...
  • Page 13: (Test configuration table row: PP200, 512c; EISA; *5/S2-A, PCI; on/on/4.) Runs 16, 17 and 18 listed in the table below are for the Compaq ProSignia 500, ProLiant 800 and ProLiant 4500 respectively. These runs were done to show differences between hardware configurations and processor speeds. Processor ...
  • Page 14: Tests Results With HTTP and FTP Transactions. The test runs labeled below correspond to HTTP-only tests. These tests are done on the ProLiant 5000. Test 19 is considered the base system for HTTP-only traffic through the firewall. Again, the * represents the change from the base system. (Table columns: Processor, Disk/Drive, MaxRecv ...)
  • Page 15: ... subsection contains some test runs based on lower-end ProLiant and ProSignia systems and was run to show performance on lower-end systems. Base System: The base system, test run 1, consists of the ProLiant 5000 system, 1 Pentium Pro 200 MHz, 512K cache processor, 64 MB RAM, 2 EISA NetFlx-3 10/100, PCI Smart/2-Array Controller RAID 0, 1 SCSI disk, MaxReceive Buffers 100, HTTPD cache on, DNS Lookups for HTTPD on, and 100 Mb network.
  • Page 16: (Graph: Runs #2 and #3 in TPM; legend: Base Run, Base w/128 MB RAM; y-axis TPM 500 to 1100 ...)
  • Page 17: ... not a big increase in performance, since FTP transfers are still doing DNS lookups. On HTTP-only transfers, the TPM and the percent TPM difference increase from the base system are higher, because the HTTP daemon supports the switch for no DNS lookups and FTP currently does not. Please refer to the section Test Results with HTTP Only for HTTP-only test results.
  • Page 18: Network Speed. In Run #10, the 100 Mb hubs were replaced with 10 Mb hubs to show the degradation of performance caused by the network. The overall negative percent difference shown by the network, from 1 to 72 virtual clients, was 2%. The lows were down to a 10% negative difference for 24 virtual clients and a 7% negative percent difference for 48 virtual clients from the base system.
  • Page 19: (Graph 5: Base Run with On Board PCI Ctlr, S2-Array EISA-R0-1D, S2-Array PCI-R0- ...; Runs #12, #13 and #15 in TPM; legend: Base Run, On Board PCI Ctlr, S2-Array EISA RAID 0 1 drive, S2-Array PCI RAID 0 4 drives; x-axis virtual clients 24 to 72; y-axis TPM to 1100.) Full System: Run #11 adds a Pentium Pro 200-512K cache processor, 256 MB RAM, sets MaxReceive buffers for NetFlx-3 cards to 500, changes to PCI bus for NIC cards, and sets DNS Lookups for HTTPD ...
  • Page 20: Tests Results With HTTP Only. Other Systems and Configurations: This section includes test runs with other systems and configurations. It also includes other runs using the base system described above with other configurations. Graph 7 includes runs #16, #17 and #18 for the ProSignia 500, ProLiant 800 and ProLiant 4500 respectively.
  • Page 21: Base Run. The base system, test run 1, consists of the ProLiant 5000 system, 1 Pentium Pro 200 MHz, 512K cache processor, 64 MB RAM, 2 EISA NetFlx-3 10/100, PCI S2-Array Controller RAID 0, 1 SCSI disk, MaxReceive Buffers 100, HTTPD cache on, DNS Lookups for HTTPD on, and 100 Mb network.
  • Page 22: 100 Rules. Run #22 applies 100 rules to the firewall rule set to show the decrease in performance. Graph 10 displays the decrease in performance. (Graph 10: Run #22 in TPM; legend: HTTP Only Base Run, Base Run + 100 ...; y-axis TPM 1200 to 2400.)
  • Page 23: Conclusions. As a result, using Compaq servers and adding specific hardware and software components can reduce this performance hit dramatically while increasing overall performance of the firewall for your environment.
  • Page 24: Appendix A. DNS hosts and host.pub files for Raptor's Eagle NT 3.06 firewall setup. %systemroot%\system32\drivers\etc\hosts:
        10.10.10.50  aaa.testbed.com
        10.10.10.1   client01.testbed.com  client01
        10.10.10.2   client02.testbed.com  client02
        10.10.10.5   client03.testbed.com  client03
        10.10.10.4   client04.testbed.com  client04
        10.10.10.6   client05.testbed.com  client05
        10.10.10.8   server01.testbed.com  server01
        ...
  • Page 25: Appendix B. Per-run results (columns as labelled in the source: Users, URLs, %Failures).
        Run1
        Users  URLs    %Failures
               300.26  0.00
        1200   589.78  0.67
        2400   577.98  0.54
        3200   469.58  1.44
        3600   560.95  0.78
        4800   579.20  0.75
        6000   574.46  0.90
        7200   573.71  0.75
        Run2
               311.12  0.00
        1200   573.55  0.25
        ...
  • Page 26: Appendix B (cont.).
        Run9
        Users  URLs    %Failures
               288.80  0.00
        1200   641.81  0.92
        2400   550.35  1.42
        3200   732.57  1.44
        3600   616.26  1.47
        4800   701.10  4.60
        6000   753.75  1.45
        7200   906.89  11.79
        Run10
               267.27  0.00
        1200   580.00  0.00
        2400   520.36  1.38
        3200   537.21  1.03
        3600   ...
  • Page 27: Appendix B (cont.).
        Run17
        Users  URLs    %Failures
               291.91  0.00
        1200   618.30  0.33
        2400   558.30  1.38
        3200   646.74  1.00
        3600   634.72  1.00
        4800   665.94  0.77
        6000   595.91  1.03
        7200   626.93  0.78
        Run18
               291.91  0.00
        1200   417.71  0.08
        2400   389.75  0.50
        3200   390.26  0.41
        3600   ...
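The percent-difference reporting used on pages 17 and 18 (TPM difference from the base run at each virtual-client level, plus one overall figure), read together with the Appendix B failure percentages, can be reproduced with the script below. It is an added example written for this page, not code from the Compaq paper or from NSTL's benchmark. It assumes an input format of its own (one record per line: run name, virtual clients, URLs score, percent failures, modelled on the Appendix B columns), takes the overall figure to be the mean of the per-level differences (the paper does not say how its overall figure is aggregated), and applies a 5% failure threshold of its own to flag load levels where a throughput gain should not be trusted, the pattern Appendix B shows for Run 9, whose top load level reports 11.79% failures. All numbers in SAMPLE_RESULTS are constructed, not measurements from the paper.

```python
"""Compare firewall benchmark runs against a base run, level by level.

Added example for this page; not code from the Compaq paper or NSTL's
benchmark.  Input format (assumed): one record per line,
    <run> <virtual_clients> <urls_score> <percent_failures>
modelled on the Appendix B columns (Users, URLs, %Failures).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    users: int        # virtual clients driving the load at this level
    urls: float       # throughput score reported for the level
    failures: float   # percent of transactions that failed at the level


# Constructed sample data (not measurements from the paper): a base run and
# two variants at the same six load levels.  "fast" gains throughput at the
# top of the curve while its failure rate climbs, the shape Appendix B
# shows for Run 9.
SAMPLE_RESULTS = """
# run    users  urls    %failures
base     1      300.00  0.00
base     12     600.00  0.60
base     24     600.00  0.50
base     36     560.00  0.80
base     48     580.00  0.70
base     72     570.00  0.80
ram128   1      300.00  0.00
ram128   12     630.00  0.30
ram128   24     540.00  0.50
ram128   36     588.00  0.80
ram128   48     609.00  0.70
ram128   72     627.00  0.90
fast     1      300.00  0.00
fast     12     660.00  0.90
fast     24     660.00  1.40
fast     36     616.00  1.50
fast     48     696.00  4.60
fast     72     912.00  11.79
"""


def parse_results(text: str) -> Dict[str, List[Sample]]:
    """Parse records into per-run sample lists, sorted by load level."""
    runs: Dict[str, List[Sample]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed record: {raw!r}")
        run, users, urls, failures = fields
        runs.setdefault(run, []).append(
            Sample(int(users), float(urls), float(failures)))
    for samples in runs.values():
        samples.sort(key=lambda s: s.users)
    return runs


def percent_difference(variant: List[Sample],
                       base: List[Sample]) -> Dict[int, float]:
    """Per-level percent change of the variant's score over the base score.

    Levels the base run did not measure are skipped rather than guessed.
    """
    base_by_users = {s.users: s for s in base}
    out: Dict[int, float] = {}
    for v in variant:
        b = base_by_users.get(v.users)
        if b is None or b.urls == 0:
            continue
        out[v.users] = round((v.urls - b.urls) / b.urls * 100.0, 2)
    return out


def unreliable_levels(samples: List[Sample],
                      max_failure_pct: float = 5.0) -> List[int]:
    """Load levels whose failure rate exceeds the (assumed) threshold."""
    return [s.users for s in samples if s.failures > max_failure_pct]


def compare(runs: Dict[str, List[Sample]], variant: str,
            base: str = "base", max_failure_pct: float = 5.0) -> dict:
    """Summarise a variant against the base run.

    'overall' is the mean of the per-level differences (an assumption; the
    paper does not say how it aggregates its single overall figure).
    """
    per_level = percent_difference(runs[variant], runs[base])
    if not per_level:
        raise ValueError(f"no common load levels between {variant} and {base}")
    return {
        "per_level": per_level,
        "overall": round(mean(per_level.values()), 2),
        "worst_level": min(per_level, key=per_level.__getitem__),
        "unreliable": unreliable_levels(runs[variant], max_failure_pct),
    }


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    for name in ("ram128", "fast"):
        summary = compare(results, name)
        worst = summary["worst_level"]
        print(f"{name}: overall {summary['overall']:+.2f}% vs base; "
              f"worst level {worst} clients "
              f"({summary['per_level'][worst]:+.2f}%); "
              f"levels above failure threshold: {summary['unreliable']}")
```

Run as-is to see the two summaries. The point of the failure-threshold list is the one the page's own data makes: a run whose top load level shows double-digit failures is reporting throughput on the requests that did get through, so its percent gain at that level is not comparable with a level that completed cleanly.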
