RFC 2647 Firewall Performance Terminology August 1999
reason this must always be so. A growing number of firewalls are
controlling access at the application layer, using user
identification as the criterion. And firewalls for ATM networks may
control access based on data link-layer criteria.
Unit of measurement:
not applicable
Issues:
See also:
DMZ
tri-homed
user
3.17 Goodput
Definition:
The number of bits per unit of time forwarded to the correct
destination interface of the DUT/SUT, minus any bits lost or
retransmitted.
Discussion:
Firewalls are generally insensitive to packet loss in the network.
As such, measurements of gross bit forwarding rates are not
meaningful since (in the case of proxy-based and stateful packet
filtering firewalls) a receiving endpoint directly attached to a
DUT/SUT would not receive any data dropped by the DUT/SUT.
The type of traffic lost or retransmitted is protocol-dependent.
TCP and ATM, for example, request different types of
retransmissions. Testers must observe retransmitted data for the
protocol in use, and subtract this quantity from measurements of
gross bit forwarding rate.
Unit of measurement:
bits per second
Issues:
allowed vs. rejected traffic
See also:
allowed traffic
bit forwarding rate
rejected traffic
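A worked reading of the goodput definition above, added here as an example and not part of RFC 2647: frames captured on the DUT/SUT output interfaces are counted only if they reached the correct interface and are not repeats of a segment already seen (the TCP retransmission case the discussion mentions). The Frame record, the interface names and the sample capture are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One frame seen leaving the DUT/SUT (constructed test record)."""
    out_iface: str       # interface on which the tester observed the frame
    expected_iface: str  # interface the test plan says the frame belongs on
    flow: str            # flow identifier, e.g. "tcp 10.0.0.5:40000 -> 192.0.2.10:80"
    seq: int             # TCP sequence number of the segment
    bits: int            # frame length in bits


def goodput_bps(frames, duration_s):
    """Goodput per RFC 2647 3.17: bits delivered to the correct destination
    interface, minus retransmitted bits, divided by the test duration.
    Retransmissions are detected as a repeated (flow, seq) pair, which is the
    TCP case; other protocols need their own detector, as the RFC notes.
    Frames lost inside the DUT/SUT never appear here, so they are excluded."""
    seen = set()
    good = retrans = misdirected = 0
    for f in frames:
        if f.out_iface != f.expected_iface:
            misdirected += f.bits      # forwarded, but not to the correct interface
            continue
        key = (f.flow, f.seq)
        if key in seen:
            retrans += f.bits          # same segment seen again: a retransmission
            continue
        seen.add(key)
        good += f.bits
    return {
        "gross_bps": (good + retrans + misdirected) / duration_s,
        "goodput_bps": good / duration_s,
        "retransmitted_bits": retrans,
        "misdirected_bits": misdirected,
    }


# Constructed sample: six 1500-byte frames (12000 bits) captured over one second.
FLOW = "tcp 10.0.0.5:40000 -> 192.0.2.10:80"
SAMPLE_FRAMES = [
    Frame("dmz", "dmz", FLOW, 0, 12000),
    Frame("dmz", "dmz", FLOW, 1460, 12000),
    Frame("dmz", "dmz", FLOW, 2920, 12000),
    Frame("dmz", "dmz", FLOW, 1460, 12000),   # retransmission of seq 1460
    Frame("dmz", "dmz", FLOW, 4380, 12000),
    Frame("ext", "dmz", FLOW, 5840, 12000),   # delivered to the wrong interface
]

if __name__ == "__main__":
    print(goodput_bps(SAMPLE_FRAMES, duration_s=1.0))
```

On the sample capture the gross rate is 72000 bit/s but the goodput is 48000 bit/s, which is the gap the definition is meant to expose.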
Newman Informational [Page 14]
3.18 Homed
Definition:
The number of logical interfaces a DUT/SUT contains.
Discussion:
Firewalls typically contain at least two logical interfaces. In
network topologies where a DMZ is used, the firewall usually
contains at least three interfaces and is said to be tri-homed.
Additional interfaces would make a firewall quad-homed, quint-homed,
and so on.
It is theoretically possible for a firewall to contain one physical
interface and multiple logical interfaces. This configuration is
discouraged for testing purposes because of the difficulty in
verifying that no leakage occurs between protected and unprotected
segments.
Unit of measurement:
not applicable
Issues:
See also:
tri-homed
3.19 Illegal traffic
Definition:
Packets specified for rejection in the rule set of the DUT/SUT.
Discussion:
A buggy or misconfigured firewall might forward packets even though
its rule set specifies that these packets be dropped. Illegal
traffic differs from rejected traffic in that it describes all
traffic specified for rejection by the rule set, while rejected
traffic specifies only those packets actually dropped by the
DUT/SUT.
Unit of measurement:
not applicable
Issues:
See also:
accepted traffic
policy
rejected traffic
rule set
3.20 Logging
Definition:
The recording of user requests made to the firewall.
Discussion:
Firewalls typically log all requests they handle, both allowed and
rejected. For many firewall designs, logging requires a significant
amount of processing overhead, especially when complex rule sets
are in use.
The type and amount of data logged varies by implementation.
Testers may find it desirable to log equivalent data when comparing
different DUT/SUTs.
Some systems allow logging to take place on systems other than the
DUT/SUT.
Unit of measurement:
not applicable
Issues:
rule sets
See also:
allowed traffic
connection
rejected traffic
3.21 Network address translation
Definition:
A method of mapping one or more private, reserved IP addresses to
one or more public IP addresses.
Discussion:
In the interest of conserving the IPv4 address space, RFC 1918
proposed the use of certain private (reserved) blocks of IP
addresses. Connections to public networks are made by use of a
device that translates one or more RFC 1918 addresses to one or
more public addresses--a network address translator (NAT).
The use of private addressing also introduces a security benefit in
that RFC 1918 addresses are not visible to hosts on the public
Internet.
Some NAT implementations are computationally intensive, and may
affect bit forwarding rate.
Unit of measurement:
not applicable
Issues:
See also:
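An illustration of the translation described in 3.21, added here as an example and not part of RFC 2647: a hypothetical port-overloading NAT that maps many private (address, port) pairs onto a single public address and keeps the inverse table for replies. The class, the public address 203.0.113.1 and the sample hosts are constructed; only the three RFC 1918 blocks are taken from the standard.

```python
import ipaddress

# RFC 1918 private blocks; only sources inside these are translated.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class Nat:
    """Hypothetical port-overloading NAT: each private (address, port) pair is
    given its own port on one public address, and the inverse table routes
    replies back to the private host."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip, src_port):
        """Rewrite the source of an outbound packet; returns (public_ip, public_port)."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; not translated")
        key = (src_ip, src_port)
        if key not in self.outbound:       # first packet of a flow: allocate a port
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port):
        """Map a reply's destination port back to (private_ip, private_port), or None."""
        return self.inbound.get(public_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.1")                        # constructed public address
    print(nat.translate_out("10.0.0.5", 40000))     # ('203.0.113.1', 1024)
    print(nat.translate_out("192.168.1.9", 5000))   # ('203.0.113.1', 1025)
    print(nat.translate_in(1025))                   # ('192.168.1.9', 5000)
```

The per-flow table lookup and port allocation on every packet is the work the discussion refers to when it notes that NAT can reduce bit forwarding rate.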
3.22 Packet filtering
Definition:
The process of controlling access by examining packets based on the
content of packet headers.
Discussion:
Packet-filtering devices forward or deny packets based on
information in each packet's header, such as IP address or TCP port
number. A packet-filtering firewall uses a rule set to determine
which traffic should be forwarded and which should be blocked.
Unit of measurement:
not applicable
Issues:
static vs. stateful packet filtering
See also:
application proxy
circuit proxy
proxy
rule set
stateful packet filtering
3.23 Policy
Definition:
A document defining acceptable access to protected, DMZ, and
unprotected networks.
Discussion:
Security policies generally do not spell out specific
configurations for firewalls; rather, they set general guidelines
for what is and is not acceptable network access.
The actual mechanism for controlling access is usually the rule set
implemented in the DUT/SUT.
Unit of measurement:
not applicable
Issues:
See also:
rule set
3.24 Protected network
Definition:
A network segment or segments to which access is controlled by the
DUT/SUT.
Discussion:
Firewalls are intended to prevent unauthorized access either to or
from the protected network. Depending on the configuration
specified by the policy and rule set, the DUT/SUT may allow hosts
on the protected segment to act as clients for servers on either
the DMZ or the unprotected network, or both.
Protected networks are often called "internal networks." That term
is not used here because firewalls increasingly are deployed within
an organization, where all segments are by definition internal.
Unit of measurement:
not applicable
Issues:
See also:
demilitarized zone (DMZ)
unprotected network
policy
rule set
3.25 Proxy
Definition:
A request for a connection made on behalf of a host.
Discussion:
Proxy-based firewalls do not allow direct connections between
hosts. Instead, two connections are established: one between the
client host and the DUT/SUT, and another between the DUT/SUT and
server host.
As with packet-filtering firewalls, proxy-based devices use a rule
set to determine which traffic should be forwarded and which should
be rejected.
There are two types of proxies: application proxies and circuit
proxies.
Unit of measurement:
not applicable
Issues:
application
See also:
application proxy
circuit proxy
packet filtering
stateful packet filtering
3.26 Rejected traffic
Definition:
Packets dropped as a result of the rule set of the DUT/SUT.
Discussion:
For purposes of benchmarking firewall performance, it is expected
that firewalls will reject all traffic not explicitly permitted in
the rule set. Dropped packets must not be included in calculating
the bit forwarding rate or maximum bit forwarding rate of the
DUT/SUT.
Unit of measurement:
not applicable
Issues:
See also:
allowed traffic
illegal traffic
policy
rule set
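One way to apply the distinctions drawn in 3.19, 3.22 and 3.26 to a test run, added here as an example and not part of RFC 2647: a minimal header-based packet filter (first matching rule wins, unmatched packets rejected) is used to mark which offered packets the rule set specifies for rejection (illegal traffic), and a capture from the far side of the DUT/SUT then separates those actually dropped (rejected traffic) from those that leaked through. The Packet and Rule records, the rule set and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source prefix, CIDR
    dst: str     # destination prefix, CIDR
    proto: str   # protocol, or "any"
    dport: int   # destination port, or 0 for any

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto) and self.dport in (0, p.dport))


def decide(rules, packet):
    """First matching rule wins; a packet matching no rule is rejected, which is
    the behaviour the RFC expects of a DUT/SUT under benchmark."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "deny"


def classify(rules, offered, forwarded):
    """illegal: offered packets the rule set specifies for rejection; rejected:
    illegal packets really dropped; leaked: illegal packets seen past the DUT/SUT."""
    fwd = set(forwarded)
    illegal = [p for p in offered if decide(rules, p) == "deny"]
    return {"illegal": illegal,
            "rejected": [p for p in illegal if p not in fwd],
            "leaked": [p for p in illegal if p in fwd]}


# Constructed rule set: HTTP and DNS from the protected network to the DMZ, nothing else.
RULES = [Rule("allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", 80),
         Rule("allow", "10.0.0.0/8", "192.0.2.53/32", "udp", 53)]
OFFERED = [Packet("10.1.1.5", "192.0.2.10", "tcp", 80),
           Packet("10.1.1.6", "192.0.2.53", "udp", 53),
           Packet("10.1.1.7", "192.0.2.10", "tcp", 23),    # no rule permits telnet
           Packet("172.16.9.9", "192.0.2.10", "tcp", 80)]  # source outside 10/8
FORWARDED = OFFERED[:3]   # constructed DMZ-side capture: the telnet packet got through
```

A non-empty "leaked" list is the buggy-or-misconfigured case the 3.19 discussion describes, and those packets must also be kept out of any bit forwarding rate figure.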
3.27 Rule set
Definition:
The collection of access control rules that determines which
packets the DUT/SUT will forward and which it will reject.
Discussion:
Rule sets control access to and from the network interfaces of the
DUT/SUT. By definition, rule sets do not apply equally to all
network interfaces; otherwise there would be no need for the
firewall. For benchmarking purposes, a specific rule set is
typically applied to each network interface in the DUT/SUT.
The tester must describe the complete contents of the rule set of
each DUT/SUT.
To ensure measurements reflect only traffic forwarded by the
DUT/SUT, testers are encouraged to include a rule denying all