rfc2647.txt

<VC++网络游戏建摸与实现>源代码

3.24 Protected network

   Definition:
     A network segment or segments to which access is controlled by the
     DUT/SUT.

   Discussion:
     Firewalls are intended to prevent unauthorized access either to or
     from the protected network. Depending on the configuration
     specified by the policy and rule set, the DUT/SUT may allow hosts
     on the protected segment to act as clients for servers on either
     the DMZ or the unprotected network, or both.

     Protected networks are often called "internal networks." That term
     is not used here because firewalls increasingly are deployed within
     an organization, where all segments are by definition internal.

   Unit of measurement:

   not applicable

   Issues:

   See also:
     demilitarized zone (DMZ)
     unprotected network
     policy
     rule set
     unprotected network






Newman                       Informational                     [Page 18]

RFC 2647            Firewall Performance Terminology         August 1999


3.25 Proxy

   Definition:
     A request for a connection made on behalf of a host.

   Discussion:
     Proxy-based firewalls do not allow direct connections between
     hosts.  Instead, two connections are established: one between the
     client host and the DUT/SUT, and another between the DUT/SUT and
     server host.

     As with packet-filtering firewalls, proxy-based devices use a rule
     set to determine which traffic should be forwarded and which should
     be rejected.

     There are two types of proxies: application proxies and circuit
     proxies.

   Unit of measurement:
     not applicable

   Issues:
     application

   See also:
     application proxy
     circuit proxy
     packet filtering
     stateful packet filtering

3.26 Rejected traffic

   Definition:
     Packets dropped as a result of the rule set of the DUT/SUT.

   Discussion:
     For purposes of benchmarking firewall performance, it is expected
     that firewalls will reject all traffic not explicitly permitted in
     the rule set. Dropped packets must not be included in calculating
     the bit forwarding rate or maximum bit forwarding rate of the
     DUT/SUT.

   Unit of measurement:
     not applicable

   Issues:





Newman                       Informational                     [Page 19]

RFC 2647            Firewall Performance Terminology         August 1999


   See also:
     allowed traffic
     illegal traffic
     policy
     rule set

3.27 Rule set

   Definition:
     The collection of access control rules that determines which
     packets the DUT/SUT will forward and which it will reject.

   Discussion:
     Rule sets control access to and from the network interfaces of the

     DUT/SUT. By definition, rule sets do not apply equally to all
     network interfaces; otherwise there would be no need for the
     firewall. For benchmarking purposes, a specific rule set is
     typically applied to each network interface in the DUT/SUT.

     The tester must describe the complete contents of the rule set of
     each DUT/SUT.

     To ensure measurements reflect only traffic forwarded by the
     DUT/SUT, testers are encouraged to include a rule denying all
     access except for those packets allowed by the rule set.

   Unit of measurement:
     not applicable

   Issues:

   See also:
     allowed traffic
     demilitarized zone (DMZ)
     illegal traffic
     policy
     protected network
     rejected traffic
     unprotected network

3.28 Security association

   Definition:
     The set of security information relating to a given network
     connection or set of connections.





Newman                       Informational                     [Page 20]

RFC 2647            Firewall Performance Terminology         August 1999


   Discussion:
     This definition covers the relationship between policy and
     connections. Security associations (SAs) are typically set up
     during connection establishment, and they may be reiterated or
     revoked during a connection.

     For purposes of benchmarking firewall performance, measurements of
     bit forwarding rate or UOTs per second must be taken after all
     security associations have been established.

   Unit of measurement:
     not applicable

   See also:
     connection
     connection establishment
     policy
     rule set

3.29 Stateful packet filtering

   Definition:
     The process of forwarding or rejecting traffic based on the
     contents of a state table maintained by a firewall.

   Discussion:
     Packet filtering and proxy firewalls are essentially static, in
     that they always forward or reject packets based on the contents of
     the rule set.

     In contrast, devices using stateful packet filtering will only
     forward packets if they correspond with state information
     maintained by the device about each connection. For example, a
     stateful packet filtering device will reject a packet on port 20
     (ftp-data) if no connection has been established over the ftp
     control port (usually port 21).

   Unit of measurement:
     not applicable

   Issues:

   See also:
     applicaton proxy
     packet filtering
     proxy





Newman                       Informational                     [Page 21]

RFC 2647            Firewall Performance Terminology         August 1999


3.30 Tri-homed

   Definition:
     A firewall with three network interfaces.

   Discussion:
     Tri-homed firewalls connect three network segments with different
     network addresses. Typically, these would be protected, DMZ, and
     unprotected segments.

     A tri-homed firewall may offer some security advantages over
     firewalls with two interfaces. An attacker on an unprotected
     network may compromise hosts on the DMZ but still not reach any
     hosts on the protected network.

   Unit of measurement:
     not applicable

   Issues:
     Usually the differentiator between one segment and another is its
     IP address. However, firewalls may connect different networks of
     other types, such as ATM or Netware segments.

   See also:
     homed

3.31 Unit of transfer

   Definition:
     A discrete collection of bytes comprising at least one header and
     optional user data.

   Discussion:
     This metric is intended for use in describing steady-state
     forwarding rate of the DUT/SUT.

     The unit of transfer (UOT) definition is deliberately left open to
     interpretation, allowing the broadest possible application.
     Examples of UOTs include TCP segments, IP packets, Ethernet frames,
     and ATM cells.

     While the definition is deliberately broad, its interpretation must
     not be. The tester must describe what type of UOT will be offered
     to the DUT/SUT, and must offer these UOTs at a consistent rate.
     Traffic measurement must begin after all connection establishment
     routines complete and before any connection completion routine
     begins.  Further, measurements must begin after any security
     associations (SAs) are established and before any SA is revoked.



Newman                       Informational                     [Page 22]

RFC 2647            Firewall Performance Terminology         August 1999


     Testers also must compare only like UOTs. It is not appropriate,
     for example, to compare forwarding rates by offering 1,500-byte
     Ethernet UOTs to one DUT/SUT and 53-byte ATM cells to another.

   Unit of measurement:
     Units of transfer
     Units of transfer per second

   Issues:

   See also:
     bit forwarding rate
     connection

3.32 Unprotected network

   Definition:
     A network segment or segments to which access is not controlled by
     the DUT/SUT.

   Discussion:
     Firewalls are deployed between protected and unprotected segments.
     The unprotected network is not protected by the DUT/SUT.

     Note that a DUT/SUT's policy may specify hosts on an unprotected
     network. For example, a user on a protected network may be
     permitted to access an FTP server on an unprotected network. But
     the DUT/SUT cannot control access between hosts on the unprotected
     network.

   Unit of measurement:
     not applicable

   Issues:

   See also:
     demilitarized zone (DMZ)
     policy
     protected network
     rule set

3.33 User

   Definition:
     A person or process requesting access to resources protected by the
     DUT/SUT.





Newman                       Informational                     [Page 23]

RFC 2647            Firewall Performance Terminology         August 1999


   Discussion:
     "User" is a problematic term in the context of firewall performance
     testing, for several reasons. First, a user may in fact be a
     process or processes requesting services through the DUT/SUT.
     Second, different "user" requests may require radically different
     amounts of DUT/SUT resources. Third, traffic profiles vary widely
     from one organization to another, making it difficult to
     characterize the load offered by a typical user.

     For these reasons, testers should not attempt to measure DUT/SUT
     performance in terms of users supported. Instead, testers should
     describe performance in terms of maximum bit forwarding rate and
     maximum number of connections sustained. Further, testers should
     use the term "data source" rather than user to describe traffic
     generator(s).

   Unit of measurement:
     not applicable

   Issues:

   See also:
     data source

4. Security Considerations

   The primary goal of this memo is to describe terms used in
   benchmarking firewall performance. However, readers should be aware
   that there is some overlap between performance and security issues.
   Specifically, the optimal configuration for firewall performance may
   not be the most secure, and vice-versa.

   Further, certain forms of attack may degrade performance. One common
   form of denial-of-service (DoS) attack bombards a firewall with so
   much rejected traffic that it cannot forward allowed traffic. DoS
   attacks do not always involve heavy loads; by definition, DoS
   describes any state in which a firewall is offered rejected traffic
   that prohibits it from forwarding some or all allowed traffic. Even a
   small amount of traffic may significantly degrade firewall
   performance, or stop the firewall altogether. Further, the safeguards
   in firewalls to guard against such attacks may have a significant
   negative impact on performance.

   Since the library of attacks is constantly expanding, no attempt is
   made here to define specific attacks that may affect performance.
   Nonetheless, any reasonable performance benchmark should take into





Newman                       Informational                     [Page 24]

RFC 2647            Firewall Performance Terminology         August 1999


   consideration safeguards against such attacks. Specifically, the same
   safeguards should be in place when comparing performance of different
   firewall implementations.

5. References

   Bradner, S., Ed., "Benchmarking Terminology for Network
           Interconnection Devices", RFC 1242, July 1991.

   Bradner, S. and J. McQuaid, "Benchmarking Methodology for Network
           Interconnect Devices", RFC 2544, March 1999.

   Mandeville, R., "Benchmarking Terminology for LAN Switching Devices",
           RFC 2285, February 1998.

   Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear,
           "Address Allocation for Private Internets", BCP 5, RFC 1918,
           February 1996.

6. Acknowledgments

   The author wishes to thank the IETF Benchmarking Working Group for
   agreeing to review this document. Several other persons offered
   valuable contributions and critiques during this project: Ted Doty
   (Internet Security Systems), Kevin Dubray (Ironbridge Networks),
   Helen Holzbaur, Dale Lancaster, Robert Mandeville, Brent Melson
   (NSTL), Steve Platt (NSTL), Marcus Ranum (Network Flight Recorder),
   Greg Shannon, Christoph Schuba (Sun Microsystems), Rick Siebenaler,
   and Greg Smith (Check Point Software Technologies).

7. Contact Information

   David Newman
   Data Communications magazine
   3 Park Ave.
   31st Floor
   New York, NY 10016
   USA

   Phone: 212-592-8256
   Fax:   212-592-8265
   EMail: dnewman@data.com









Newman                       Informational                     [Page 25]

RFC 2647            Firewall Performance Terminology         August 1999


8.  Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Newman                       Informational                     [Page 26]