Appliance Sizing Tool - General Assumptions & Testing Methodology
|
This document presents the general assumptions & performance testing methodologies taken for the Appliance Selection Tool.
This document is being updated periodically with new methodologies upon new features and requirements (Last updated - Oct 2013). |
General Assumptions
Blade Inspection Policy
In order to apply 'Internet only' traffic to the blade inspection, you should validate the inspection scope on each blade policy.
Appliance Selection tool - Security requirements step.
Testing Methodology
Lab Setup
This section provides general information about the topologies and test-beds of the performance tests for the Appliance Selection Tool.
During the performance tests, the DUT (device under tests) can contain the maximum possible network interfaces connected.
Traffic Blends
Internet Blend
- Represents the type of Internet traffic, security appliances handle on a day-to-day basis.
- Based on customer research conducted by Check Point performance labs.
- Consists from the following Streams/Protocols: HTTP; HTTPS; SMTP; DNS; POP3; FTP; Telnet.
- The majority of the traffic is Internet Access (HTTP).
Full traffic blend description
|
Protocol
|
Action
|
Details
|
Distribution
|
|---|
|
HTTP
|
Amazon Home Page
|
HTTP GET of Amazon Home Page, 676K
|
16%
|
|
Yahoo Home Page
|
HTTP GET of Yahoo Home Page, 292K
|
16%
|
|
Facebook Home Page
|
HTTP GET of Facebook Home Page, 271K
|
16%
|
|
Google Search
|
HTTP GET of Google Home Page, 41K
|
17%
|
|
Google Mail
|
HTTP GET of Gmail index.html file, 21K
|
2%
|
|
HTTP Post
|
100K PDF file
|
1%
|
|
Total HTTP Protocol
|
|
68%
|
|
SMTP
|
SMTP 17K
|
MIME Message with PDF Attachment file
|
7%
|
|
|
SMTP 100K
|
MIME Message with MS word Attachment file
|
6%
|
|
|
Total SMTP Protocol
|
|
13%
|
|
HTTPS
|
HTTPS 10K
|
HTTPS GET of 10K file
|
5%
|
|
|
HTTPS 100K
|
HTTPS GET of 100K file
|
5%
|
|
|
Total HTTPS
|
|
10%
|
|
Other Protocols
|
DNS
|
DNS Query
|
6%
|
|
|
POP3
|
Message size: 256-512 bytes
|
1%
|
|
|
Telnet
|
Login; cd /disk/images; ls
|
1%
|
|
|
FTP
|
FTP get, 1MB file
|
1%
|
|
|
Total Other Protocols
|
|
9%
|
Data Center Blend
- Check Point empirical study found the following common applications in the Data Center: Web Services, File Stores, Authentication Services, Line-of-Business Applications, Custom Applications and Data Intensive Applications.
- Consists from the following Stream/Protocols : HTTP; HTTPS ; SMTP ; SMB_CIFS ; SQL ; NFS ; SMB_DCERPC ; Oracle ; DNS ; LDAP ; SSH ; FTP.
- Typical Data Center traffic blends consume around 20% more SPU power than Internet traffic blend.
Topology Diagram
SecureXL & CoreXL
- Check Point SecureXL - Enabled.
- Check Point CoreXL - Enabled (Out-of-the-box configuration).
SIM Affinity
Performance Pack is able to utilize architecture of multiple CPUs and Cores. In order to optimize results, Performance Pack attaches different NICs IRQs, to different CPUs or cores. This process is done automatically and by default by Performance Pack.
For these performance tests we used manual assignment in order to achieve maximum results.
Security Management Deployment
Standalone Deployment - Where the gateway and the Security Management server are installed on the same machine.
Distributed Deployment - Where the gateway and the Security Management server are installed on different machines.
Security Policy
Firewall Rule Base
- 100 Firewall Rules.
- Traffic is evenly distributed amongst these rules.
Logging
- All rules are configured to send a log record per connection.
Network Address Translation (NAT)
- Perform on all connections that pass through the Security Gateway.
Software Blades Configuration
IPS Blade
Profile Assignment: Pre-defined Profile: "Recommended_Protection".
Protection Scope: Protect Internal Hosts only.
Mobile Access Blade
- Simulating Mobile Users connecting securely to corporate resources through SSL VPN Portal.
- The sizing of Mobile Access Blade is optimized for portal Scenario. Read Security Knowledge sk96450 for advanced mobile blade sizing with SSL Network Extender (SNX).
- Mobile Access Mode: Integrated.
- Link Translation Method: Path Translation (Default).
- Simulated Web Application: Outlook Web Access.
- Simulated OWA usage profile: Heavy Usage (based on the assumption that remote access users are usually busier with email than in-office users).
- Our Profile is based on MS article describes several OWA usage profiles:
|
Actvity per day
|
Light
|
Medium
|
Heavy
|
Very Heavy
|
|---|
|
Messages sent
|
5
|
10
|
20
|
30
|
|
Messages recieved
|
20
|
40
|
80
|
120
|
|
Messages read
|
20
|
40
|
80
|
120
|
|
Messages deleted
|
10
|
20
|
40
|
60
|
|
Log on and log off
|
2
|
2
|
2
|
2
|
The average message size for all profiles is 50 KB.
- Bandwidth for Heavy OWA Profile: Every User will generate network traffic of 50KB per Minute.
- 2% of the users are generating new login traffic - for each 100 concurrent users, there are 2 concurrent new login requests per second.
- Secure Work Space's (SWS) contribution to SPU is already weighted in the sizing calculation.
IPSEC VPN Blade
- Simulating VPN Remote Access Clients connecting securely to corporate resources.
- Bandwidth per User: 20Kbps.
- IPSEC Security Association (Phase 2): Encryption Algorithm: AES128.
Anti-Bot & Anti-Virus Blades
- Out-of-the-box configuration.
- According to the Anti-Bot and Anti-Virus Policy.
- Up to date Signatures.
Application Control & URL Filtering Blades
- Out-of-the-box configuration.
- Up to date Signatures.
Data Loss Prevention Blade
- Default Deployment - Uses the Data Loss Prevention policy provided Out of the Box.
- Out-of-the-box Data Loss Prevention with a basic policy (DLP Software Blade comes with a large number of built-in data types that can be quickly applied as a default policy).
- Default Applied Protocols: Email (Scan outgoing Emails).
Threat Emulation Blade
- Emulation Location: 'Check Point ThreatCloud Emulation' / 'Private Cloud Emulation'.
- Out of the box Threat Emulation Profile.
- File emulation rate: Emulated file for every 250MB of traffic.