Firewalls are no longer just perimeter devices for the data center; they should be woven into the fabric of the network from edge to edge so that security is layered in depth and ubiquitous. The next evolution of the firewall has to combine dynamic policy-based security with performance, rapid scaling, high availability and application intelligence. Increasing attention is now paid to the quality of network firewall design because of regulations and frameworks such as the Sarbanes-Oxley Act, the CobiT framework, the Payment Card Industry Data Security Standard (PCI DSS) and NIST guidelines, all of which include specific sections on firewall configuration, management and audit. This paper examines the types of firewall in operation today and cross-references the operation of each with the causes and effects of weaknesses in that operation. In addition, we analyze reported problems with existing firewalls. A detailed analysis and comparison of the open-source Packet Filter (PF) firewall, Checkpoint SPLAT and Cisco ASA is carried out in terms of cost, security, operational ease and implementation, in a test environment with laboratory-generated traffic. Throughput and connection statistics were used as the benchmarks for the performance comparison. The results indicate that Cisco ASA outperforms its peers on most performance criteria, while Checkpoint SPLAT and OpenBSD PF also provide reasonably good and competitive performance. The results reported in this paper should also be useful when comparing vendors in order to procure a firewall that matches an organization's own business requirements.
Date of Conference: 24-25 Feb. 2011