Performance Modelling and Evaluation of Firewall Architectures for Multimedia Applications

Authors

  • Utz Roedig
  • Jens B. Schmitt
Abstract

Firewalls are a well-established security mechanism to restrict the traffic exchanged between networks to a certain subset of users and applications. In order to cope with new application types like multimedia applications, new firewall architectures are necessary. The performance of these new architectures is a critical factor because Quality of Service (QoS) demands of multimedia applications have to be satisfied. We show how the performance of firewall architectures for multimedia applications can be determined. A model is presented which can be used to describe the performance of multimedia firewall architectures. This model can be used to dimension firewalls for usage with multimedia applications. In addition, we present the results of a lab experiment, used to evaluate the performance of a distributed firewall architecture and to validate the model.

1 Motivation and Introduction

Within a global networked environment, security aspects have become more and more important and access control at network borders is considered essential. For this purpose firewalls are used. As an integral part of the network infrastructure, firewalls are strongly affected by the development and deployment of new communication paradigms and applications. Recently, there has been a rise in the use of multimedia applications which, from the perspective of firewalls, differ in many aspects from "traditional" applications. One of the most important aspects is the difference in performance requirements. Existing firewalls are not able to support multimedia applications in an efficient and secure manner [1]. In particular, a traditional firewall may not be able to support the QoS requirements of a multimedia application. To overcome these deficiencies, new firewall architectures are currently discussed and proposed. Besides many other facets, e.g. security, maintainability and flexibility, these are intended to optimize firewall performance.

Of course, all these characteristics have to be optimized simultaneously to meet the given requirements. Currently, appropriate methods and tools to evaluate the performance of multimedia firewall architectures are missing. Hence, ascertained performance parameters of proposed firewall architectures are also unavailable. To solve these problems the following topics are covered in this paper: (i) analysis of performance bottlenecks in multimedia firewall architectures; (ii) performance modelling of multimedia firewall architectures; (iii) experimental performance evaluation and model validation.

In the remaining paragraphs of this section the terms "multimedia application" and "firewall architecture" are described in detail as they are used in the context of this paper. In Section 2, the parameters which characterize the performance of a multimedia firewall are defined. Further, performance bottlenecks in firewall architectures are analyzed. In Section 3, the performance model is introduced. In Section 4, the lab experiment is described, including the measurement methods and tools that were used. In Section 5, the experimental results are compared with the model and the model is validated. Section 6 reviews related work. In the last section, our findings are summarized.

Multimedia Applications. Multimedia applications use a combination of continuous and discrete media data, with the continuous media usually being audio and/or video streams. The discrete media often consist of control data streams for the audio and video data streams and additional information. In order to describe communication scenarios, the following terms are defined to distinguish the granularity at which an application's data stream is considered. A flow is a single data stream, identified by a tuple of characteristic values (e.g. source address, source port, destination address, destination port, protocol number). A session describes the association of multiple flows which together constitute an application's data stream.

Firewall Types and Architectures. A firewall examines all network traffic between connected networks. Only data that is explicitly allowed by the security policy is able to pass through it. The tasks of a firewall are well defined, but there are many possible firewall architectures to fulfil them. Firewalls may consist of different firewall components, e.g. filters, stateful filters or proxies. In addition, the applications may interact explicitly with a firewall to support it in fulfilling its task. To select a useful architecture for use in conjunction with multimedia applications, the basic evolution of firewall types illustrated in Figure 1 has to be taken into account [1].

[Figure 1: Firewall Types, panels a) to d); legend: Signalling Processing, Media Processing, Combined Processing]

Figure 1a) abstractly describes the behavior of a "standard firewall". All traffic is sent through the firewall component which is responsible for applying the security functionality. In this case the specific characteristics of multimedia applications' traffic are not taken into account. If these specific characteristics are taken into account (as shown in Figure 1b)), it is obvious that the same firewall component has to take care of the different traffic types of the different traffic flows (control and media flows). In this case, it is not possible to adapt the one firewall component to the needs of the two different flow types. This results in many problems, in particular performance problems [2]. To overcome this weakness, two different firewall components for the processing of the two different flows can be used (Figure 1c)) [1]. This additional degree of freedom allows specific component optimizations for the different flow types. To maintain session state within the firewall, information exchange between the components is necessary. If the separation between signalling and media processing is further extended by even physically distributing them (Figure 1d)), additional optimizations are possible [1], [3]. In this case the information exchange between the components has to be realized by an appropriate network protocol [4].

The implementation of the useful firewall types shown in Figure 1c) and Figure 1d) leads to the different multimedia firewall architectures that are currently proposed. The remainder of the paper focuses on these architectures:

• Architecture AI (implementation of firewall type c)): The firewall consists of a single computer system containing a signalling and media flow processing component. Well known firewalls following this design principle include firewall products like CISCO's PIX and Checkpoint's Firewall-1.
• Architecture AII (implementation of firewall type d)): The firewall consists of several computers. A well defined interface between signalling and media processing component(s) is used. A practical implementation of such an architecture is the Netscreen 500 firewall for SIP based IP-telephony applications [5].
• Architecture AIII (implementation of firewall type d)): In this case, the signalling processing component already available within multimedia applications in end systems is used. By choosing this architecture, the need for centralized signalling processing components is avoided. These systems are not used today, but theoretical work exists [4].

To select one of the architectures, one has to consider the advantages and disadvantages and rate how important they are in the considered target scenario. Independently of these considerations, the firewall system has to be dimensioned to meet the QoS requirements of multimedia applications. It is necessary to know how many signalling and media processing units are necessary and what capacity they should have.

2 Firewall Performance

To determine the performance of a multimedia firewall architecture it is necessary to first define the term performance in this context. The performance of a firewall, or of a firewall architecture, is defined by: (i) its influence on applications' QoS parameters; (ii) its total capacity. The influence on QoS parameters of multimedia applications by a firewall within the communication path should be low and predictable. The maximum possible throughput, its capacity, should be as high as possible.

2.1 Quality of Service Parameters

To be able to rate the performance of a multimedia firewall, useful quality parameters have to be defined. These quality parameters should allow the objective validation of a firewall's performance. In the following, the necessary QoS parameters of multimedia applications are described. From these parameters, the quality parameters necessary to rate firewalls are derived.

Signalling Flow. The quality of the signalling plane is mostly influenced by the session setup delay. If the time necessary for a session setup is too long, a user of a multimedia application will feel disturbed or will regard the connection's quality as unacceptable. The following definition is used: The session setup time is the time from the setup of the control flow until the start of the first media flow. The determination of boundary values and an exact definition depends on the type of investigated application. The session setup time can also be divided into substeps, which might be subject to different requirements. The requirements for the session setup time for IP-telephony applications are described below, because these applications are used in the experiment described in Section 4. Figure 2 describes the substeps within the session setup as used in H.323 based IP-telephony applications [7]. In this case, the session setup time is given by . In addition, the post dial delay and post pickup delay can be defined. The post pickup delay is particularly critical. If the latter value is too high, the first words of the conversation are lost because the media channels are not yet established. Boundary values can be derived from values given for ISDN networks [6]. The post dial delay should be between 2 and 7 seconds, the post pickup delay should be between 0.75 and 2 seconds.

Media Flow. The media flows also have to meet specific requirements. Possible effects if specific bounds are violated are, for example, echo or noise. The characteristic parameters to describe the quality of a media stream are delay, jitter and loss. As the experiments described in this paper target the control plane, we refer to [1] for a detailed definition and explanation of these parameters.

Quality Index. Firewall quality indices can be derived from the previously described QoS parameters of multimedia applications. The following definition for quality indices is used: The quality index defines the percentage of the upper bound of a QoS parameter of a specific multimedia application that is consumed by the firewall. The different quality indices may depend on the number of similar active application sessions that are handled by the firewall. The quality indices are then given by:
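The quality-index definition above carried through on constructed call-setup traces, as an added example that is not code from the paper: the substep boundaries (alerting marks the end of the post dial delay, pickup the start of the post pickup delay) and the formula (the firewall's share is the delay measured with the firewall in the path minus the delay measured without it) are assumptions; only the upper bounds of 7 s and 2 s come from the text.

```python
from __future__ import annotations
from dataclasses import dataclass

# Upper bounds from the paper's ISDN-derived requirements (seconds).
POST_DIAL_BOUND_S = 7.0
POST_PICKUP_BOUND_S = 2.0


@dataclass(frozen=True)
class SetupTrace:
    """Timestamps (seconds) of one call's setup substeps; event names are assumed."""
    control_setup: float  # control flow opened: start of the session setup
    alerting: float       # callee alerted: end of post dial delay (assumption)
    pickup: float         # callee answers
    first_media: float    # first media flow starts: end of the session setup

    def session_setup_time(self) -> float:
        return self.first_media - self.control_setup

    def post_dial_delay(self) -> float:
        return self.alerting - self.control_setup

    def post_pickup_delay(self) -> float:
        return self.first_media - self.pickup


def quality_index(with_fw: float, without_fw: float, bound: float) -> float:
    """Percentage of a QoS parameter's upper bound consumed by the firewall.
    Assumed formula: consumed = delay with firewall - delay without firewall."""
    consumed = max(with_fw - without_fw, 0.0)
    return 100.0 * consumed / bound


def indices_per_load(reference: SetupTrace, loaded: dict[int, SetupTrace]) -> dict[int, dict[str, float]]:
    """Quality indices as a function of the number of concurrent sessions n."""
    return {
        n: {
            "post_dial": quality_index(t.post_dial_delay(), reference.post_dial_delay(), POST_DIAL_BOUND_S),
            "post_pickup": quality_index(t.post_pickup_delay(), reference.post_pickup_delay(), POST_PICKUP_BOUND_S),
        }
        for n, t in sorted(loaded.items())
    }


def max_sessions_within(indices: dict[int, dict[str, float]], max_percent: float) -> int:
    """Dimensioning: largest measured session count whose indices all stay under max_percent."""
    ok = [n for n, qi in indices.items() if all(v <= max_percent for v in qi.values())]
    return max(ok) if ok else 0


# Constructed sample traces (not measurements from the paper).
REFERENCE = SetupTrace(0.0, 1.20, 4.00, 4.30)  # no firewall in the path
LOADED = {1: SetupTrace(0.0, 1.34, 4.00, 4.40),
          10: SetupTrace(0.0, 1.90, 4.00, 4.70),
          50: SetupTrace(0.0, 3.50, 4.00, 5.10)}
```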


Similar sources

Firewall-Architekturen für Multimedia-Applikationen

In this thesis on Firewall Architectures for Multimedia Applications solutions are developed and discussed that enable the usage of multimedia applications in network environments where firewalls are employed. The provided solutions cover optimizations of existing firewall architectures as well as the development of new mechanisms to implement firewall architectures. Within a global networked e...


Reliability and Performance Evaluation of Fault-aware Routing Methods for Network-on-Chip Architectures (RESEARCH NOTE)

Nowadays, faults and failures are increasing especially in complex systems such as Network-on-Chip (NoC) based Systems-on-a-Chip due to the increasing susceptibility and decreasing feature sizes. On the other hand, fault-tolerant routing algorithms have an evident effect on tolerating permanent faults and improving the reliability of a Network-on-Chip based system. This paper presents reliabili...


Modeling and performance evaluation of transport protocols for firewall control

Firewalls are a crucial building block for securing IP networks. The usage of out-ofband signaling protocols such as SIP for IP telephony and multimedia applications requires a dynamic control of these firewalls and imposes several challenges. Recently, several firewall control architectures and protocols have been developed. The main focus of this paper is the Simple Middlebox Configuration Pr...


The Effect of Workshop and Multimedia Training Methods on Nurses’ Knowledge and Performance on Blood Transfusion

Background: Blood transfusion faults and its consequences are major concerns of health care systems. This study aimed to determine the effects of workshop and multimedia training methods on nurses’ knowledge and performance about blood transfusion. Methods: It was a controlled quasi-experimental study. Sampling was conducted. Data were collected from 37 participants in three hospit...


An Analytical Performance Model of FPGAs for Reconfigurable Processing

Optimizing FPGA architectures is one of the key challenges in digital design flow. Traditionally, FPGA designers make use of CAD tools for evaluating architectures in terms of the area, delay and power. Recently, analytical methods have been proposed to optimize the architectures faster and easier. A complete analytical power, area and delay model have received little attention to date. In addi...


Publication date: 2004