NETWORK SECURITY

From the September 2004 issue of Communications News

Validating IPSec devices

Security at the network edge is expanding, driven by the need to keep external threats out and by the rapid corporate rollout of virtual private network (VPN) access for remote users and sites. Security within the LAN is also gathering momentum. Both trends are driving the development of high-performance network security devices that support IPsec, and these devices push IPsec testing beyond basic functional and interoperability checks toward performance and scalability validation.

The security provided by IPsec comes at a performance cost; how well an IPsec device makes the trade-off between security and performance is a required measurement. IPsec performance is also a key variable that device manufacturers use to position their products competitively. Enterprise network operators should dimension their network to handle the expected number of end users and sites interconnected through IPsec VPNs.

Many different devices support IPsec VPNs, each targeted for a specific network size and configuration and each filling a specific performance bracket. Network managers should evaluate all potential IPsec devices and determine which performance and configuration combination will provide optimal application and network performance for their enterprise.

IPsec provides encryption and authentication services for IP traffic, and these services add overhead (extra headers, padding and integrity check values) to every packet transported between IPsec endpoints. How well a device maximizes IPsec throughput and minimizes application latency across VPN connections is therefore an important measurement.
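The overhead just described can be quantified. As an added example (not from the original article or from Agilent), the following Python computes the on-the-wire size and bandwidth efficiency of ESP tunnel-mode encapsulation from the fixed header, trailer and padding rules in RFC 4303, with per-suite IV and ICV sizes from RFC 3602 (AES-CBC), RFC 2404 (HMAC-SHA1-96) and RFC 4106 (AES-GCM), plus the 8-byte UDP header added by NAT traversal (RFC 3948). The two cipher suites, the packet sizes and the 1500-byte MTU are assumptions chosen for illustration. It shows why small packets, such as voice, lose far more of the link to IPsec overhead than large ones, and why the largest inner packet that avoids fragmentation is not simply MTU minus a constant.

```python
"""ESP tunnel-mode overhead calculator (added example, not from the article)."""
from dataclasses import dataclass

# Fixed sizes, in bytes, from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation).
OUTER_IPV4_HEADER = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
UDP_NAT_T_HEADER = 8     # UDP header inserted for NAT traversal


@dataclass(frozen=True)
class CipherSuite:
    """Per-suite sizes. `align` is the boundary the ESP trailer must end on:
    the cipher block size for CBC modes, 4 bytes (the ESP minimum) otherwise."""
    name: str
    iv_len: int
    align: int
    icv_len: int


# Assumed suites for illustration; sizes per RFC 3602, RFC 2404 and RFC 4106.
AES_CBC_HMAC_SHA1_96 = CipherSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_16 = CipherSuite("AES-GCM with 16-byte ICV", iv_len=8, align=4, icv_len=16)


def esp_padding(inner_len: int, suite: CipherSuite) -> int:
    """Padding bytes so that payload + padding + trailer is a multiple of `align`."""
    return (-(inner_len + ESP_TRAILER)) % suite.align


def esp_tunnel_size(inner_len: int, suite: CipherSuite, nat_t: bool = False) -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    size = OUTER_IPV4_HEADER + ESP_HEADER + suite.iv_len + inner_len
    size += esp_padding(inner_len, suite) + ESP_TRAILER + suite.icv_len
    if nat_t:
        size += UDP_NAT_T_HEADER
    return size


def efficiency(inner_len: int, suite: CipherSuite, nat_t: bool = False) -> float:
    """Fraction of link bandwidth that carries the original (inner) packet."""
    return inner_len / esp_tunnel_size(inner_len, suite, nat_t)


def max_inner_for_mtu(mtu: int, suite: CipherSuite, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits in `mtu` bytes.
    Searches downward because padding makes the outer size non-monotonic in inner_len."""
    for inner in range(mtu, 0, -1):
        if esp_tunnel_size(inner, suite, nat_t) <= mtu:
            return inner
    raise ValueError(f"MTU {mtu} too small for {suite.name}")


if __name__ == "__main__":
    for suite in (AES_CBC_HMAC_SHA1_96, AES_GCM_16):
        print(suite.name)
        for inner in (64, 200, 576, 1400):          # assumed inner packet sizes
            outer = esp_tunnel_size(inner, suite)
            print(f"  inner {inner:5d} B -> outer {outer:5d} B, efficiency {efficiency(inner, suite):.1%}")
        print(f"  largest inner packet for a 1500-byte MTU: {max_inner_for_mtu(1500, suite)} B")
```

With AES-CBC and HMAC-SHA1-96 a 64-byte inner packet becomes 136 bytes on the wire, so less than half the link carries application data, while a 1400-byte packet keeps about 96 percent. This is why the article's advice to test with real application mixes, and with voice and video in particular, matters: a device's headline throughput figure measured with large packets says little about its performance under small-packet traffic.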

An IPsec device also needs to support a large number of concurrent IPsec connections (tunnels) and be able to establish new tunnels quickly. These measurements indicate how well a device will scale to support large numbers of enterprise end users and applications.

Applications and services running over IPsec VPNs include e-mail, Web browsing, file sharing, application data streaming and various client/server programs. Accurate qualification of an IPsec device requires testing with real, stateful application traffic.

As real-time voice and video become more common VPN applications, IPsec performance should be tested with such applications. Performance characterization of an IPsec device means testing with the types of applications that will be running in a real IPsec VPN environment.

Firewall support, VPN services, intrusion detection, intrusion prevention and virus scanning are being integrated into single-blade or single-module solutions for routers and switches. Standalone devices that combine several formerly single-function network security products (called integrated security appliances) are also emerging. This convergence of security functions imposes further test challenges because all features must coexist and operate simultaneously in a production network environment. Measuring IPsec performance in isolation is no longer sufficient; it should be evaluated with the other functions enabled.

The key metrics and performance benchmarks commonly used for IPsec devices are:

  • IPsec maximum active tunnels (how many IPsec VPN users a device can support);

  • IPsec tunnel setup rate and time (how quickly an IPsec device will be able to service VPN tunnel requests); and

  • IPsec stateful traffic throughput (the application performance to expect from an IPsec VPN connection).

An important first step in testing IPsec performance is to establish a test environment that simulates the enterprise network. Such a test environment should include emulated IPsec VPN clients and security gateways that initiate and establish many IPsec tunnels against the device under test. Stateful application traffic is then configured for transmission over these IPsec tunnels.

Equally important is verifying the characteristics of an IPsec device when it needs to accommodate many tunnels, with each tunnel transporting a realistic mix of applications. This will help to determine how the device will perform when deployed in a real enterprise network.
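The three benchmarks listed above (maximum active tunnels, tunnel setup rate and time, and stateful traffic throughput) can all be derived from the event stream such an emulated client population produces. As an added example, not from the article or from any Agilent product, the following Python parses a small, constructed log of tunnel events (IKE negotiation start, tunnel up, application data, tunnel down) and computes those metrics. The log format, the event names and the sample values are assumptions invented for the example; a real test tool would emit its own format. One tunnel in the sample never comes up, which the code reports as a setup failure rather than silently ignoring it, since a device that drops tunnel requests under load is exactly what the setup-rate test is meant to expose.

```python
"""IPsec tunnel benchmark metrics from an event log (added example, not from the article)."""
import re
from statistics import mean

# Constructed sample log; format and values are assumptions for this example.
# Tunnel 4 starts IKE negotiation but never reaches TUNNEL_UP.
SAMPLE_LOG = """\
t=0.000 tunnel=1 event=IKE_INIT
t=0.005 tunnel=2 event=IKE_INIT
t=0.010 tunnel=3 event=IKE_INIT
t=0.015 tunnel=4 event=IKE_INIT
t=0.048 tunnel=1 event=TUNNEL_UP
t=0.061 tunnel=2 event=TUNNEL_UP
t=0.090 tunnel=3 event=TUNNEL_UP
t=0.100 tunnel=1 event=DATA bytes=1400
t=0.200 tunnel=2 event=DATA bytes=1400
t=0.300 tunnel=1 event=DATA bytes=1400
t=0.400 tunnel=3 event=DATA bytes=600
t=0.500 tunnel=1 event=TUNNEL_DOWN
t=0.600 tunnel=3 event=DATA bytes=600
t=0.700 tunnel=2 event=TUNNEL_DOWN
t=0.800 tunnel=3 event=TUNNEL_DOWN
"""

EVENT_RE = re.compile(r"t=(\S+) tunnel=(\d+) event=(\w+)(?: bytes=(\d+))?$")


def parse_events(text: str) -> list[tuple[float, int, str, int]]:
    """Return (time, tunnel id, event, bytes) tuples sorted by time.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            t, tid, ev, nbytes = m.groups()
            events.append((float(t), int(tid), ev, int(nbytes) if nbytes else 0))
    # On equal timestamps count a teardown before a setup, so the peak is not overstated.
    events.sort(key=lambda e: (e[0], 0 if e[2] == "TUNNEL_DOWN" else 1))
    return events


def compute_metrics(text: str) -> dict:
    """Derive the benchmarks named in the article from the parsed event stream."""
    init_at, up_at = {}, {}
    active, max_active = set(), 0
    data_bytes, data_times = 0, []

    for t, tid, ev, nbytes in parse_events(text):
        if ev == "IKE_INIT":
            init_at.setdefault(tid, t)            # first request wins on retransmit
        elif ev == "TUNNEL_UP":
            up_at.setdefault(tid, t)
            active.add(tid)
            max_active = max(max_active, len(active))
        elif ev == "TUNNEL_DOWN":
            active.discard(tid)
        elif ev == "DATA":
            data_bytes += nbytes
            data_times.append(t)

    setup = {tid: up_at[tid] - init_at[tid] for tid in up_at if tid in init_at}
    failed = sorted(set(init_at) - set(up_at))   # requested but never established

    if setup:
        window = max(up_at.values()) - min(init_at.values())
        setup_rate = len(setup) / window if window > 0 else float("inf")
    else:
        setup_rate = 0.0

    # Goodput over the interval in which application data was observed.
    span = (max(data_times) - min(data_times)) if len(data_times) > 1 else 0.0
    goodput_bps = data_bytes * 8 / span if span > 0 else 0.0

    return {
        "established": len(setup),
        "failed": failed,
        "mean_setup_s": mean(setup.values()) if setup else 0.0,
        "max_setup_s": max(setup.values()) if setup else 0.0,
        "setup_rate_per_s": setup_rate,
        "max_active": max_active,
        "goodput_bps": goodput_bps,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(SAMPLE_LOG).items():
        print(f"{key:18s} {value}")
```

On the sample log this reports three tunnels established and one failed, a mean setup time of about 61 ms with a worst case of 80 ms, a setup rate of about 33 tunnels per second, a peak of three simultaneously active tunnels, and application goodput of 86.4 kbit/s over the data interval. In a real run the same calculation is applied to thousands of emulated tunnels, and the failed-tunnel count and the growth of setup time with load are usually more revealing than the averages.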

For more information from Agilent:
www.rsleads.com/409cn-252

This article was provided by Peter Atanasovski, who is in the Australian office of Agilent Technologies, which is based in Palo Alto, Calif.