Integrating and Benchmarking Security Gateway with Open Source Firewall, VPN, and IDS

Master's thesis, National Chiao Tung University, Department of Computer Science, academic year 89 (ROC calendar).

Full description

Network security has become a critical issue for enterprises. In this work, we first demonstrate how to build a security gateway capable of firewall, VPN, and IDS functions by integrating open source packages: Linux kernel, ipchains (packet filter), Squid (URL filter), TIS (content filter), FreeS/WAN (VPN), and Snort (IDS). We patch the kernel to ensure interoperability of these packages. Next, we compare this open source solution with commercial products and observe that ipchains and FreeS/WAN are viable but TIS and Snort have performance problems. Our detailed internal benchmarking reveals that 3DES encryption in FreeS/WAN tops the ranking of packet-processing cost within the kernel, at 9 times that of MD5 authentication and 31 times that of NAT for 1518-byte packets, and that TIS tops the ranking of request/response processing cost at the daemon level, several orders of magnitude higher than Snort and Squid. Further code tracing identifies the improper implementation in TIS and the less scalable linear matching algorithms in ipchains and Snort. Finally, to scale up these packages, we suggest ways of improvement, including enhanced matching algorithms, proper implementation tips, function relocation from daemon to kernel, and hardware accelerators.

Bibliographic Details
Title (Chinese): 具有開放原始碼防火牆、虛擬私有網路與入侵偵測系統的安全閘道器之系統整合與效能檢測
Main Author: Shao-Tang Yu (余少棠)
Other Authors: Ying-Dar Lin (林盈達)
Format: Others
Type: Degree thesis
Language: en_US
Published: 2001
Online Access: http://ndltd.ncl.edu.tw/handle/28383009190883781178