Ipolicy Networks' ipEnforcer Enforces Security Policies

Increase security by separating network traffic according to access rights and policies.

April 9, 2004

2 Min Read

We tested an ipEnforcer 3400 at the Network Performance Research Lab at Cal Poly-San Luis Obispo. The device we received, a 2U, rack-mountable unit with three Gigabit Ethernet interfaces, comes with a separate 10/100-Mbps link for the management connection. We also were sent a 1U rack-mountable USM (Unified System Manager) Express 3000. This essential management device is sold separately and can be used to configure up to 1,000 ipEnforcers. The idea is to distribute your 3400s around your enterprise and use one USM to manage them all. The connection between the USM and the 3400 is secured using SSL.

We ran a wizard on the USM 3000 to configure basic USM and 3400 device information, including management IPs, interface IPs and NAT (Network Address Translation) features. We set up the 3400 as a gateway, and used two Gigabit Ethernet links for our test network, which comprised a security domain for LAN traffic and a DMZ of five Web servers, one e-mail server and one DNS server. We used the third Gigabit Ethernet link for Internet access.

Running Traffic

IPENFORCER 3400, starts at $13,950. iPolicy Networks, (510) 687-3000. www.ipolicynetworks.com

To test load, we set up an Ixia 1600T running IxWeb to generate HTTP and FTP traffic from 200 simulated users. The multiple traffic streams from the Ixia device were sent through our Extreme Networks Summit1i switch and into the 3400's LAN interface. The WAN traffic returned through a similar path.

The 3400 throughput peaked at 400 Mbps. URL filtering and intrusion-detection monitoring had almost no impact on throughput or latency. To tax the device further, we added 102 rules to the firewall. There was no change in performance.

Next we tested the 3400's intrusion-detection/-prevention functionality. The 3400 provides signatures for detecting more than 1,400 intrusions and lets you create custom signatures. Our test consisted of sending a SYN attack and a ping flood at the device. Both were detected.

We configured the response to the ping flood to rate-limit the incoming ICMPs once the attack was detected. This feature worked well, automatically throttling the ICMP traffic back. Upon detecting an intrusion, the device can also issue a warning to an admin, block the intrusion, or issue a notice while hardening the 3400's firewall by dropping the offending traffic for a preconfigured length of time.
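The two responses described above, detect a ping flood and then either rate-limit ICMP or drop traffic for a set period, can be modelled in a few lines. The following is an added illustration written for this article, not iPolicy's code; the thresholds (100 packets per second over a one-second window, a 10 pps limit once throttling starts) and the traffic mix are constructed assumptions.

```python
from collections import deque

class IcmpFloodGuard:
    """Detect an ICMP flood over a sliding window, then throttle or block.

    Hypothetical thresholds: a flood is more than detect_pps packets in the
    window; once detected, ICMP is rate-limited to limit_pps with a token
    bucket, or (block_secs > 0) everything is dropped for that long.
    """
    def __init__(self, detect_pps=100, window=1.0, limit_pps=10, block_secs=0.0):
        self.detect_pps, self.window = detect_pps, window
        self.limit_pps, self.block_secs = limit_pps, block_secs
        self.recent = deque()          # arrival times within the window
        self.throttling = False
        self.blocked_until = None
        self.tokens = float(limit_pps)
        self.last_refill = 0.0

    def handle(self, t):
        """Return 'pass', 'throttle' or 'drop' for an ICMP packet at time t."""
        if self.blocked_until is not None and t < self.blocked_until:
            return 'drop'
        self.recent.append(t)
        while self.recent[0] <= t - self.window:   # expire old arrivals
            self.recent.popleft()
        if not self.throttling and len(self.recent) > self.detect_pps * self.window:
            self.throttling, self.last_refill = True, t   # flood detected
            if self.block_secs > 0:                       # "harden" response
                self.blocked_until = t + self.block_secs
                return 'drop'
        if not self.throttling:
            return 'pass'
        # token bucket refilled at limit_pps; one token per admitted packet
        self.tokens = min(self.limit_pps, self.tokens + (t - self.last_refill) * self.limit_pps)
        self.last_refill = t
        if self.tokens >= 1:
            self.tokens -= 1
            return 'pass'
        return 'throttle'

def simulate(block_secs=0.0):
    """Constructed traffic: 5 pps of normal pings for 2 s, then a 500 pps flood for 1 s."""
    guard = IcmpFloodGuard(block_secs=block_secs)
    stats = {'normal': {'pass': 0, 'throttle': 0, 'drop': 0},
             'flood': {'pass': 0, 'throttle': 0, 'drop': 0}}
    for j in range(10):
        stats['normal'][guard.handle(j * 0.2)] += 1
    for i in range(500):
        stats['flood'][guard.handle(2.0 + i * 0.002)] += 1
    return stats

if __name__ == '__main__':
    print(simulate())                # rate-limit response
    print(simulate(block_secs=5))    # drop-for-a-period response
```

In rate-limit mode the normal pings all pass, the flood is detected about 100 packets in, and the remaining flood traffic is held to roughly the 10 pps budget; in block mode every packet after detection is dropped until the timer expires.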

URL filtering is supported on HTTP, POP3 and FTP. We tried to access 120 porn and gambling sites through the device. The 3400's blacklist caught 119.

Hugh Smith is a professor in the computer science department at California Polytechnic University in San Luis Obispo and a member of the Cal Poly Network Performance Research Lab. Jesse Englert and Michael Watts are members of the NetPRL testing team. Write to them at [email protected].
