early version of the next generation firewall from Positive Technologies

Technical characteristics of stand components

We used the demo sample PT-NGFW-GW-HW-3010-X-NIC as the PT NGFW server.

Server: Positive Technologies Next Generation Firewall security gateway GW-3010, 2U chassis, network interfaces 1 Gbps RJ-45 and 10 Gbps SFP+, additional hardware card PT-NGFW-NIC-4X (4 x 10 Gbps SFP+ network card). For the demonstration the Lenovo SR650 platform was used.

What else was included in the stand:

PT NGFW control system server

Virtual machine on a VMware ESXi 7.0.3 hypervisor (build 20328353)

8 vCPU, 64 GB RAM, 130 GB storage

Operating system: Debian 11.4

Traffic generator server (Tgen)

Dell PowerEdge R840 Server

4 x 24 cores, Intel Xeon Gold 6252 2.1 GHz, 2 TB RAM, 250 GB storage

Ports:

– 4 x 10GbE (SFP+) (Intel based)

– 1 x 1GbE (RJ-45)

Operating system: Debian 11.4

Administrator's workstation (Wstation)

2-core Intel Xeon Gold 5218R 2.1 GHz, 2 GB RAM

Operating system: Windows Server 2022 Standard

Test workstation (Ustation1)

Intel Core i7-9700 3.0 GHz, 16 GB RAM, 1 TB storage

Operating system: Windows 10 Pro

Test workstation (Ustation2)

Intel Core i5-8400 2.8 GHz, 16 GB RAM, 1 TB storage

Operating system: Windows 10 Pro

Host victim (Victim)

4 vCPU, 4 GB RAM, 30 GB storage

Operating system: Debian 11.7

Attacker host

4 vCPU, 4 GB RAM, 30 GB storage

Operating system: Debian 11.7

Switch (QTECH)

Qtech QSW-6300-32F

Firmware: 12.5(4)B0101, Release 09152511

Switch (Extreme)

Extreme Networks 3626GTS

Firmware: 6.1.0.0

Software: 6.4.2.007

Corporate Firewall (Corporate NGFW)

Check Point

Stand diagrams

For the functional and load tests we used the following bench layouts.

To carry out load tests:

And for functional testing:

Test results

To begin with, here is the list of functional and load tests that PT NGFW underwent.

Load checks:

  • Bandwidth in IPS mode: at least 10 Gbit/s.

  • Simultaneous sessions: at least 10,000,000.

  • Support for extended VLAN ID range: no less than 4096.

  • Maximum number of active VLANs: at least 4096.

Functional tests:

  • Web interface for equipment management.

  • Configurable logging of individual access list lines.

  • Centralized management of device settings and security policies (filtering, IPS).

  • Create, distribute and store security policies using a hierarchical model.

  • Support for system management via an API.

  • At least 4 contextual firewall operating modes.

  • Application detection and blocking.

  • Stateful traffic filtering (connection tracking).

  • Traffic filtering by source and destination IP address.

  • Traffic filtering by IP-encapsulated protocol and by port.

  • Function for creating object groups to simplify access lists.

  • Function for adjusting the system configuration in real time without stopping processing.

  • Analysis of traffic transmitted over the IPv4 protocol.

  • Support for HTTPS inspection: TLS decryption with certificate substitution.

  • Detection of intrusions in traffic using signatures.

Tested operating modes:

  • 802.1Q VLAN tagging. An open standard that describes a procedure for tagging traffic to convey VLAN membership information. Because 802.1Q does not change the frame headers, network devices that do not support the standard can forward the traffic without regard to its VLAN membership; 802.1Q places a tag inside the frame that carries the VLAN membership information.

  • Static routing support.

  • Throughput in firewall mode of at least 30 Gbit/s with 85,000 rules loaded.

  • IPS throughput of at least 10 Gbit/s with 85,000 rules loaded.

  • The number of rules does not affect firewall throughput.

Additional checks:

  • When creating an object, a port can be bound to a protocol at the application level.

Example: if access is opened on TCP port 80 and the port is bound to the http application, only HTTP traffic should pass; a request sent to this port that is not HTTP should be blocked (protocol inspection on the firewall).
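As an added illustration (not PT NGFW code), the check described above modelled in Python: a rule object binds TCP/80 to the http application, and a new session on that port is allowed only if its first client bytes form a valid HTTP/1.x request line, while a port-only rule passes anything. The rule format, the `looks_like_http` classifier and the sample payloads (including the example.test host and the SSH banner) are constructed here; a real NGFW classifier inspects more of the stream and both directions.

```python
import re

# Illustrative model of an access-list object that binds a TCP port to an
# application-layer protocol (constructed for this example, not PT NGFW code).
# With TCP/80 bound to "http", only HTTP passes; other traffic on the port is dropped.

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}
# RFC 9112 request-line: method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")


def looks_like_http(payload: bytes) -> bool:
    """True if the first client->server bytes form an HTTP/1.0 or HTTP/1.1 request line."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    method, _target, major, minor = m.groups()
    return method.decode() in HTTP_METHODS and (major, minor) in {(b"1", b"0"), (b"1", b"1")}


# Application classifiers keyed by the application name used in the rule object.
APP_CLASSIFIERS = {"http": looks_like_http}


def evaluate_rule(rule: dict, dst_port: int, first_payload: bytes) -> str:
    """Decide 'allow' or 'drop' for a new TCP session under one allowing rule.

    rule = {"port": 80, "app": "http"}; app=None is a plain L4 port rule with
    no protocol inspection, shown for contrast.
    """
    if dst_port != rule["port"]:
        return "drop"  # L4 service does not match the rule
    app = rule.get("app")
    if app is None:
        return "allow"  # port-only rule: anything on the port passes
    return "allow" if APP_CLASSIFIERS[app](first_payload) else "drop"


# Constructed sample first payloads (not captures from the test stand).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")  # TLS record header, not HTTP
SSH_BANNER = b"SSH-2.0-OpenSSH_9.2\r\n"

RULE_TCP80_HTTP = {"port": 80, "app": "http"}  # the page's example binding
RULE_TCP80_ANY = {"port": 80, "app": None}

if __name__ == "__main__":
    for name, payload in [("HTTP GET", HTTP_GET), ("TLS ClientHello", TLS_CLIENT_HELLO), ("SSH banner", SSH_BANNER)]:
        print(f"{name:16s} on TCP/80 bound to http -> {evaluate_rule(RULE_TCP80_HTTP, 80, payload)}")
```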

For an early version, the list of supported functions is already significant. In addition, the vendor promises to release the next two versions in 2024, in May and November. The May 2024 release, for example, is to bring:

  • Custom IPS signatures, IPS profiles, and expanded intrusion prevention system settings.

  • GeoIP support (we are really looking forward to this feature, tricky tests have already been prepared)

  • URL filtering.

  • Failover cluster support.

  • NAT support.

Also in May 2024, the guys from Positive Technologies promise to present their own hardware platforms for a Russian-made firewall. Our team will definitely retest them.

Results of load testing the PT NGFW firewall

Now comes the fun part. How accurate are the throughput figures that the vendor actively publishes in its materials? The results of our load tests are in the table below.

Both measurement columns were taken with 85,000 rules loaded in each of the 4 firewall contexts; the traffic matched none of the rules except the last, allowing one, so every rule was evaluated. Application Control (L7) was enabled during all tests. Throughput values are in Gbit/s; CC is concurrent connections, CPS is new connections per second.

  • Simple rules: 1 source and 1 destination (addresses with a /32 prefix) and one service.

  • Medium-complexity rules: 5 sources and 5 destinations (/32 subnets) and a service group of 5 services, each with one port/protocol.

| Function | Parameter | Simple rules | Medium-complexity rules |
| --- | --- | --- | --- |
| FW+APP CONTROL | Throughput on EMIX traffic profile, Gbit/s | Rx 36 / Tx 35.8 / CPU 16.5% | Rx 36.1 / Tx 35.9 / CPU 15.6% |
| FW+APP CONTROL+IPS | Throughput on EMIX traffic profile, Gbit/s | Rx 29.5 / Tx 29.3 / CPU 86% | Rx 29.5 / Tx 29.3 / CPU 85% |
| FW+APP CONTROL | Throughput on UDP traffic, 64-byte packets, Gbit/s | Rx 8.47 / Tx 8.47 / CPU 8.6% | Rx 8.71 / Tx 8.71 / CPU 9.4% |
| FW+APP CONTROL+IPS | Throughput on UDP traffic, 64-byte packets, Gbit/s | Rx 8.45 / Tx 8.45 / CPU 12.4% | Rx 8.64 / Tx 8.64 / CPU 12.3% |
| FW+APP CONTROL | Throughput on UDP traffic, 512-byte packets, Gbit/s | Rx 37.5 / Tx 37.5 / CPU 5% | Rx 37.4 / Tx 37.4 / CPU 4.6% |
| FW+APP CONTROL+IPS | Throughput on UDP traffic, 512-byte packets, Gbit/s | Rx 37.4 / Tx 37.4 / CPU 11.8% | Rx 37.4 / Tx 37.4 / CPU 12.6% |
| FW+APP CONTROL | Throughput on UDP traffic, 1500-byte packets, Gbit/s | Rx 40 / Tx 40 / CPU 1.2% | Rx 39.8 / Tx 39.8 / CPU 1.2% |
| FW+APP CONTROL+IPS | Throughput on UDP traffic, 1500-byte packets, Gbit/s | Rx 39.9 / Tx 39.9 / CPU 5.1% | Rx 40 / Tx 40 / CPU 5.2% |
| FW+APP CONTROL | Maximum number of TCP sessions | Rx 7.49 / Tx 7.79 / CC 12.6M / CPU 11.3% | Rx 7.52 / Tx 7.82 / CC 12.6M / CPU 10.4% |
| FW+APP CONTROL+IPS | Maximum number of TCP sessions | Rx 7.51 / Tx 7.81 / CC 12.6M / CPU 44.6% | Rx 7.49 / Tx 7.79 / CC 12.6M / CPU 45% |
| FW+APP CONTROL | Maximum new sessions per second (CPS) | Rx 11 / Tx 11.4 / CPS 711k / CPU 21% | Rx 11.1 / Tx 11.5 / CPS 711k / CPU 20.2% |
| FW+APP CONTROL+IPS | Maximum new sessions per second (CPS) | Rx 11.5 / Tx 11.1 / CPS 712k / CPU 70.8% | Rx 11 / Tx 11.4 / CPS 711k / CPU 69.3% |
| FW+APP CONTROL | Throughput on HTTP traffic, 64 KB response size, Gbit/s | Rx 39.4 / Tx 38.5 / CPU 6.4% | Rx 39.4 / Tx 38.5 / CPU 5.6% |
| FW+APP CONTROL+IPS | Throughput on HTTP traffic, 64 KB response size, Gbit/s | Rx 29.2 / Tx 28.6 / CPU 14.3% | Rx 27.2 / Tx 26.6 / CPU 14% |
| FW+APP CONTROL | Throughput on HTTP traffic, 256 KB response size, Gbit/s | Rx 37.8 / Tx 37.8 / CPU 6.4% | Rx 36 / Tx 36 / CPU 5.4% |
| FW+APP CONTROL+IPS | Throughput on HTTP traffic, 256 KB response size, Gbit/s | Rx 32.1 / Tx 31.9 / CPU 19% | Rx 29.5 / Tx 29.3 / CPU 20% |
| FW+APP CONTROL+IPS | HTTP connection setup rate per second | Rx 11.5 / Tx 11.1 / CPU 70.8% | Rx 11 / Tx 11.4 / CPU 69.3% |

Conclusions:

Overall, our technical team was pleased with the test results.

Pros:

  • hierarchical model of security policy management. This approach should be especially convenient for our clients with extensive divisional structures. You can create groups and subgroups of devices in which rules are inherited;

  • flexibility in setting up the rules themselves and the results of their work (you can not only drop packets, but also, for example, close a session);

  • the presence of virtual contexts, which we frankly missed in Russian solutions. You can divide one box into 100-150 logical ones and build complex logical topologies;

  • the speed of applying policies is practically independent of the load on the firewall. We loaded 85,000 filtering rules under a 30 Gbps load and all the rules were applied in less than two minutes;

  • open API. As you can imagine, we would be especially sad to load 85,000 rules without it;

  • really fast IPS (the vendor didn’t deceive us here). We compared performance with IPS on and off and found no more than a 10% difference (for most domestic solutions, our tests showed a difference many times greater);

  • support for a large number of rules and a weak impact of the number of rules on performance.

Cons:

  • lack of NAT and dynamic routing in a modern firewall (Positive Technologies promises to add them in the next version, and we will definitely follow the updates);

  • lack of product documentation. We, of course, understand that we received the solution before the official release, but we would like to have at least some instructions for setting it up. To be fair, Positive Technologies was ready to advise us on every issue, but the lack of documentation greatly delayed our tests.
