How to Measure the Performance of Personal Firewalls

A question from a reader:


I am currently a student at Liverpool John Moores University in BEng Computer and Control engineering and I have got a project to do.

The title of the project is “Performance of firewalls”, the goal is to compare the performance of different personal firewalls. I have already done a theoretical study thanks to your web page on firewalls and others books.

Now I’m faced with several problems for the practical test, because I do not know really how I can test the performances of different personal firewalls, how I can launch threats against the firewall to see his reaction, I wanted to know if you are able to guide me for carrying on my project, or when you can point me to people that could help me.

And my response (after the jump):

To test how well firewalls work, I’d get a computer with lots of vulnerabilities (such as a fresh installation of Windows XP, with no updates) and put together a suite of attacks. Install the firewall software, start Performance Monitor recording key performance statistics, and then attempt lots of bad things against it.

First, start by doing normal tasks on the computer and see how much the firewall interferes. Visit regular, safe websites, and measure how annoying the firewall is and how much it slows down the computer.

Next, start testing for vulnerabilities. For attacks across the (local) network, Nessus is good–it will attempt hundreds of attacks. There are other software packages that do automated attacks against a computer, too. Here are some:

I suspect any firewall will block all those vulnerabilities, however.

You’ll also need to include attacks initiated from the client side, like visiting websites that automatically attempt to install malware (such as those that exploit ActiveX vulnerabilities) or trick the user into installing something. I always have a hard time finding such websites, since google blocks them from search results, but there are literally thousands out there. You might have luck by misspelling common urls (such as

Good luck, and let me know if there’s something else I can do to help.

Comments are closed.