Processing time comparison of a hardware-based firewall and its virtualized counterpart

Abstract

The network functions virtualization (NFV) paradigm promises higher flexibility, vendor-independence, and higher costefficiency for network operators. Its key concept consists of virtualizing the functions of specialized hardware-based middleboxes like load balancers or firewalls and running them on commercial off-the-shelf (COTS) hardware. This work aims at investigating the performance implications that result from migrating from a middlebox-based hardware deployment to a NFV-based software solution. Such analyses pave the way towards deriving guidelines that help determining in which network environments NFV poses a viable alternative to today’s middlebox-heavy architectures. To this end, a firewall is chosen as an exemplary network function and a performance comparison between a dedicated hardware device and a commercially distributed virtualized solution by the same vendor is drawn. This comparison focuses on the packet delay, while varying the load level that is applied to the network function under test. Based on traffic measurements of a university campus network, conclusions regarding possible fields of application are drawn.