The BreakingPoint Resiliency Score - Fortinet

FortiGate-3950B Scores 95/100 on BreakingPoint Resiliency Score 

(Security, Performance, & Stability) 

Overview 

Fortinet® FortiGate®-3950B enterprise consolidated security appliance has 

achieved a BreakingPoint Resiliency Score of 95/100 - the highest 

published score on record. The BreakingPoint Resiliency Score is a test based 

on industry standards for performance, security and stability of network and 

security devices. The BreakingPoint Resiliency Score is presented as a 

numeric grade from 1 to 100. Networks and devices may receive no score if 

they fail to pass traffic at any point or they degrade to an unacceptable 

performance level. 

The BreakingPoint Resiliency Score establishes standards against which 

network and security devices are measured. It provides automated, 

standardized and deterministic methods for evaluating and ensuring the 

resiliency of networks, network equipment and data centers. The 

BreakingPoint Cyber Tomography Machines (CTM) provides a standard 

measurement of the performance, security and stability of networks and data 

centers using real-world application traffic, real-time security attacks, extreme 

user load and application fuzzing. 

The FortiGate-3950B appliance, running FortiOS 4.0 MR3 and utilizing 

its two built-in 10-GbE interfaces was tested. The evaluation was 

performed using one BreakingPoint Storm CTM containing one four-port 

10-GbE card. 

The BreakingPoint Resiliency Score validates the performance of Fortinet’s network security solutions using metric-based, 

rigorous real-world testing. Fortinet customers can deploy products with the utmost confidence, as these standards-based 

evaluations enable enterprises to easily determine the right fit for their environments. As demonstrated by the BreakingPoint 

Resiliency Score testing, the FortiGate-3950B appliance continues to impress with its security capabilities, scalability, flexibility 

and stability. 

For more information on the Fortinet FortiGate-3950B series please visit 

http://www.fortinet.com/products/fortigate/3950series.html 

FortiGate-3950B: Modular Security Platform 

Download the BreakingPoint whitepaper, “A Six-Step Plan for Competitive Device Evaluations” here 

http://www.breakingpointsystems.com/resources/white-papers/six-step-plan-competitive-device-evaluation-bakeoffs/

Firewall Resiliency Report 

1. Firewall Report 

Product: Fortinet FortiGate-3950B 

Resiliency Score: 95 

2. Synopsis 

Throughput 64: 93.75 

1518: 98.43 

Sessions Count: 100.00 

Rate: 79.94 

Rate: 100.00 

Robustness IP: pass 

UDP: pass 

TCP: pass 

Lab Real Session Stress Session Rate Stress 

Rate: 93.28 

Count: 100.00 

Security pass pass pass pass 

Overall Score 95.056404 

Throughput 

 

Sessions 

Measures a device’s ability to handle large numbers of TCP sessions and the rate at which it handles them. 

Robustness 

 

Security 

 

Overall Score 

A blended average of all sub-test. This number represents the over score relative to 

expected performance for the resiliency test.

2.1. Score Calculation 

Overall Score 

Calculation:(A(93) + B(98) + C(93) + D(100) + E(100) + F(79) + G(100)) / 7 

Overall Score = 95.06 

Throughput 

A) I EEE Throughput measurement of 64 byte frames A = (100 X Throughput Achieved[w/64]) / Max Wireline 

Throughput = (100 X 9375) / 10000 Score = 93 

B) IEEE Throughput measurement of 1518 byte frames B = (100 X Throughput Achieved[w/1518]) / Max Wireline 

Throughput = (100 X 9843) / 10000 Score = 98 

C) Throughput, Simulated Real World Conditions C = (100 X Application Frames Rate) / Max Application Frames 

Rate = (100 X 1399140) / 1500000 Score = 93 

Sessions 

D) Concurrent IETF 793 TCP Connections D = (100 X Number Flows) / Max Number Flows = (100 X 10000000) / 

10000000 Score = 100 

E) Concurrent IETF 2581 TCP and IETF 768 UDP Connections E =(100 X Number Flows) / Max Number Flows = 

(100 X 10069955) / 10000000 Score = 100 

F) IETF 793 TCP Connections/sec F = (100 X Flow Rate / Max Flow Rate = (100 X 119908) / 150000) Score = 79 

G) IETF 2581 TCP and IETF 768 UDP Connections/sec G = (100 X Flow Rate) / Max Flow Rate = (100 X 121114) 

/ 100000 Score = 100 

Robustness 

H) IETF 7 91 IP Stack Stability H = Dropped Pings Score = pass 

I) IETF 768 UDP Stack Stability I = Dropped Pings Score = pass 

J) IETF 79 3 TCP Stack Stability J = Dropped Pings Score = pass 

Security 

K) CVE Security F ault Injection, Independent K = Dropped Pings Score = pass 

L) CVE Security Fault Injection, Benign L = Dropped Pings Score = pass 

M) CVE Security Fault Injection, Concurrent Sessions Stress M = Dropped Pings Score = pass 

N) CVE Security Fault Injection, Session Rate Stress N = Dropped Pings Score = pass

2.2. Throughput 

 

for the device. 

Network Packet Stress 

This test will be repeated once with 64 byte and again with 1518 byte packets. These two packet sizes represent the 

smallest and larget valid packet size for a single network frame. The test begins by transmitting packets at half of 

the theoretical maximum rate for the given packet size. Any dropped or corrupted packets result in a failed iteration. 

Testing continues iterating in a binary search pattern;; for each iteration testing at a rate halfway between the last 

passed test and the last failed test, until a maximum successful rate is found. 

Benign Realistic Network Packets 

 

bandwidth. The test begins by transmitting packets at half of the theoretical maximum rate for the given packet size. 

Any dropped or corrupted packets result in a failed iteration. Testing continues iterating in a binary search pattern;; 

for each iteration testing at a rate halfway between the last passed test and the last failed test, until a maximum 

successful rate is found. 

2.3. Sessions 

 

TCP Sessions Stress 

 

 

test begins by opening a single TCP session. Every 5 seconds, 1500 additional TCP sessions are attempted, up to a 

maximum of 10,000,000 concurrent TCP sessions. Once completed, an analysis is made to determine the achieved 

concurrent sessions based on the measured number of active concurrent TCP sessions. 

Benign Realistic Network Sessions 

This test begins by opening a single TCP session, which remains open for the duration of the test. Every 5 seconds 

1500 additional TCP sessions are attempted, up to a maximum of 10,000,000 concurrent TCP sessions. Once 

completed, an analysis is made to determine the achieved concurrent sessions based on the measured number of 

active concurrent TCP sessions.

2.4. Robustness 

 

IP Robustness 

 

 

Packets will have random payload ranging in size from 46 to 1500 bytes, and will be transmitted at a rate between 

2000 and 2500 packets per second. Data will be transmitted for at least one hour, for a minimum of 5,000,000 distinct 

 

the Urgent pointer, and the IP checksum. 

UDP Robustness 

 

 

of the UDP header in addition to the IP header. Packets will have random payload ranging in size from 46 to 1500 

bytes, and will be transmitted at a rate between 2000 and 2500 packets per second. Data will be transmitted for at 

 

TCP Robustness 

This test limits the scope of random testing to Layer 4 by randomizing portions of the TCP header in addition to the 

IP header. Packets will have random payload ranging in size from 46 to 1500 bytes, and will be transmitted at a 

rate between 2000 and 2500 packets per second. Data will be transmitted for at least one hour, for a minimum of 

 

2.5. Security 

 

Security - Laboratory conditions 

 

payloads are blocked or neutered. 

Security - Benign Realistic Conditions 

 

 

 

Security - Concurrent Sessions Stress Conditions 

 

 

 

as measured in the performance baseline. 

Security - Session Open Rate Stress Conditions 

 

 

 

performance baseline.

2.6. Settings 

Setting Value 

Speed 10.00 Gigabits 

Device Type Firewall 

Run Type Full 

Session Rate yes 

Robustness yes 

Throughput yes 

Security yes 

 

Client Routing Server Routing 

Network:192.168.50.0/ 

24 Min:192.168.50.3 

Max:192.168.50.254 

DUT Address:192.168.50.1 

Network:192.168.50.0/ 24 

Gateway:192.168.50.2 

- End of Document - 

DUT Address:192.168.51.1 

Network:192.168.51.0/ 24 

Gateway:192.168.51.2 

Network:10.0.0.0/8 Min:10.0.0.1 

Max:10.255.255.254

The BreakingPoint Resiliency Score 

www.breakingpoint.com 

© 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. 

All other trademarks are the property of their respective owners. 

BreakingPoint Resiliency Score 

An automated, standardized, and deterministic measure of the performance, security, and stability of network 

and application infrastructure devices and systems 

1

Table of Contents 





Introduction .......................................................................................................................................................................3 

The BreakingPoint Resiliency Score ................................................................................................................................................................ 3 

Resiliency Score Assessment Elements .......................................................................................................................................................... 3 

Prescribed Conguration .................................................................................................................................................................................... 3 

Duration .................................................................................................................................................................................................................... 4 

Results ........................................................................................................................................................................................................................ 4 

Resiliency Score Phases .....................................................................................................................................................4 

Phase 1: Throughput ............................................................................................................................................................................................. 4 

64-Byte Packet ................................................................................................................................................................................................. 5 

1518-Byte Packet Measurement ............................................................................................................................................................... 5 

Real Bandwidth Measurement .................................................................................................................................................................. 6 

Phase 2: Sessions .................................................................................................................................................................................................... 6 

Basic Concurrent Sessions ........................................................................................................................................................................... 6 

Real Concurrent Sessions ............................................................................................................................................................................. 7 

Basic Connections per Second................................................................................................................................................................... 8 

Real Connections per Second .................................................................................................................................................................... 9 

Phase 3: Robustness.............................................................................................................................................................................................. 9 

IP Stability .......................................................................................................................................................................................................... 9 

UDP Stability ..................................................................................................................................................................................................... 9 

TCP Stability ...................................................................................................................................................................................................... 9 

Phase 4: Security .................................................................................................................................................................................................... 10 

Independent Security ................................................................................................................................................................................... 10 

Benign Trac Security .................................................................................................................................................................................. 10 

Concurrent Sessions Security ..................................................................................................................................................................... 10 

Session Open Rate Security ........................................................................................................................................................................ 10 

2





Resiliency Score Setup .......................................................................................................................................................11 

Physical Connection ............................................................................................................................................................................................. 11 

Network Conguration ........................................................................................................................................................................................ 11 

Switch ................................................................................................................................................................................................................. 11 

Router ................................................................................................................................................................................................................. 12 

Load Balancer ................................................................................................................................................................................................... 12 

Proxy .................................................................................................................................................................................................................... 13 

Firewall ............................................................................................................................................................................................................... 13 

Intrusion Prevention System ...................................................................................................................................................................... 14 

Unied Threat Manager ................................................................................................................................................................................ 14 

Summary .............................................................................................................................................................................14 

About BreakingPoint Storm CTM .....................................................................................................................................15 

3

Introduction 





Organizations want measurable answers, not assurances, when it comes to network and application performance, security, and stability. 

We have come to expect evaluation and certication of product performance for everything from our phones to our automobiles—yet 

network and application infrastructures and the equipment upon which they rely have no standardized certication for performance and 

security. Instead, buyers must trust statements made in product marketing literature, which are based on best-case scenarios, not real-world 

evidence. 

The BreakingPoint Resiliency Score puts an end to this problem by establishing a standard against which networks and security devices 

are measured. This document describes a step-by-step approach for determining a BreakingPoint Resiliency Score, as implemented in 

version 2.0 of the BreakingPoint Storm Cyber Tomography Machine (CTM) rmware. 

The BreakingPoint Resiliency Score 

The BreakingPoint Resiliency Score provides an automated, standardized, and deterministic method for evaluating and ensuring the 

resiliency of networks and network equipment. This feature of the BreakingPoint Storm CTM provides a standard measurement of the 

performance, security, and stability of every component of the network and data center using real-world application trac, real-time 

security attacks, extreme user load, and application fuzzing. 

A BreakingPoint Resiliency Score is calculated using standards by organizations such as 

US–CERT, IEEE, and the IETF, as well as real-world trac mixes from the world’s largest 

service providers. A BreakingPoint Storm CTM user simply selects the network or device 

for evaluation and the speed at which the device or system is required to perform for an 

automated measurement of resiliency. The BreakingPoint Storm CTM then subjects the 

device to a battery of simulations using a blended mix of application trac and malicious 

attacks, including obfuscations. The BreakingPoint Storm CTM delivers this measurement in 

the form of a Resiliency Score—much like an Underwriters Laboratories (UL) certication. 

The BreakingPoint Resiliency Score is presented as a numeric grade from 1 to 100. Networks 

and devices may receive no score if they fail to pass trac at any point or degrade to an 

unacceptable performance level. The Resiliency Score takes the guesswork and subjectivity 

out of validation and allows administrators to quickly understand the degree to which system security will be impacted under load and 

under the threat of newly evolved cyber attacks. 

Resiliency Score Assessment Elements 

There are four phases of the Resiliency Scoring process—each with a set of associated measurements—that target specic aspects of 

behavior: 

• Throughput Phase 

• Sessions Phase 

• Robustness Phase 

• Security Phase 

Prescribed Conguration 

Because the BreakingPoint Resiliency Score is a standardized measurement designed to maintain the consistency of scores across vendors, 

the BreakingPoint Storm CTM requires little or no conguration. The user simply chooses a class of device from a set list of options; that 

choice determines the network conguration that will be used. The user congures their own device to support that network conguration, 

then selects a bandwidth limit for the device, in 100 Mbps increments. 

4

Duration 





The Resiliency Score process can be run in either “Full” or “Quick” mode. The “Quick” option allows the user to work through initial issues 

without waiting through the turnaround time required for a full resiliency assessment. However, only the “Full” option provides an actual 

Resiliency Score. 

Results 

Once a full assessment encompassing all elements is complete, resiliency is scored from 0 to 100 by calculating the results from individual 

phases of the Resiliency Score process. If the network or device fails any part of the assessment, no score is given, and the assessment is 

declared “Failed.” 

Resiliency Score Phases 

There are four phases of the process for producing a Resiliency Score for a component of a network or data center: 

Phase 1: Throughput 

The throughput phase targets the device’s basic packet forwarding ability. It consists of three parts: 

64-Byte Packet 

To determine the maximum achievable bandwidth of a device when forwarding 64-byte packets only, the BreakingPoint Storm CTM 

executes a series of simulations in a binary search pattern. For each one, success or failure is determined based on the following criteria: 

• The number of received frames must equal the number of transmitted frames to ensure that there were no dropped packets. 

• No corrupted frames should be received. 

Initially, trac is generated at 50 percent of the user-specied rate of the device. If the device passes this assessment, the next rate attempt 

is halfway between the initial rate and the maximum rate, or 75 percent of the user-specied rate. If the device fails, the next rate attempted 

is 25 percent. The process continues for seven iterations to determine the maximum achieved rate within a 1 percent margin of error. 

The individual score for this portion of the overall Resiliency Score is based on the measured bandwidth of the device and is expressed as 

the percentage of the measured speed versus the user-congured speed. The results of the 64-byte packet assessment are shown in the 

following way in section 2.1 of the report: 

A) IEEE Throughput measurement of 64 byte frames 

A = max(100,100 * Speed(999) 

/ MaxSpeed(1000)) 

=100.00 

1518-Byte Packet Measurement 

Next, a second binary search is run with the frame size set to 1518. Aside from the frame size, this component runs identically to the 64-byte 

packet assessment and is scored the same way. The results below are provided in the nal report: 

B) IEEE Throughput measurement of 1518 byte frames 

B = max(100,100 * Speed(999) 

/ MaxSpeed(1000)) 

=100.00 

5

Real Bandwidth Measurement 





For the nal part of the Throughput Phase, the device’s throughput is measured when presented with a realistic blend of application 

trac. The BreakingPoint Application Simulator transmits at a bandwidth no higher than the user-congured maximum, with maximum 

concurrent sessions set to 10,000,000, and a load prole set to control the session open rate. 

For a full Resiliency Score, the load prole begins by opening sessions at a rate of 100 sessions per second. Every 5 seconds, the attempted 

open rate is increased by another 100 sessions per second, until 750,000 sessions per second is reached. The quick version of the assessment 

proceeds in a similar way, except the initial rate is 10,000, and the attempt rate is increased by 10,000 every ve seconds. 

The bandwidth achieved is determined by searching for the maximum measured received frame rate that was sustained for at least three 

seconds. This bandwidth achieved is factored into the score as a percentage of the congured bandwidth and is also used as a basis to 

determine the rate of some subsequent processes, as detailed below. 

C) Throughput, Real 

C= max(100,100 * Application Frame Rate(1420140) 

/ Max Application Frame Rate(150000)) 

=100.00 

Phase 2: Sessions 

The Sessions Phase of the Resiliency Score focuses on the device’s ability to support UDP and TCP sessions, in terms of both rate and 

number of concurrent sessions. 

Basic Concurrent Sessions 

During the Sessions Phase, the ability of the device to process straightforward TCP sessions is determined using BreakingPoint Session 

Sender. The bandwidth limit is set to the user-congured speed for the device. The steady-state behavior for the TCP sessions is set to “Hold,” 

so that sessions stay open for the duration of the assessment. 

A load prole is generated to control the maximum number of concurrent sessions. For a full Resiliency Score, 5,000 sessions are opened 

at the beginning. Every ve seconds, 5,000 more sessions are opened, up to a maximum of 10,000,000 concurrent sessions. Once the 

6





maximum is reached, the sessions are held open for an additional 30 seconds before wrapping up the assessment. A quick Resiliency Score 

follows similar behavior, except that it starts with 500,000 sessions and adds another 500,000 every ve seconds. 

For scoring, the maximum achieved number of concurrent sessions that was sustained for at least three seconds becomes the measured 

maximum. This is applied to the score as a percentage of the 10-million-session maximum. 

D) Concurrent IETF 793 TCP Connections 

D = max(100,100 * Number Flows(10000000) 

/ Max Number Flows(10000000)) 

=100.00 

Real Concurrent Sessions 

The Sessions Phase also measures the number of concurrent TCP sessions supported by the device using the BreakingPoint Application 

Simulator and the BreakingPoint Enterprise application prole. The bandwidth limit is set to the user-congured speed for the device. 

Again, the steady-state behavior for the TCP sessions is “Hold,” so that they stay open for the duration. The operation is identical to the 

BreakingPoint Session Sender assessment. 

E) Concurrent IETF 2581 TCP and IETF 768 UDP Connections 

E = max(100,100 * Number Flows(10066931) 


=100.00 

7

Basic Connections per Second 





The basic connections per second measurement uses BreakingPoint Session Sender to generate the simple TCP connections required to 

measure the maximum rate at which the device can open new TCP connections. The bandwidth limit for BreakingPoint Session Sender is set 

to the user-specied rate for the device, and the maximum number of cumulative sessions is set to 10,000,000. 

When performing a full Resiliency Score, this process begins by opening TCP sessions at a rate of 100 per second. Every ve seconds, the 

attempt rate is increased by another 100 sessions per second. This continues until the attempted rate is 750,000 connections per second. 

Once the maximum is reached, the process continues at that rate for 30 more seconds. 

The “Quick” resiliency assessment is conducted in a similar way, except that the rate starts at 10,000 and is increased by another 10,000 

every ve seconds. 

For scoring purposes, the BreakingPoint Storm CTM evaluates the maximum achieved connection rate that was held for at least three 

seconds. Then a rate goal is calculated as follows: 

• For a user-specied bandwidth of more than 1Gbps, the goal is 150,000. 

• For user-specied bandwidths of 1Gbps or less, the goal is the bandwidth in Gbps times 150,000. For example, for a user-specied 

bandwidth of 500Mbps, the goal would be half of 150,000, or 75,000. 

The maximum measured rate is then incorporated into the score as a percentage of the determined goal: 

F) IETF 793 TCP Connections/sec 

F = max(100,100 * Number Flows(181390) 


=100.00 

8

Real Connections per Second 





The data from the throughput “Real Bandwidth” measurement is reused to evaluate real connections per second. The same process is run 

when either throughput or sessions is measured; when both are measured, the process is run only once, and the data is used for both. 

The connection rate is scored in a very similar manner to the basic session rate assessment. For scoring purposes, the maximum achieved 

connection rate that was held for at least three seconds is determined. Then a rate goal is calculated as follows: 

• For a user-specied bandwidth of more than 1Gbps, the goal is 100,000. 

• For user-specied bandwidths of 1Gbps or less, the goal is the bandwidth in Gbps times 100,000. In other words, for a user-specied 

bandwidth of 500Mbps, the goal would be half of 100,000, or 50,000. 

The maximum measured rate is then incorporated into the score as a percentage of the determined goal. 

G) IETF 2581 TCP and IETF 768 UDP Connections/sec 

G = max(100,100 * Number Flows(120213) 


=100.00 

Phase 3: Robustness 

Three processes contribute to the robustness score. Each of them is structured very similarly, using a BreakingPoint Stack Scrambler to 

target a dierent layer of the network stack. 

IP Stability 

To evaluate IP stability, BreakingPoint Stack Scrambler is congured to send corruptions at 12 Mbps, including bad IP version elds, bad IP 

options, bad “urgent” pointers, and bad checksums. A diagnostic ICMP ping request is sent every second. The ICMP packet is structured to 

distinguish it from any other packets, and a count is kept of how many of these are received on the other side. 

After this process is complete, the count of received pings is compared to the count of transmitted pings. Up to two pings not received are 

allowed with no penalty. A third missed ping results in one point being subtracted from the overall score. Four pings dropped result in a 

10-points deduction, and ve or more dropped pings result in a failing Resiliency Score. 

H) IETF 791 IP Stack Stability 

H = Dropped Pings 

= pass 

UDP Stability 

The IP stability process is followed by an identical UDP stability evaluation. For this process, however, the target stack is set to UDP. 

I) IETF 768 UDP Stack Stability 

I = Dropped Pings 

= pass 

TCP Stability 

For the nal robustness assessment, the same process is used to target the TCP stack. This assessment is also scored the same way. 

J) IETF 793 TCP Stack Stability 

J = Dropped Pings 

= pass 

9

Phase 4: Security 





The Security Phase measures the device’s response to attack using the BreakingPoint Strike Set repeatedly under dierent network 

background conditions. For a full Resiliency Score, the strike set “Resiliency—All CVE Strikes” is used. This Strike Set includes all Strikes that 

are documented as exploits in the CVE database. A “Quick” resiliency assessment uses the Strike set “Backdoor Strikes.” 

Each Security Phase assessment includes a BreakingPoint Stack Scrambler component targeting the TCP layer. This produces diagnostic 

pings used to measure security capabilities in the same way that robustness is scored: Up to two pings not received are allowed with no 

penalty; a third missed ping subtracts one point from the overall score; four pings dropped result in 10 points o; and ve or more dropped 

lead to a failing Resiliency Score. 

Independent Security 

This measurement is initially conducted using only the BreakingPoint Security component with the BreakingPoint Stack Scrambler in active 

mode; in other words, there is no background trac. 

K) CVE Security Fault Injection, Independent 

K = Dropped Pings 

= pass 

Benign Trac Security 

Next, the same process is executed with the addition of BreakingPoint Application Simulator and the BreakingPoint Enterprise application 

prole. Maximum attempted sessions per second, maximum number of concurrent sessions, and throughput are all congured to a value 

that is half of the maximum measured in the “Real Bandwidth” / “Real Sessions per Second” process. 

L) CVE Security Fault Injection, Benign 

L = Dropped Pings 

= pass 

Concurrent Sessions Security 

The previous process is run again, but this time with BreakingPoint Security and Stack Scrambler components, as well as BreakingPoint 

Application Simulator with the maximum attempted sessions per second and the throughput both congured to a value half of the 

maximum measured in the “Real Bandwidth” / “Real Sessions per Second” process. The number of concurrent sessions for Application 

Simulator is set to 10,000,000. 

M) CVE Security Fault Injection, Concurrent Sessions Stress 

M = Dropped Pings 

= pass 

Session Open Rate Security 

Finally, the process is executed once more with BreakingPoint Security and Stack Scrambler components, as well as BreakingPoint 

Application Simulator with the maximum number of concurrent sessions and the throughput both congured to a value half of the 

maximum measured in the “Real Bandwidth” / “Real Sessions per Second” process. The maximum session open rate is congured to 750,000 

sessions per second. 

N) CVE Security Fault Injection, Session Rate Stress 

N = Dropped Pings 

= pass 

10

Resiliency Score Setup 

Physical Connection 





The device under evaluation should be connected via two of its interfaces to the BreakingPoint Storm CTM. These connections will be 

referred to as Physical Interface 1 and Physical Interface 2, based on the interface reservation on the BreakingPoint Storm CTM. 

Network Conguration 

Figure 1 - Physical Connection to the BreakingPoint Storm CTM 

In preparation for the Resiliency Score process, the device that will be evaluated must be congured to support the following network 

conguration. 

Switch 

The network conguration used to evaluate a device classied as a switch will be made up of two separate IP ranges within the same 

subnet, both directly attached to the device’s network, as illustrated below: 

Figure 2 - Logical Network, Switch 

11

Router 





The network conguration used to evaluate a device that is classied as a Router is made up of two ranges of hosts in nonlocal networks. 

Each will arrive at the device via a router attached to a separate local subnet of the device. Trac should be routed through gateway IPs on 

the device, as follows: 

Load Balancer 

Figure 3 – Logical Network, Router 

The network conguration used to evaluate a device that is classied as a Load Balancer includes: 

• Trac that originates from a network of client addresses in a nonlocal subnet. 

• Client addresses that reach the device being scored via a router on a local subnet of interface 1. 

• Trac from the clients addressed to a single public IP address on interface 1 of the device being assessed. 

• A device being assessed that is expected to translate the destination address to one from a pool of addresses within a local subnet on 

interface 2 of the device being assessed. 

• Requests within the destination address that are handled by a set of hosts that are simulated as a multi-homed host. That is, the set of 

IP addresses all originate from a single MAC address, avoiding the possibility of overowing MAC tables on the device. 

Figure 4 - Logical Network, Load Balancer 

12

Proxy 

The network conguration used to evaluate a device that is classied as a Proxy includes: 

• Trac that originates from a network of client addresses in a local subnet. 





• Client requests that are handled by a set of hosts simulated as a multi-homed host. The set of IP addresses will all originate from a 

single MAC address, avoiding the possibility of overowing MAC tables on the device. 

• Server hosts listening on a set of hosts on a nonlocal subnet. 

• Server addresses that are reachable by the device being assessed via a router on a local subnet of interface 2. 

• A device being scored that is expected to translate the source address to one from an unspecied pool, which must be reachable by 

Firewall 

the server hosts. The specic client addresses are learned as they are observed. 

Figure 5 – Logical Network, Proxy 

The network conguration used to measure the resiliency of a device classied as a Firewall includes: 

• Trac that originates from a network of client addresses in a local subnet 

• Client requests that are handled by a set of hosts that are simulated as a multi-homed host. The set of IP addresses all originate from a 

single MAC address, avoiding the possibility of overowing MAC tables on the device. 

• Server hosts that will be listening on a set of hosts on a nonlocal subnet. 

• Server addresses that are reachable by the device being assessed via a router on a local subnet of interface 2. 

• A device being assessed that is expected to translate the source address to one from an unspecied pool, which must be reachable by 

the server hosts. The specic client addresses are learned as they are observed. 

Figure 6 – Logical Network, Firewall 

13

Intrusion Prevention System 





The network conguration used to measure the resiliency of an Intrusion Prevention System includes two separate IP ranges within the 

same subnet, both directly attached to the device’s network as illustrated below: 

Unied Threat Manager 

Figure 7 - Logical Network, Intrusion Prevention System 

The network conguration used to evaluate a device classied as a Unied Threat Manager will be made up of two ranges of hosts in 

nonlocal networks. Each will arrive at the device being assessed via a router attached to a separate local subnet of the device being 

assessed. Trac should be routed through gateway IPs on the device, as follows: 

Summary 

Figure 8 – Logical Network, Unied Threat Manager 

Based on insights into global network trac proles and using standards from US–CERT, IEEE, and the IETF, the BreakingPoint Resiliency 

Score provides an easy-to-produce and defensible measurement of the resiliency of networks and network devices and servers. A 

Resiliency Score can be produced only with the BreakingPoint Storm CTM, as it is the only product capable of producing the blended mix 

of application trac, malicious attacks, user load, and application fuzzing required to understand how devices will perform in today’s global 

networks. 

14

About BreakingPoint Storm CTM 

BreakingPoint has pioneered the rst Cyber Tomography Machine with 

the introduction of the BreakingPoint Storm CTM. This innovative product 

enables users to see for the rst time the virtual stress fractures lurking 

within their cyber infrastructure through the simulation of crippling attacks, 

high-stress trac load, and millions of users. The BreakingPoint Storm 

CTM exposes previously impossible-to-detect vulnerabilities within cyber 

infrastructure components before they are exploited to destroy what is most 

important to you—your customer data, your assets, your reputation, and 

even national security. BreakingPoint Storm CTM is delivered in a three-slot 

chassis that provides the equivalent performance and simulation of hundreds 

of racks of servers: 

• 40 Gigabits per second of blended stateful application trac 

• 30 million concurrent TCP sessions 

• 1.5 million TCP sessions per second 

• 600,000+ complete TCP sessions per second 

• 80,000+ SSL sessions per second 

• 130+ stateful applications 

• 4,500+ live security strikes 




Contact BreakingPoint 


Learn more about BreakingPoint 

products and services by contacting a 

representative in your area. 

1.866.352.6691 U.S. Toll Free 


BreakingPoint Global Headquarters 

3900 North Capital of Texas Highway 

Austin, TX 78746 

email: salesinfo@breakingpoint.com 

tel: 512.821.6000 

toll-free: 866.352.6691 

BreakingPoint EMEA Sales Oce 

Paris, France 

email: emeasales@breakingpoint.com 

tel: + 33 6 08 40 43 93 

BreakingPoint APAC Sales Oce 

Suite 2901, Building #5, Wanda Plaza 

No. 93 Jianguo Road 

Chaoyang District, Beijing, 100022, China 

email: asiasales@breakingpoint.com 

tel: + 86 10 5960 3162 

15

The BreakingPoint Resiliency Score - Fortinet

Create successful ePaper yourself

Delete template?

Save as template?