The availability of performance studies and simple models for firewalls able to deal with industrial application-layer communication protocols, such as Modbus/TCP, is crucial when the impact of these devices has to be estimated, even roughly, before their actual deployment in industrial networks. Unfortunately, most manufacturers do not provide this kind of information for commercial off-the-shelf available products. Thus, a viable solution is the development and experimental validation of simple models that can be used by designers to predict those firewall characteristics not explicitly related to their security capabilities. As an example, latency introduced on message forwarding is an aspect of significant interest in many industrial control systems, where delays and jitters in data delivery can severely impact on the effectiveness of the control actions. This paper reports on our experience in developing a performance model for a commercial device able to perform advanced application-layer filtering, in particular of Modbus/TCP traffic. A set of ad hoc designed experiments, performed by means of a purposely developed laboratory testbed, enabled both model development and validation, confirming a good correspondence of the estimated performance with the device actual behavior.

中文翻译：

---

工业应用层防火墙的性能评估和建模

当必须估算这些设备的影响（甚至是在工业网络中实际部署之前）的影响时，性能研究和适用于能够处理诸如Modbus / TCP之类的工业应用层通信协议的防火墙的简单模型的可用性至关重要。 。不幸的是，大多数制造商没有为商用现货产品提供此类信息。因此，可行的解决方案是对简单模型的开发和实验验证，设计者可以使用这些简单模型来预测那些与它们的安全能力没有明确关系的防火墙特征。例如，消息转发中引入的延迟是许多工业控制系统中非常感兴趣的一个方面，数据传输中的延迟和抖动会严重影响控制措施的有效性。本文报告了我们在开发能够执行高级应用程序层过滤（特别是Modbus / TCP流量）的商用设备性能模型方面的经验。借助专门开发的实验室测试平台进行的一组临时设计的实验，可以进行模型开发和验证，从而确认估计性能与设备实际行为之间的良好对应关系。