NetScaler 2048-bit SSL Performance



Similar documents
Features of a comprehensive application security solution

2048-bit SSL. Best practices for implementing.

Best practices for implementing

Overview. SSL Cryptography Overview CHAPTER 1

Desktop Virtualization Made Easy Execution Plan

White paper. Keys to SAP application acceleration: advances in delivery systems.

WHITE PAPER Citrix XenDesktop XenDesktop Planning Guide: Load Balancing Web Interface with NetScaler

ByteMobile Adaptive Traffic Management Product Family

NetScaler VPX FAQ. Table of Contents

PERFORMANCE REPORT Version Application Delivery Controller Performance Report

Secure SSL, Fast SSL

Citrix XenApp and XenDesktop 7.6 FIPS Sample Deployments

Application Template Deployment Guide

Basic & Advanced Administration for Citrix NetScaler 9.2

SharePoint Performance Optimization

Citrix StoreFront 2.0

How To Use Netscaler As An Afs Proxy

Cloud Networking Services

How To Install A Citrix Netscaler On A Pc Or Mac Or Ipad (For A Web Browser) With A Certificate Certificate (For An Ipad) On A Netscaler (For Windows) With An Ipro (For

Summary of Results. NGINX SSL Performance

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Configuring Citrix NetScaler for IBM WebSphere Application Services

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for On-boarding

Is your load balancer cloud ready? How NetScaler helps enterprises achieve cloud computing benefits.

2014 IBM Corporation

CNS Implementing NetScaler 11.0 For App and Desktop Solutions

CNS-208 Citrix NetScaler 10.5 Essentials for ACE Migration

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Success Accelerator. Citrix Worldwide Consulting Solutions. Planning and Executing a Successful Go Live

Citrix Lab Manager 3.6 SP 2 Quick Start Guide

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Building a better branch office.

Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide

Application Security WHY NETWORK FIREWALLS AND INTRUSION PREVENTION SYSTEMS AREN T ENOUGH

Citrix NetScaler 10 Essentials and Networking

Advanced Memory and Storage Considerations for Provisioning Services

Executive summary. Introduction Trade off between user experience and TCO payoff

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery

F5 PERFORMANCE REPORT APPLICATION DELIVERY CONTROLLER PERFORMANCE REPORT

Deployment Guide for Citrix XenDesktop

How To Manage A Netscaler On A Pc Or Mac Or Mac With A Net Scaler On An Ipad Or Ipad With A Goslade On A Ggoslode On A Laptop Or Ipa On A Network With

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Customer Satisfaction with Application Delivery Controller Vendors

High Availability for Desktop Virtualization

Single Sign On for ShareFile with NetScaler. Deployment Guide

NetScaler SQL Intelligent Load Balancing. Scaling the Data Tier with.

Guide to Deploying Microsoft Exchange 2013 with Citrix NetScaler

Product Overview. UNIFIED COMPUTING Managed Load Balancing Data Sheet

High Availability for Citrix XenApp

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led

White Paper. Enhancing Website Security with Algorithm Agility

Using etoken for SSL Web Authentication. SSL V3.0 Overview

The Critical Role of an Application Delivery Controller

CNS-205 Citrix NetScaler 10 Essentials and Networking

Chapter 7 Transport-Level Security

HDX 3D Version 1.0 Release Notes

CNS-208 CITRIX NETSCALER 10.5 ESSENTIALS FOR ACE MIGRATION

Consulting Solutions WHITE PAPER Citrix XenDesktop Citrix Personal vdisk Technology Planning Guide

Cisco Integrated Services Routers Performance Overview

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. Pay-as-You-Grow Licensing. Pay-as-You-Grow: Flexible Capacity in the Datacenter with On-Demand Licensing.

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Deployment Guide for Microsoft Lync 2010

ERserver. iseries. Securing applications with SSL

Securing Virtualization with Check Point and Consolidation with Virtualized Security

SKU Services Citrix Consulting

Advanced application delivery over software defined networks

Best Practices for Upgrading the Virtual Desktop Agent

TLS/SSL in distributed systems. Eugen Babinciuc

Securing Outlook Web Access (OWA) 2013 with NetScaler AppFirewall

"Charting the Course... Implementing Citrix NetScaler 11 for App and Desktop Solutions CNS-207 Course Summary

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Upsurge in Encrypted Traffic Drives Demand for Cost-Efficient SSL Application Delivery

Integrated Services Router with the "AIM-VPN/SSL" Module

Citrix XenServer: VM Protection and Recovery Quick Start Guide

CNS-208 Citrix NetScaler 10 Essentials for ACE Migration

Comparative Performance Report Application Delivery Controllers Document Version: 2013

HTTPS is Fast and Hassle-free with CloudFlare

McAfee Firewall Enterprise 8.2.1

Using BroadSAFE TM Technology 07/18/05

Load Balancing Security Gateways WHITE PAPER

CNS-301-3I ~ Citrix NetScaler 11 Advanced Implementation

ISM/ISC Middleware Module

Complying with PCI Data Security

Centralized Orchestration and Performance Monitoring

NEFSIS DEDICATED SERVER

SSL BEST PRACTICES OVERVIEW

Citrix NetScaler VPX 9.2 for Microsoft Hyper-V Detailed Lab Report

Citrix XenDesktop Modular Reference Architecture Version 2.0. Prepared by: Worldwide Consulting Solutions

Understanding Slow Start

NetScaler: A comprehensive replacement for Microsoft Forefront Threat Management Gateway

Citrix XenApp 6.5 and XenDesktop 5.6 Security Standards and Deployment Scenarios Supplementary scenarios

Integrated Services Router with the "AIM-VPN/SSL" Module

CNS-200-1I Basic Administration for Citrix NetScaler 9.0

APPLICATION ACCESS MANAGEMENT (AAM) Augment, Offload and Consolidate Access Control

NetScaler Cloud Bridge

Desktop virtualization and the branch office. Optimizing virtual desktops and applications to the branch office VDI.

Flexible Routing and Load Control on Back-End Servers. Controlling the Request Load and Quality of Service

Transcription:

WHITE PAPER NetScaler Performance NetScaler 2048-bit SSL Performance July 2010 www.citrix.com/netscaler

Overview NetScaler 9.2 boosts SSL performance with 2048-bit keys 5X to meet the needs of customers as they transition to 2048-bit key sizes. Extending NetScaler s ncore architecture to better utilize the SSL hardware on device along with other enhancements enable this boost in performance. This paper details the SSL performance on current shipping MPX platforms. SSL is a core technology to secure transactions on the Internet. The most widespread deployment model uses RSA public key cryptography with 1024-bit keys to negotiate a secure, symmetric session key between the client and server. Current security research has demonstrated the distinct, near term possibility of breaking 1024-bit RSA keys using significant computing resources. The U.S. National Institute of Standards and Technology (NIST) issued Special Publication 800-57 in March 2007 recommending the use of 2048-bit RSA keys starting Jan. 1, 2011. With current technology and research, doubling the key length from 1024-bit to 2048-bit increases the computational complexity of breaking a key by close to a billion times. 2048-bit keys are expected to be secure till 2030. Following this recommendation and Microsoft Windows security guidelines, Certificate Authorities (CAs) are migrating to 2048-bit SSL certificates for end users. Extended Validation (EV) certificates (in use at major ecommerce and financial sites) are already at 2048-bit strength. Starting the later half of 2010, CAs will enforce this requirement by issuing only 2048-bit certificates. How 2048-bit keys impact SSL performance In recent years, the SSL transactions per second (TPS) performance on NetScaler has improved tremendously for 1024-bit keys. For instance, the NetScaler MPX 21500 (released 2010) can perform 220,000 TPS with 1024-bit keys compared with 25,000 TPS on the NetScaler 12000 (released 2007). Doubling the key lengths from 1024-bit to 2048-bit significantly increases the computational requirements and has a major impact on the TPS supported by the device. To support the same TPS with 2048-bit keys, the SSL infrastructure will need a significant upgrade (30x increase in some cases). ncore architecture delivers exceptional SSL performance NetScaler 9.1 introduced the ncore architecture to take advantage of multiple processor cores available on the MPX hardware platforms. In NetScaler 9.2, the ncore architecture was extended to the SSL acceleration processors. This includes: Intelligent load balancing of SSL chips: Each MPX platform contains multiple SSL chips. The ncore architecture allows the packet engines to intelligently load balance the SSL operations among the chips available. Multiple queues per SSL chip: To better utilize the chip hardware capabilities, multiple SSL operations can be queued per chip. SSL card optimization: Citrix has worked with Cavium Networks to optimize the performance of SSL hardware to process larger RSA keys (2048-bit and 4096-bit). Page 2

SSL Performance with 2048-bit keys The SSL performance of NetScaler platforms with 2048-bit RSA keys is listed in the table below. All the tests were performed on NS 9.2nc B46.3 ncore. This version shows significant improvement in SSL TPS numbers with 2048-bit keys compared to previous releases. Platform NS9.2 Performance (SSL TPS) NS9.1 Performance (SSL TPS) MPX 5500 1000 350 MPX 7500 5,000* 2000 MPX 9500 11,000 2000 MPX 10500 18,000 4500 MPX 12500 22,000 4500 MPX 15500 22,000 4500 MPX 17000 22,000 4500 MPX 17500 22,000 4500 MPX 19500 33,000 6000 MPX 21500 45,000 7000 * Numbers have been rounded / normalized. Raw test data is available in the appendix. Notes All MPX platforms have license imposed TPS and throughput limits that may be lower from the actual numbers achieved in this test. Refer to the official datasheet for supported SSL throughput by platform. Page 3

The rows are grouped (shading) by hardware platform. For instance, the MPX 10500, 12500 and 15,500 share the same platform. Upgrade between the models in a group is possible through NetScaler s Pay-As-You-Grow model. The 2048-bit performance improvements are available on the MPX platforms only. The 2048-bit key SSL TPS number is significantly lower than the TPS with 1024-bit key size. For instance, the MPX21500 can do 220,000 1024-bit SSL negotiations per second versus 45,000 with 2048-bit keys. This is expected as doubling the key length exponentially increases the computation required (roughly 4-8 times). NetScaler 9.2 Security highlights NS9.2 also contains significant security highlights related to SSL and other security modules in the NetScaler system. These include: OCSP support: Dynamically check for Certificate revocation by connecting to an OCSP responder. This is in addition to the standard Certificate Revocation List (CRL) mechanism. Subject Name Indicator (SNI) support: extension to TLS1.1 that allows the modern browsers to indicate the server name to which it is trying to establish a secure channel. This is very useful in Virtual hosting scenarios. Application Firewall CSRF support: The Application Firewall module added new defense against Cross-Site Request Forgery attacks. AAA Form-based SSO: The AAA module now supports auto-submission of credentials to backend web applications that use a HTML form to request user credentials. More information Follow us on twitter at http://twitter.com/netscaler NetScaler Product datasheets and other information are available at http://www.citrix.com/netscaler Join the Citrix NetScaler community at http://community.citrix.com/p/cdn-networks References NIST Special Publication 800-57 Recommendation for Key Management: http://csrc.nist.gov/publications/pubssps.html NIST Special Publication 800-131 Draft Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes: http://csrc.nist.gov/publications/pubssps.html Verisign - https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=so6989 Page 4

Appendix: Test description Tests were performed with an internally developed test harness consisting of a client / server setup. Traffic is directed to an SSL VIP that is bound to HTTP servers on the backend (that is, NetScaler Server communication is in the clear). Two separate tests were run on each platform to benchmark performance. Each test measures a single entry on each row, for instance SSL TPS. You can either maximize the TPS (column 1) or the bulk throughput (column 2). SSL TPS This test measures the number of SSL Transactions per Second (TPS). The NetScaler is loaded with a 2048-bit key. The client harness opens a new TCP connection, does a SSL negotiation, sends a single HTTP request and receives the full response. The transaction is terminated using a SSL CLOSE_NOTIFY after end of the response. Cipher suite used is RC4-SHA. The HTTP request and response are 64 bytes long. SSL Throughput This test measures the bulk throughput through the NetScaler. The client harness opens as many SSL sessions as necessary to measure the bulk throughput. Once the SSL session is established, the client maintains a persistent connection and sends requests to a 100KB page. Cipher suite used is RC4-SHA. All connections are terminated gracefully at end of test. RSA key length does not impact the bulk throughput significantly. This testing focused on the SSL TPS performance, so the bulk throughput numbers are not tuned for maximum performance. I: Raw test data Platform SSL TPS SSL Throughput (mbps) NS12000 (9.2cl) 2023 3140 MPX5500 1228 537 MPX7500 11,258 1074 MPX9500 11,258 3281 Page 5

MPX10500 18,861 5239 MPX12500 22,753 8482 MPX15500 22,687 8516 MPX17000 22,362 7040 MPX17500 22,763 7509 MPX19500 33,885 11327 MPX21500 45,422 11410 II. SSL Performance with 1024-bit keys Platform SSL TPS SSL Throughput (mbps) MPX5500 5000 500 MPX7500 10,000 1000 MPX9500 20,000 3000 MPX10500 30,000 5000 MPX12500 60,000 6000 MPX15500 87,000 6500 MPX17000 100,000 6500 Page 6

MPX17500 110,000 8000 MPX19500 165,000 10,000 MPX21500 220,000 11500 III SSL 2048-bit performance on 9.1 (B104.5) Platform SSL TPS SSL Throughput (mbps) NS12000 (classic) 2034 3002 MPX5500 366 536 MPX7500 2045 1099 MPX9500 2029 3321 MPX10500 4667 5367 MPX12500 4565 8412 MPX15500 4557 8374 MPX17000 4658 6976 MPX17500 4698 8168 MPX19500 6357 11969 MPX21500 7390 11682 Page 7

About Citrix Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on- demand service to any user, in any location on any device. Citrix customers include the world s largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion. 2009 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler and Citrix Application Firewall are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners. Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information