SSL Performance Problems


ANALYST BRIEF

SSL Performance Problems

SIGNIFICANT SSL PERFORMANCE LOSS LEAVES MUCH ROOM FOR IMPROVEMENT

Author: John W. Pirc

Overview

In early 2013, NSS Labs released the results of its Next Generation Firewall Comparative Analysis Reports (NGFW CARs). As part of the analysis, NSS assessed the performance of client-side secure sockets layer (SSL) decryption in seven of the eight NGFWs that were included in that voluntary group test. The resulting impacts on performance of SSL decryption, whether included as a feature within the NGFW or offloaded to a separate SSL appliance, were significant.

NSS research showed that 25% to 35% of enterprise traffic is SSL and, depending on the industry vertical, the percentage of SSL traffic can reach as high as 70%. NSS research also found that 2048b ciphers caused a mean average of 81% performance loss across all vendors tested. Certificate authorities intend to cease issuing 1024 bit ciphers and will move to 2048 bit ciphers by December 31, 2013.

Although the performance numbers are cause for concern, the presence of malware within encrypted channels is a real, albeit relatively small, threat in enterprise environments that warrants decryption and scanning as a best practice. Figure 1 displays the aggregated results from the vendor tests.

Figure 1: SSL Performance Impacts on Bandwidth and Transaction per Second Loss (figure not reproduced)

NSS Labs Findings

- The average proportion of SSL traffic within a typical enterprise is 25% to 35%.
- The NSS threat database [1] has uncovered a small percentage (~1%) of malware using SSL.
- NSS research indicates that the majority of threats that use SSL as a transport fall under the targeted persistent attack (TPA) category.
- The mean average of performance loss across 7 NGFWs:
  - ~74% with 512b and 1024b ciphers
  - ~81% with 2048b ciphers
- The mean average of transactions per second (TPS) loss across 7 NGFWs:
  - ~86.80% with a 512b cipher
  - ~87.79% with a 1024b cipher
  - ~92.28% with a 2048b cipher
- The Sourcefire NGFW had the highest rated TPS performance. However, Sourcefire was the only vendor that used a dedicated SSL appliance.
- The Dell SonicWALL SuperMassive E10800 NGFW had the highest rated TPS performance with onboard SSL decryption.
- Juniper was rated the best with regard to performance loss and reduction in TPS.
- All vendors had significant performance issues and TPS loss with 2048b ciphers.
- NSS has concerns about the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.

[1] Our database is a collection of malware samples that are collected in real-time from around the world.

NSS Labs Recommendations

- Enterprises are advised to review the performance ratings of SSL in order to decide which platform meets their performance requirements. Additionally, NSS recommends that a platform be tested before a purchasing decision is made.
- Enterprises should measure the SSL traffic in their current network environment in order to allow for future capacity planning. An average yearly increase of ~20% in SSL traffic should be expected. [2]
- Consideration should only be given to products that support the creation of rules for bypassing SSL decryption based on URL categories, such as healthcare, banking, and mobile apps that contain sensitive and personal information. Depending on an organization's network traffic, this could substantially reduce performance loss and assist with an organization's compliance with national privacy laws.
- Enterprises should seek to offset the SSL risk by deploying endpoint security solutions and breach detection solutions that are behavior-based, and that are able to detect command and control (C&C) and malware callbacks via SSL.
- Enterprises should educate users about the dangers of accepting a self-signed or otherwise invalid certificate, in the same way they would educate about spam and phishing.

[2] http://www.bluecoat.com/sites/default/files/documents/files/how_to_gain_visibility_and_control_of_encrypted_ssl_web_sessions.a.pdf

Table of Contents

Overview
NSS Labs Findings
NSS Labs Recommendations
Analysis
  SSL and the Enterprise
  SSL and the Adversary
  2013 NGFW SSL Performance CAR
  Vendor Performance Numbers
    Check Point 12600
    Dell SonicWALL SuperMassive E10800
    Fortinet Fortigate-3600C
    Juniper SRX3600
    Palo Alto Networks PA-5020
    Sourcefire 8250 & Sourcefire 8290
    Stonesoft 3202
Reading List
Contact Information

Table of Figures

Figure 1: SSL Performance Impacts on Bandwidth and Transaction per Second Loss
Figure 2: Key Strength Distribution
Figure 3: Decryption Times of 512 to 4096 Ciphers on 2GHz Pentium
Figure 4: SSL Performance Impacts on Bandwidth
Figure 5: SSL Transaction per Second Loss
Figure 6: Check Point 12600
Figure 7: Dell SonicWALL SuperMassive E10800
Figure 8: Fortinet Fortigate-3600C
Figure 9: Juniper SRX3600
Figure 10: Palo Alto Networks PA-5020
Figure 11: Sourcefire 8250
Figure 12: Sourcefire 8290
Figure 13: Stonesoft 3202

Analysis

During a recent analysis of NGFWs, NSS verified the performance impacts of client-side SSL inspection, and the results showed considerable room for improvement. This raises concerns about the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.

NSS research has found that the use of HTTPS has risen significantly over the past few years; web browser-based applications such as Facebook and Twitter, [3] and search engines such as Google, are enabling SSL by default as a result of privacy and security concerns. Additionally, users increasingly have the ability to install browser add-ons that can force the use of HTTPS within popular web browsers such as Safari, Chrome, Internet Explorer and Firefox. These extensions force the browser to attempt HTTPS first.

It is the ultimate irony that the increasing use of SSL in an attempt to make our online lives more secure actually reduces security on the corporate network by creating blind spots for corporate security infrastructures.

HTTPS has been used for secure web communications on the Internet for almost two decades, but it is only recently that network security vendors have begun including HTTPS inspection as a feature. This is in response to client requirements regarding regulatory compliance, to search engines and web/mobile applications that utilize SSL by default and, most importantly, to malware that uses SSL as a transport to evade network detection devices.

SSL and the Enterprise

NSS research on the use of HTTPS reveals that within any given enterprise the current percentage of outbound network traffic that is SSL/TLS encrypted is about 25% to 35%. Performance issues relating to SSL can be attributed to several factors, but the most significant is the length of the certificate key. The larger the key, the more computing power is required to decrypt it.

Trustworthyinternet.org has a global dashboard known as SSL Pulse that extracts close to 200,000 well-known SSL websites from Alexa, [4] a company which provides analytics on ~1.5 million websites. The most recent report from SSL Pulse shows that out of 172,537 SSL websites surveyed, 91.1% were using 2048 bit ciphers. [5] This information, when viewed alongside the significant declines in performance and transaction rates that were observed during testing, questions the wisdom of enabling SSL inspection without planning for its cost.

[3] http://www.zdnet.com/blog/networking/twitter-adds-ssl-security/1374
[4] http://www.alexa.com
[5] https://www.trustworthyinternet.org/ssl-pulse/

Figure 2: Key Strength Distribution (figure not reproduced)

Performing HTTPS decryption inline on a NGFW device, or on any security device that is performing deep packet inspection, is a significant undertaking. Figure 3 shows the performance impacts (in milliseconds) that the various ciphers have on a 2GHz Pentium processor.

Figure 3: Decryption Times of 512 to 4096 Ciphers on 2GHz Pentium [6] (figure not reproduced)

NSS predicts that the default ciphers will increase in length, which will require more computing power. The standard default cipher that is acceptable today is 1024b and, according to NIST Special Publication 800-57, the standard default cipher of 2048b will be required by December 31, 2013. Anything below 2048b should be transitioned to the new standard. [7] NSS testing results indicate that this will be an issue for most network security vendors.

SSL and the Adversary

Many attack vectors may be used to compromise an asset, and blind spots within an infrastructure help attackers to evade detection. The following methods may be used:

- Drive-by malware sites using HTTPS
- C&Cs that communicate via SSL
- Malware with SSL callbacks

Recent research on the NSS threat database found that while only a small percentage (~1%) of malware is using SSL, this malware is highly sophisticated. These methods of attack pose real risks to an organization's infrastructure. Additionally, network security devices that lack the ability to inspect SSL traffic allow attackers to remain undetected by network monitoring.

Some of the attack methods listed above would require the end user to accept a SSL certificate. It can certainly be argued that sophisticated users will not click and accept a SSL certificate, and that seasoned security professionals will not accept either a self-signed certificate or one that is accompanied by a warning banner stating that the web browser cannot verify the identity of a website. However, most users will not realize the real risk and will click and accept. To illustrate this point, a recent infographic [8] on Get Cyber Safe, a web site dedicated to educating users on Internet security, showed that 16 million emails per day pass undetected through spam filters, 8 million of these are opened, and more than 800,000 users will click on the malicious links contained within these emails. [9]

2013 NGFW SSL Performance CAR

Earlier this year, NSS released a NGFW comparative analysis report that detailed the results of SSL performance testing of Check Point, Dell SonicWALL, Fortinet, Juniper, Palo Alto Networks, Sourcefire and Stonesoft.

The following analysis examines each vendor's ability to intercept, decrypt, process, and re-encrypt HTTPS traffic at network loads of varying size and varying connections per second, with SSL inspection enabled. Through the creation of genuine, session-based HTTPS traffic with varying session lengths, the device is forced to track valid TCP sessions, thus ensuring a higher workload than for simple packet-based background traffic. This provides a test environment that is as close to real world as it is possible to achieve in a lab environment, while still ensuring accuracy and repeatability.

[6] http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
[7] http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part3_key-management_dec2009.pdf
[8] http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-eng.aspx
[9] http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-eng.aspx

Each transaction consists of a SSL handshake followed by a single HTTP(S) GET request, and there are no transaction delays (the web server responds immediately to all requests). All packets contain valid payload (a mix of binary and ASCII objects) and address data, and the test represents a live network (albeit one that is biased towards HTTPS traffic) at various network loads. Figure 4 and Figure 5 provide a consolidated view of the vendor results.

Figure 4: SSL Performance Impacts on Bandwidth (figure not reproduced)

Figure 5: SSL Transaction per Second Loss (figure not reproduced)

Vendor Performance Numbers

Check Point 12600

The Check Point 12600 NGFW is currently performance rated at 5Gbps by Check Point. During SSL performance testing, the actual performance was rated at 4.22Gbps. It was also noted that the TPS versus the megabits per second (Mbps) remained relatively consistent with the 512b and 1024b ciphers. NSS anticipated a linear drop in performance and TPS as the ciphers doubled in size, but this was not the case. The 2048b cipher caused a decrease in TPS of 300, but performance was maintained at 550 Mbps. This is an 87 percent reduction from the measured 4.22Gbps baseline.

Figure 6: Check Point 12600 (figure not reproduced)

Dell SonicWALL SuperMassive E10800

The Dell SonicWALL SuperMassive E10800 NGFW is currently performance rated by the vendor at 12Gbps. During NSS testing, the actual performance was rated at 16.6Gbps. There was an expected linear reduction in TPS versus Mbps. The performance decrease between 512b and 1024b was marginal, but there was a significant performance loss at 2048b.

Impact on performance for tested ciphers:
- 84% w/512b
- 85% w/1024b
- 94% w/2048b

Figure 7: Dell SonicWALL SuperMassive E10800 (figure not reproduced)

Fortinet Fortigate-3600C

The Fortinet Fortigate-3600C NGFW is currently performance rated by the vendor at 60Gbps. During NSS testing, the actual performance was rated at 7,580Mbps. The expected linear drop in TPS versus Mbps held as the cipher strengths increased. The performance decreases between ciphers were marginal, but the overall performance impact was the greatest across all vendors.

Impact on performance for tested ciphers:
- 92.995% w/512b
- 93.497% w/1024b
- 94.077% w/2048b

Figure 8: Fortinet Fortigate-3600C (figure not reproduced)

Juniper SRX3600

The Juniper SRX3600 NGFW is currently performance rated by the vendor at 11Gbps. During NSS testing, the actual performance was rated at 3.3Gbps. Juniper performed the best out of all the vendors, with the lowest performance degradation. Additionally, Juniper demonstrated the highest throughput with 1024b and 2048b ciphers with onboard SSL. The TPS versus Mbps did not follow the anticipated linear reduction that was common with other products.

Impact on performance for tested ciphers:
- 34% w/512b
- 13% w/1024b
- 36% w/2048b

Figure 9: Juniper SRX3600 (figure not reproduced)

Palo Alto Networks PA-5020

The Palo Alto Networks PA-5020 NGFW is currently performance rated by the vendor at 2Gbps. During NSS testing, the actual performance was rated at 2.3Gbps. The TPS versus Mbps followed a linear reduction, with marginal performance degradation between 1024b and 2048b ciphers.

Impact on performance for tested ciphers:
- 66% w/512b
- 78% w/1024b
- 79% w/2048b

Figure 10: Palo Alto Networks PA-5020 (figure not reproduced)

Sourcefire 8250 & Sourcefire 8290

The Sourcefire 8250 NGFW is currently performance rated by the vendor at 10Gbps. During NSS testing, the actual performance was rated at 12.9Gbps. Sourcefire was the only vendor that utilized a dedicated SSL appliance during testing. The TPS achieved were the highest of all the devices tested.

Impact on performance for tested ciphers:
- 77.13% w/512b
- 77.52% w/1024b
- 82.95% w/2048b

Figure 11: Sourcefire 8250 (figure not reproduced)

The Sourcefire 8290 NGFW is currently performance rated by the vendor at 40Gbps. During NSS testing, the actual performance was rated at 52.3Gbps. The TPS and Mbps with SSL inspection remained the same as for the 8250. This is not a reflection of the performance capabilities of the 8250 and 8290, but rather of the processing limitation of the dedicated SSL appliance.

Impact on performance for tested ciphers:
- 94.359% w/512b
- 94.456% w/1024b
- 95.794% w/2048b

Figure 12: Sourcefire 8290 (figure not reproduced)

Stonesoft 3202

The Stonesoft 3202 NGFW is currently performance rated by the vendor at 3Gbps. During NSS testing, the actual performance was rated at 2.7Gbps. The TPS and the Mbps followed the predicted linear reduction as the cipher strength increased.

Impact on performance for tested ciphers:
- 54% w/512b
- 60% w/1024b
- 76% w/2048b

Figure 13: Stonesoft 3202 (figure not reproduced)
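The arithmetic behind the per-vendor loss figures above, and behind the recommendation to size SSL inspection capacity against ~20% yearly growth, is small enough to carry through in code. This is an added example, not NSS Labs code: the Check Point 12600 numbers (4.22 Gbps baseline, 550 Mbps at 2048b) and the per-vendor 2048b losses are the ones the brief quotes, while the enterprise traffic profile in main() is a constructed illustration.

```python
"""SSL inspection loss and capacity arithmetic in the terms this brief uses.

Added example, not NSS Labs code. Vendor figures are quoted from the brief;
the enterprise profile used for the growth projection is constructed.
"""
from typing import List, Optional, Sequence

# Check Point 12600 as reported in the brief (Gbps).
CHECK_POINT_BASELINE_GBPS = 4.22
CHECK_POINT_2048B_GBPS = 0.55  # 550 Mbps with a 2048b cipher


def loss_percent(baseline: float, with_ssl: float) -> float:
    """Loss as a percentage of the baseline; works for Gbps or TPS alike."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return (1.0 - with_ssl / baseline) * 100.0


def mean_loss(losses: Sequence[float]) -> float:
    """Mean average loss across the devices tested at one cipher strength."""
    if not losses:
        raise ValueError("need at least one measurement")
    return sum(losses) / len(losses)


def inspected_capacity_gbps(baseline_gbps: float, loss_pct: float) -> float:
    """Throughput left for SSL-inspected traffic once the measured loss applies."""
    return baseline_gbps * (1.0 - loss_pct / 100.0)


def losses_2048b_from_brief() -> List[float]:
    """2048b losses for the eight devices in the vendor section of the brief."""
    check_point = loss_percent(CHECK_POINT_BASELINE_GBPS, CHECK_POINT_2048B_GBPS)
    # Dell, Fortinet, Juniper, Palo Alto, Sourcefire 8250, Sourcefire 8290, Stonesoft
    return [check_point, 94.0, 94.077, 36.0, 79.0, 82.95, 95.794, 76.0]


def years_until_exhausted(ssl_gbps_today: float, capacity_gbps: float,
                          yearly_growth: float = 0.20,
                          max_years: int = 20) -> Optional[int]:
    """First year (0 = today) in which SSL demand exceeds inspection capacity.

    Demand compounds at yearly_growth (the brief's ~20% per year). Returns None
    when capacity still holds after max_years.
    """
    demand = ssl_gbps_today
    for year in range(max_years + 1):
        if demand > capacity_gbps:
            return year
        demand *= 1.0 + yearly_growth
    return None


def main() -> None:
    cp_loss = loss_percent(CHECK_POINT_BASELINE_GBPS, CHECK_POINT_2048B_GBPS)
    print(f"Check Point 12600, 2048b: {cp_loss:.1f}% loss")  # ~87%
    losses = losses_2048b_from_brief()
    print(f"mean 2048b loss over {len(losses)} devices: {mean_loss(losses):.1f}%")
    # Constructed enterprise: 4 Gbps outbound, 25% of it SSL (the brief's low
    # end), inspected by a device with 2.3 Gbps of SSL capacity after loss.
    ssl_today = 4.0 * 0.25
    years = years_until_exhausted(ssl_today, capacity_gbps=2.3)
    print(f"SSL today {ssl_today:.2f} Gbps; capacity exceeded in year {years}")


if __name__ == "__main__":
    main()
```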

Reading List

The Targeted Persistent Attack (TPA): The Misunderstood Security Threat Every Enterprise Faces. NSS Labs. https://www.nsslabs.com/reports/analysis-brief-targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise

2013 Next Generation Firewall Comparative Analysis. NSS Labs. https://www.nsslabs.com/reports/2013-next-generation-firewall-comparative-analysis

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.