BRIEF

Author: John W. Pirc

Overview
In early 2013, NSS Labs released the results of its Next Generation Firewall Comparative Analysis Reports (NGFW CARs). As part of the analysis, NSS assessed the performance of client-side secure sockets layer (SSL) decryption in seven of the eight NGFWs included in that voluntary group test. The impact on performance of SSL decryption, whether performed as a feature within the NGFW or offloaded to a separate SSL appliance, was significant.

NSS research shows that 25% to 35% of enterprise traffic is SSL and that, depending on the industry vertical, the proportion of SSL traffic can reach as high as 70%. NSS research also found that 2048-bit keys caused a mean performance loss of 81% across all vendors tested. (Throughout this brief, a "cipher strength" of 512, 1024 or 2048 bits refers to the length of the RSA key used in the handshake; each full handshake costs the decrypting device one RSA private-key operation, and that cost grows steeply with key length.) Certificate authorities intend to stop issuing certificates with 1024-bit keys and to move to 2048-bit keys by December 31, 2013.

Although the performance numbers are cause for concern, the presence of malware within encrypted channels is a real, albeit relatively small, threat in enterprise environments that warrants decryption and scanning as a best practice.
Figure 1 displays the aggregated results from the vendor tests.

Figure 1: SSL Performance Impacts on Bandwidth and Transaction per Second Loss
NSS Labs
SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement
NSS Labs Findings

- The average proportion of SSL traffic within a typical enterprise is 25% to 35%.
- The NSS threat database [1] has uncovered a small percentage (~1%) of malware using SSL.
- NSS research indicates that the majority of threats using SSL as a transport fall under the targeted persistent attack (TPA) category.
- Mean throughput loss across the 7 NGFWs: ~74% with 512-bit and 1024-bit keys; ~81% with 2048-bit keys.
- Mean transactions per second (TPS) loss across the 7 NGFWs: ~86.80% with 512-bit keys; ~87.79% with 1024-bit keys; ~92.28% with 2048-bit keys.
- The Sourcefire NGFW had the highest rated TPS performance. However, Sourcefire was the only vendor that used a dedicated SSL appliance.
- The Dell SonicWALL SuperMassive E10800 NGFW had the highest rated TPS performance with onboard SSL decryption.
- Juniper was rated best with regard to performance loss and reduction in TPS.
- All vendors had significant performance issues and TPS loss with 2048-bit keys.
- NSS has concerns about the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.

[1] Our database is a collection of malware samples that are collected in real time from around the world.
NSS Labs Recommendations

- Enterprises are advised to review the SSL performance ratings in order to decide which platform meets their performance requirements. Additionally, NSS recommends that a platform be tested before a purchasing decision is made.
- Enterprises should measure the SSL traffic in their current network environment to allow for future capacity planning. [2] An average yearly increase of ~20% in SSL traffic should be expected.
- Consideration should only be given to products that support the creation of rules for bypassing SSL decryption based on URL categories, such as healthcare, banking, and mobile apps that carry sensitive and personal information. Depending on an organization's network traffic, this could substantially reduce performance loss and assist with the organization's compliance with national privacy laws.
- Enterprises should seek to offset the SSL risk by deploying endpoint security and breach detection solutions that are behavior-based and able to detect command and control (C&C) and malware callbacks via SSL.
- Enterprises should educate users about the dangers of accepting a self-signed or otherwise invalid certificate, in the same way they would educate about spam and phishing.

[2] http://www.bluecoat.com/sites/default/files/documents/files/How_to_Gain_Visibility_and_Control_of_Encrypted_SSL_Web_Sessions.a.pdf
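The category-based bypass recommendation above hinges on a detail the brief leaves implicit: the inspecting device must decide whether to decrypt before the handshake completes, and at that point the only hostname it has is the Server Name Indication (SNI) in the ClientHello. The following is an added example, not code from the NSS brief or from any vendor product, showing how that decision is made: it parses the SNI out of a raw TLS ClientHello record and applies a bypass policy. The category table, the hostnames and the ClientHello builder are constructed for the example; the parser follows the TLS record and extension layout.

```python
"""Decrypt-or-bypass decision from the TLS ClientHello.

Added example (not from the NSS brief): a middlebox offering category-based
bypass has to classify the session before completing the handshake, and the
only hostname available at that point is the SNI in the ClientHello. The
category table and hostnames below are constructed.
"""
import struct
from typing import Optional

# Hypothetical URL-category assignments (constructed for this example).
CATEGORY = {
    "portal.example-hospital.org": "healthcare",
    "online.example-bank.com": "banking",
    "api.example-mobile-app.net": "mobile-apps",
    "cdn.example-news.com": "news",
}
# Categories carrying sensitive personal data: never decrypt these sessions.
BYPASS_CATEGORIES = {"healthcare", "banking", "mobile-apps"}


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent.

    Walks record header -> handshake header -> ClientHello fields -> extensions.
    Raises ValueError when the bytes are not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                     # client_version + random
    pos += 1 + hello[pos]                            # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                            # compression_methods
    if pos >= len(hello):
        return None                                  # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:                          # 0 = server_name
            continue
        lpos = 2                                     # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:                           # host_name entry
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
            lpos += 3 + nlen
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello; constructed test input only."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_ext = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sn_ext)) + sn_ext
    hello = (b"\x03\x03" + b"\x11" * 32             # version, random
             + b"\x00"                               # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
             + b"\x01\x00")                          # null compression only
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decrypt_decision(record: bytes) -> str:
    """Return "bypass" for sensitive categories, "decrypt" for everything else.

    Inspection is the default: an unknown host, a missing SNI or a malformed
    hello all stay on the decrypt path rather than silently escaping scanning.
    """
    try:
        host = parse_sni(record)
    except (ValueError, struct.error, IndexError):
        return "decrypt"
    if host is None:
        return "decrypt"
    category = CATEGORY.get(host.lower(), "uncategorized")
    return "bypass" if category in BYPASS_CATEGORIES else "decrypt"
```

Two design choices matter here. First, the default is to decrypt: a session with no SNI or an unrecognized host is not quietly exempted, because that is exactly the gap malware would use. Second, the SNI is attacker-controlled plaintext; a production policy should confirm the hostname against the certificate the server later presents before trusting a bypass decision.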
Table of Contents

Overview
NSS Labs Findings
NSS Labs Recommendations
Analysis
  SSL and the Enterprise
  SSL and the Adversary
  2013 NGFW SSL Performance CAR
  Vendor Performance Numbers
    Check Point 12600
    Dell SonicWALL SuperMassive E10800
    Fortinet Fortigate-3600C
    Juniper SRX3600
    Palo Alto Networks PA-5020
    Sourcefire 8250 & Sourcefire 8290
    Stonesoft 3202
Reading List
Contact Information

Table of Figures

Figure 1: SSL Performance Impacts on Bandwidth and Transaction per Second Loss
Figure 2: Key Strength Distribution
Figure 3: Decryption Times of 512 to 4096 Ciphers on 2GHz Pentium
Figure 4: SSL Performance Impacts on Bandwidth
Figure 5: SSL Transaction per Second Loss
Figure 6: Check Point 12600
Figure 7: Dell SonicWALL SuperMassive E10800
Figure 8: Fortinet Fortigate-3600C
Figure 9: Juniper SRX3600
Figure 10: Palo Alto Networks PA-5020
Figure 11: Sourcefire 8250
Figure 12: Sourcefire 8290
Figure 13: Stonesoft 3202
Analysis
During a recent analysis of NGFWs, NSS verified the performance impact of client-side SSL inspection, and the results showed considerable room for improvement. This raises concerns about the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.

SSL and the Enterprise

NSS research has found that the use of HTTPS has risen significantly over the past few years; web browser-based applications such as Facebook and Twitter, [3] and search engines such as Google, are enabling SSL by default as a result of privacy and security concerns. Additionally, users increasingly have the ability to install browser add-ons that force the use of HTTPS within popular web browsers such as Safari, Chrome, Internet Explorer and Firefox. These extensions direct the browser to the HTTPS version of a site first.

It is the ultimate irony that the increasing use of SSL in an attempt to make our online lives more secure actually reduces security on the corporate network by creating blind spots for corporate security infrastructure.

HTTPS has been used for secure web communications on the Internet for almost two decades, but it is only recently that network security vendors have begun including HTTPS inspection as a feature. This is in response to client requirements regarding regulatory compliance, to search engines and web/mobile applications that use SSL by default and, most importantly, to malware that uses SSL as a transport to evade network detection devices.

[3] http://www.zdnet.com/blog/networking/twitter-adds-ssl-security/1374
[4] http://www.alexa.com
[5] https://www.trustworthyinternet.org/ssl-pulse/
Figure 2: Key Strength Distribution
Performing HTTPS decryption inline on an NGFW, or on any security device that is performing deep packet inspection, is a significant undertaking. Figure 3 shows the time (in milliseconds) that the various key sizes cost on a 2GHz Pentium processor. [6] NSS predicts that default key lengths will continue to increase, which will require more computing power. The minimum key length that is still acceptable today is 1024 bits and, according to NIST Special Publication 800-57, 2048-bit keys will be required by December 31, 2013. [7] Anything below 2048 bits should be transitioned to the new standard. NSS testing results indicate that this will be an issue for most network security vendors.

Figure 3: Decryption Times of 512 to 4096 Ciphers on 2GHz Pentium

[6] http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
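The reason the move from 1024-bit to 2048-bit keys costs far more than a factor of two is arithmetic, not vendor implementation: with an RSA key exchange every full handshake requires the decrypting device to perform one private-key operation, a modular exponentiation whose cost grows roughly with the cube of the key length. The following is an added example, not code from the NSS brief, that measures that operation on the local machine for 512-, 1024- and 2048-bit sizes, turns the per-operation time into a ceiling on handshakes per second, and implements the "performance loss" percentage the brief reports. The modulus and exponent are random stand-in integers of the right size rather than a real key pair (an assumption stated in the code); the cost of `pow(c, d, n)` is the same either way.

```python
"""Why 2048-bit keys are expensive for inline SSL inspection.

Added example (not from the NSS brief). With an RSA key exchange, each full
handshake costs the decrypting device one private-key operation, a modular
exponentiation with a key-sized exponent. The timings below use random
stand-in values of the right size, not real key pairs. The loss_percent
function implements the "performance loss" metric the brief reports.
"""
import secrets
import time


def private_op_seconds(bits: int, samples: int = 7) -> float:
    """Median time of one c^d mod n with a `bits`-long n and d.

    n and d are random odd integers of the right size rather than a real key
    pair (the arithmetic cost is identical); the median damps scheduler noise.
    """
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    d = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    c = secrets.randbelow(n)
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        pow(c, d, n)
        times.append(time.perf_counter() - start)
    times.sort()
    return times[len(times) // 2]


def relative_cost(bits_from: int, bits_to: int) -> float:
    """Per-handshake cost at bits_to divided by the cost at bits_from.

    Schoolbook modular multiplication is quadratic in the operand size and
    the exponent length doubles as well, so 1024 -> 2048 lands near 8x.
    """
    return private_op_seconds(bits_to) / private_op_seconds(bits_from)


def max_handshakes_per_second(bits: int, cores: int = 1) -> float:
    """Ceiling on full handshakes per second if the private-key operation were
    the only cost; real devices add certificate re-signing, record decryption
    and content inspection on top, so observed TPS is lower."""
    return cores / private_op_seconds(bits)


def loss_percent(baseline: float, with_ssl: float) -> float:
    """Performance loss as the brief reports it: the drop from the device's
    measured non-SSL baseline, in percent. 100 Mbps -> 19 Mbps is 81.0."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return round(100.0 * (baseline - with_ssl) / baseline, 2)


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        t = private_op_seconds(bits)
        print(f"{bits}-bit: {t * 1000:.2f} ms/op, "
              f"<= {max_handshakes_per_second(bits):.0f} handshakes/s/core")
    print(f"1024 -> 2048 cost ratio: {relative_cost(1024, 2048):.1f}x")
```

Two caveats when reading the output. The baseline in `loss_percent` is the throughput NSS measured without SSL, not the vendor's datasheet rating; using the datasheet number would understate or overstate the loss depending on how far the device was from its rating. And hardware RSA offload or CRT-based implementations shift the absolute numbers down without changing the scaling, which is why the brief's aggregate loss still rises from 1024 to 2048 bits across every vendor.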
SSL and the Adversary

Recent research on the NSS threat database found that while only a small percentage (~1%) of malware uses SSL, this malware is highly sophisticated. These methods of attack pose real risks to an organization's infrastructure. Additionally, network security devices that lack the ability to inspect SSL traffic allow attackers to remain undetected by network monitoring.
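The recommendation earlier in this brief to deploy behavior-based detection for C&C and malware callbacks over SSL, and the point just made about attackers staying invisible to devices that cannot decrypt, both rest on the same observation: an implant's callback pattern is visible in connection metadata even when the payload is not. The following is an added example, not code from the NSS brief or from any product, that flags periodic, same-sized connections to a TLS port in a connection log. The log lines are constructed, with a simplified Zeek conn.log-style layout (timestamp, source, destination, destination port, bytes sent), and the thresholds are illustrative assumptions to be tuned per environment.

```python
"""Behaviour-based callback detection over TLS connection logs.

Added example (not from the NSS brief). A device that cannot decrypt can
still notice an implant beaconing to its command-and-control server: the
client reconnects at near-fixed intervals and sends near-identical byte
counts. The log lines below are constructed; the field layout
(ts, src, dst, dst_port, bytes_out) is a simplified Zeek conn.log-style record.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 calls 203.0.113.10:443 every ~300 s with the
# same 812-byte request; 10.0.0.7 is ordinary, irregular web browsing.
SAMPLE_LOG = """\
1000.0 10.0.0.5 203.0.113.10 443 812
1000.4 10.0.0.7 198.51.100.4 443 15230
1301.1 10.0.0.5 203.0.113.10 443 812
1322.9 10.0.0.7 198.51.100.9 443 4410
1599.7 10.0.0.5 203.0.113.10 443 812
1640.2 10.0.0.7 198.51.100.4 443 20188
1901.3 10.0.0.5 203.0.113.10 443 812
1955.8 10.0.0.7 198.51.100.4 443 9820
2200.9 10.0.0.5 203.0.113.10 443 812
2201.2 10.0.0.7 198.51.100.12 443 3011
"""


def parse_log(text):
    """Group connections by (src, dst, dst_port) -> list of (ts, bytes_out)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append((float(ts), int(nbytes)))
    return flows


def beacon_score(events, min_events=5):
    """Return (interval_cv, size_cv) for one peer pair, or None if too few.

    cv = population stdev / mean. Human browsing has large, irregular gaps
    and varied sizes (cv well above 0.5); a sleep-and-callback loop sits near 0.
    Requiring min_events keeps one-off retries from scoring.
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    sizes = [e[1] for e in events]
    mean_gap = mean(gaps)
    mean_size = mean(sizes)
    interval_cv = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
    size_cv = pstdev(sizes) / mean_size if mean_size > 0 else 0.0
    return (interval_cv, size_cv)


def find_beacons(text, max_interval_cv=0.15, max_size_cv=0.10, ports=(443,)):
    """Flag TLS-port peers whose timing and size regularity are both under
    the (assumed, tunable) thresholds.
    Returns (src, dst, port, interval_cv, size_cv) tuples."""
    hits = []
    for (src, dst, port), events in parse_log(text).items():
        if port not in ports:
            continue
        score = beacon_score(events)
        if score is not None and score[0] <= max_interval_cv and score[1] <= max_size_cv:
            hits.append((src, dst, port, round(score[0], 3), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Real implants add random jitter to their sleep interval and pad requests, which raises both coefficients of variation; treat this as one signal to combine with destination reputation, certificate details seen in the handshake and endpoint telemetry, not as a verdict on its own. Legitimate software updaters and monitoring agents also beacon, so an allowlist of known periodic destinations belongs in front of any alerting.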
Some of these attack methods would require the end user to accept an SSL certificate. It can certainly be argued that sophisticated users will not click through and accept an untrusted SSL certificate, and that seasoned security professionals will not accept either a self-signed certificate or one that is accompanied by a warning stating that the web browser cannot verify the identity of the website. However, most users will not realize the real risk and will click and accept. [8] To illustrate this point, a recent infographic on Get Cyber Safe, a web site dedicated to educating users on Internet security, showed that 16 million emails per day pass undetected through spam filters, 8 million of these are opened, and more than 800,000 users will click on the malicious links contained within these emails. [9]

[7] http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
[8] http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-eng.aspx
[9] http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-eng.aspx
2013 NGFW SSL Performance CAR

Each transaction consists of an SSL handshake followed by a single HTTP(S) GET request, and there are no transaction delays (the web server responds immediately to all requests). All packets contain valid payload (a mix of binary and ASCII objects) and address data, and the test represents a live network (albeit one that is biased towards HTTPS traffic) at various network loads. Because every transaction begins with a fresh full handshake, the test exercises the per-handshake RSA cost rather than bulk decryption; production traffic with session reuse and long-lived connections will show a smaller loss than these figures. Figure 4 and Figure 5 provide a consolidated view of the vendor results.

Figure 4: SSL Performance Impacts on Bandwidth

Figure 5: SSL Transaction per Second Loss
Vendor Performance Numbers

[Vendor heading and text for this section were not recovered; only the figures survived extraction.] Impact on performance for tested key sizes:
- 512-bit: 84%
- 1024-bit: 85%
- 2048-bit: 94%
Fortinet Fortigate-3600C

The Fortinet Fortigate-3600C NGFW is currently performance rated by the vendor at 60 Gbps. During NSS testing, the measured performance was 7,580 Mbps. The expected linear drop in TPS relative to Mbps held constant as the key sizes increased. The differences between key sizes were marginal, but the overall performance impact was the greatest among the vendors decrypting SSL onboard. Impact on performance for tested key sizes:
- 512-bit: 92.995%
- 1024-bit: 93.497%
- 2048-bit: 94.077%
Juniper SRX3600

The Juniper SRX3600 NGFW is currently performance rated by the vendor at 11 Gbps. During NSS testing, the measured performance was 3.3 Gbps. Juniper performed best out of all the vendors, with the lowest performance degradation. Additionally, Juniper demonstrated the highest throughput with 1024-bit and 2048-bit keys with onboard SSL. The TPS versus Mbps did not follow the anticipated linear reduction that was common to the other products. Impact on performance for tested key sizes:
- 512-bit: 34%
- 1024-bit: 13%
- 2048-bit: 36%
Palo Alto Networks PA-5020

The Palo Alto Networks PA-5020 NGFW is currently performance rated by the vendor at 2 Gbps. During NSS testing, the measured performance was 2.3 Gbps. The TPS versus Mbps followed a linear reduction, with marginal performance degradation between 1024-bit and 2048-bit keys. Impact on performance for tested key sizes:
- 512-bit: 66%
- 1024-bit: 78%
- 2048-bit: 79%

Sourcefire 8250

[Section text not recovered; these figures sit where the table of contents places the Sourcefire 8250, and are consistent with the 8290 results below.] Impact on performance for tested key sizes:
- 512-bit: 77.13%
- 1024-bit: 77.52%
- 2048-bit: 82.95%
Sourcefire 8290

The Sourcefire 8290 NGFW is currently performance rated by the vendor at 40 Gbps. During NSS testing, the measured performance was 52.3 Gbps. The TPS and Mbps under SSL remained the same as for the 8250. This is not a reflection of the performance capabilities of the 8250 and 8290, but rather of the processing limit of the dedicated SSL appliance. Impact on performance for tested key sizes:
- 512-bit: 94.359%
- 1024-bit: 94.456%
- 2048-bit: 95.794%

Stonesoft 3202

The Stonesoft 3202 NGFW is currently performance rated by the vendor at 3 Gbps. During NSS testing, the measured performance was 2.7 Gbps. The TPS and the Mbps followed the predicted linear reduction as the key size increased. Impact on performance for tested key sizes:
- 512-bit: 54%
- 1024-bit: 60%
- 2048-bit: 76%
Reading List

The Targeted Persistent Attack (TPA): The Misunderstood Security Threat Every Enterprise Faces. NSS Labs.
https://www.nsslabs.com/reports/analysis-brief-targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise

2013 Next Generation Firewall Comparative Analysis. NSS Labs.
https://www.nsslabs.com/reports/2013-next-generation-firewall-comparative-analysis
Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746
USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

© 2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.