Array Networks Inc. announced a new report by The Tolly Group on the testing and analysis of the performance of Web Application Firewall (WAF) and Next-Gen Firewall (NGFW) virtual appliances performing SSL/TLS decryption and re-encryption both unassisted and with the Array AVX Series Network Functions Platform and SSL offload capability.
Tests showed large improvements across multiple metrics when SSL processing was offloaded to the AVX Series. This is particularly important for IT administrators concerned with application security and performance. These tests demonstrate that without some kind of SSL processing assistance, virtual security appliances cannot cope with the volume of encrypted traffic on today's networks.
"Our testing of 'virtual' or software-defined WAFs and next-generation firewalls clearly shows serious performance issues in dealing with pervasive SSL-based traffic," said Kevin Tolly, founder of The Tolly Group. "Due to significant degradation of WAF, NGFW and IPS performance under real-word traffic, data center admin users must either accept poor user experience or spend significant money to buy additional equipment to scale up. Array's AVX network functions platform provides a cost-effective solution to assure performance without sacrificing the agility of virtual appliances."
SSL-encrypted traffic comprises more than 80 percent of all internet traffic today, and is expected to increase. In addition, it has been shown in numerous reports that bad actors are increasingly concealing malware within SSL/TLS traffic. In order to fully inspect SSL-encrypted traffic, security appliances like WAFs, next-gen firewalls, IDS/IPS and deep packet inspection must first decrypt the traffic, inspect it, and then re-encrypt before forwarding to its final destination. The newer 4096-bit SSL encryption standard is much more compute-intensive than the previous standard. In addition, as IT teams increasingly move security functions to virtual environments, SSL handling robs processing cycles from the core functions of virtual security appliances and thus impacts overall performance.
"In addition to compute, memory and I/O resources, the AVX Series Network Functions Platforms include high-performance cryptography resources and provide guaranteed resources per virtual appliance," said Milind Kulkarni, Senior Director ofProduct Management for Array Networks. "The Tolly Group testing clearly shows both the impact of SSL processing on WAF and next-gen firewall virtual appliances, as well as the performance benefits gained by leveraging the AVX Series' on-board SSL processing resources."
The testing was performed by Tolly Group personnel using market-leading WAF and NFGW products. Performance was benchmarked by processing HTTP (unsecured) traffic, then HTTPS (secured) traffic, both without utilizing the AVX Series SSL processing resources. A third set of tests was run for HTTPS traffic with the AVX Series performing SSL offloading, i.e. decrypting the traffic, passing it to the security VA for processing, then re-encrypting the payload before forwarding it on to the final destination.
With SSL offload in place, researchers found that the virtual WAF appliance's performance improved dramatically for transactions per second, data throughput and URL response time, which is closely correlated with user experience. Similarly for the virtual NGFW appliance, there was a marked improvement across those metrics.