Array Networks has announced a new report by The Tolly Group on the testing and analysis of the performance of Web Application Firewall (WAF) and Next-Gen Firewall (NGFW) virtual appliances performing SSL/TLS decryption and re-encryption both unassisted and with the Array AVX Series Network Functions Platform and SSL offload capability.
Tests showed large improvements across multiple metrics when SSL processing was offloaded to the AVX Series. This is particularly important for IT administrators concerned with application security and performance. These tests demonstrate that without some kind of SSL processing assistance, virtual security appliances cannot cope with the volume of encrypted traffic on today’s networks.
“Our testing of ‘virtual’ or software-defined WAFs and next-generation firewalls clearly shows serious performance issues in dealing with pervasive SSL-based traffic. Due to significant degradation of WAF, NGFW and IPS performance under real-word traffic, data centre admin users must either accept poor user experience or spend significant money to buy additional equipment to scale up. Array’s AVX network functions platform provides a cost-effective solution to assure performance without sacrificing the agility of virtual appliances,” said Kevin Tolly, Founder, The Tolly Group.
SSL-encrypted traffic comprises more than 80 per cent of all internet traffic today, and is expected to increase. In addition, it has been shown in numerous reports that bad actors are increasingly concealing malware within SSL/TLS traffic. In order to fully inspect SSL-encrypted traffic, security appliances like WAFs, next-gen firewalls, IDS/IPS and deep packet inspection must first decrypt the traffic, inspect it, and then re-encrypt before forwarding to its final destination. The newer 4096-bit SSL encryption standard is more compute-intensive than the previous standard. In addition, as IT teams increasingly move security functions to virtual environments, SSL handling robs processing cycles from the core functions of virtual security appliances and thus impacts overall performance.
“In addition to compute, memory and I/O resources, the AVX Series Network Functions Platforms include high-performance cryptography resources and provide guaranteed resources per virtual appliance. The Tolly Group testing clearly shows both the impact of SSL processing on WAF and next-gen firewall virtual appliances, as well as the performance benefits gained by leveraging the AVX Series’ on-board SSL processing resources,” said Milind Kulkarni, Senior Director – Product Management, Array Networks.
With SSL offload in place, researchers found that the virtual WAF appliance’s performance improved dramatically for transactions per second, data throughput and URL response time, which is closely correlated with user experience. Similarly for the virtual NGFW appliance, there was a marked improvement across those metrics.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]