With SSL traffic growing exponentially within enterprises, NGFW vendors and enterprises must confront growing security and business implications
AUSTIN, Texas – June 12, 2013 − NSS Labs today released new research analyzing the negative impact that client-side secure sockets layer (SSL) decryption has on the performance of leading next-generation firewall (NGFW) devices. With the rapid increase in SSL traffic, the ability of security devices to inspect SSL traffic effectively will continue to be a key challenge and consideration for enterprises making purchasing decisions and NSS’ current testing reveals there is considerable room for performance improvement from most leading vendors.
NSS research found the following key conclusions:
- Inspecting SSL traffic impacts both overall throughput and the average number of transactions per second for NGFWs: On average, the 7 NGFW devices tested by NSS Labs experienced a performance loss of ~74% with 512b and 1024b (current industry standard) ciphers and ~81% loss with 2048b ciphers, which will become the industry standard by the end of 2013. The average number of transactions per second also decreased significantly – on average ~86.8% with 512b ciphers, ~87.79% with 1024b, and ~92.28% with 2048b. Although all vendors had decreases in performance, Sourcefire (the only vendor using a dedicated SSL appliance) had the highest rated TPS performance; Dell SonicWALL had the highest TPS performance with onboard SSL decryption; and Juniper had the least impact to throughput performance.
- SSL traffic on enterprise networks is growing rapidly & creating security blind spots: Currently, SSL traffic will comprise ~25 – 35% of a typical enterprise’s network traffic. With the rise in use of HTTPS and with applications (such as Twitter and Facebook) and search engines enabling SSL by default, most enterprises should expect an average yearly increase of ~20% in SSL traffic. Ironically, increased use of SSL in attempt to make our online lives more secure can create “blind spots” that can actually reduce security on corporate networks because network security products and other defenses may not be able to monitor SSL traffic effectively or efficiently.
- Exploits using SSL may be few, but usually involve highly sophisticated malware: Although NSS’ research notes that today only a small percentage of malware are designed to attack using SSL, these types of threats typically fall under the Targeted Persistent Attack (TPA) category and pose significant risks to an organization’s infrastructure. As long as SSL provides attractive cover, more attackers will presumably employ it for exploits.
Commentary: NSS Labs Research Vice President John Pirc
“I knew that onboard vs. offboard SSL/TLS decryption likely wouldn't yield favorable results, but I was blown away with the increased performance loss created by moving from 1024 bit certificates to 2048 bit certificates,” said John Pirc, Research Vice President at NSS Labs. “Because industry standards are moving towards 2048b and SSL/TLS traffic is rapidly increasing, the ability to effectively support SSL/TLS decryption can no longer be swept under the rug. If this thought process continues I foresee a huge issue in the future for enterprises trying to keep targeted persistent attacks at bay.”
“Today, the percentage of malware using SSL/TLS is very small, however, as more decide to use SSL/TLS for both delivering malware and as a call back to a command and control server, we are going to be blind to the attacks. I think we still have time for vendors to improve their capabilities… but until then, we may have to accept that operating an additional piece of hardware in the network dedicated to SSL decryption is probably our best strategy,” adds Pirc. “The adversaries out there have an incredible imagination for creating methods of exploitation that go against how traditional communication protocols are supposed to be used, such as email and web, and with this SSL/TLS issue… it’s likely to get interesting.”