Solving IT’s SSL/TLS Traffic Dilemma

May 26, 2021

As the volume of data traffic continues to explode on today’s enterprise networks, IT is working harder than ever to balance the often competing priorities of performance, availability, and security. One relatively new phenomenon presents a further wrinkle for IT to consider as new networks are architected: encrypted traffic is now the “normal”.

Specifically, SSL/TLS traffic has come to dominate network traffic: as of 2018, 80 percent of traffic was encrypted versus 20 percent unencrypted, and the encrypted share is likely to grow. The problem for IT arises when bad actors hide malware inside this encrypted traffic as a means of bypassing security measures. For any enterprise that uses software-defined or “virtual” security appliances such as Web Application Firewalls (WAFs), Next-Generation Firewalls (NGFWs), Intrusion Detection and Prevention Systems (IDS/IPS) or other functions to inspect this traffic, the network can face serious performance and availability issues.

This is because these security appliances need to decrypt the SSL/TLS traffic in order to inspect it and apply policy, then re-encrypt it before sending the traffic on its way to the application server. Furthermore, advances in cryptography, larger and more sophisticated keys, and newer algorithms such as ECC continue to raise the bar in terms of the compute resources necessary to handle this traffic load. The end result is that the process makes the security devices almost unusable or, worse, allows traffic to pass uninspected into the heart of the network; neither option is acceptable for any reasonable organization.

While we’re sure this makes sense logically, the next question is “How much of an issue is this performance hit really?” We had a good idea that it was indeed a big deal and have heard many anecdotes from our customers, but we needed hard numbers. We decided to enlist the help of third-party testing leader The Tolly Group to help us discover not only how big of an impact this issue has on performance and scale, but also how our own network functions platform, the AVX series, could help enterprises overcome this issue without resorting to costly network brokers or additional dedicated security appliances.

The Tolly Group has put together a report on the quite dramatic results, available here: https://www.arraynetworks.com/search-offers/Tolly-SSL.php. We’ll provide some of the details of this report today, but please download the complete report for the true granular results.

In summary, The Tolly Group conducted tests using the AVX in three separate scenarios and with two different popular security appliances: the first a well-known WAF and the other a very popular NGFW. The first scenario ran clear, unencrypted traffic through the virtual appliance loaded onto the AVX. The second ran encrypted traffic through the same virtual security appliance on the AVX but without SSL/TLS offload, a function that accelerates the decryption and re-encryption of SSL/TLS traffic. The third and final scenario measured encrypted traffic through the virtual appliance (VA) on the AVX with SSL/TLS offload engaged.

In brief, when forced to cope with encrypted traffic without SSL offload, the performance of both the WAF and the NGFW slowed to a glacial pace – as few as 117 transactions per second, a whopping 90 percent degradation. This would either essentially kill access to the application or, worse, engage the bypass function that would allow uninspected and potentially dangerous traffic into the network core. By contrast, with SSL offload engaged on the AVX9800 platform, WAF transactions per second increased 67-fold compared with the scenario without this functionality, and WAF data throughput increased 46-fold. Similar results were seen with NGFW traffic, with transactions per second increasing five-fold over the alternative.

So why were the results so dramatically different? Array’s SSL offloading, acting as a proxy, decrypts SSL traffic to allow third-party security appliances to perform inspection, then re-encrypts the traffic before forwarding it to its final destination. The AVX incorporates a purpose-built SSL/TLS stack that engages onboard hardware SSL/TLS accelerators to offload compute-intensive SSL/TLS processing, allowing security appliances to operate at their peak performance level.

In the SSL/TLS offloading process, the Array appliance plays the role of an ingress node to intercept and decrypt SSL traffic, and the role of an egress node to forward inspected traffic to the data center servers. When there are two or more security devices deployed, the Array appliance supports load balancing of decrypted traffic to the security devices. SSL offloading supports a variety of deployment combinations based on the security device’s distribution mode, deployment layer and network topology.
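To make the ingress/egress roles and the load-balancing step above concrete, here is a small loopback Go program added for illustration; it is not Array’s code and not part of the Tolly report. The client’s TLS session terminates at the intercept node (ingress), the decrypted request is handed round-robin to one of two inspection devices, and only traffic the policy allows is re-encrypted on a second TLS session toward the application server (egress). The throwaway certificate, the `constructed-bad-pattern` rule, and every function name are assumptions made for this demo.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"sync/atomic"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway loopback certificate (constructed for this
// demo; a real intercept node would present a CA-issued certificate).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

var next uint32

// roundRobin is the load-balancing step: decrypted traffic is spread across
// two or more security devices, each of which returns true to allow it.
func roundRobin(devices []func(string) bool, plain string) bool {
	return devices[atomic.AddUint32(&next, 1)%uint32(len(devices))](plain)
}

// serve starts a TLS listener on loopback; the TLS stack decrypts each
// connection's first line and hands it to handler as plaintext.
func serve(cert tls.Certificate, handler func(line string, c net.Conn)) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) {
				defer c.Close()
				if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
					handler(line, c)
				}
			}(c)
		}
	}()
	return ln.Addr().String()
}

// sendVia is the client: it only ever speaks TLS to the intercept node.
func sendVia(addr string, pool *x509.CertPool, msg string) string {
	c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool})
	check(err)
	defer c.Close()
	fmt.Fprintf(c, "%s\n", msg)
	resp, _ := bufio.NewReader(c).ReadString('\n')
	return strings.TrimSpace(resp)
}

// Demo wires client -> intercept node -> application server and returns the
// responses to a benign and to a policy-violating message.
func Demo() (allowed, denied string) {
	cert, pool := selfSignedCert()
	// Stand-in for the data center server: answers each line with "OK: <line>".
	upstream := serve(cert, func(line string, c net.Conn) { fmt.Fprintf(c, "OK: %s", line) })
	// Two inspection devices sharing one constructed WAF-style rule.
	rule := func(plain string) bool { return !strings.Contains(plain, "constructed-bad-pattern") }
	devices := []func(string) bool{rule, rule}
	// Ingress: inspect the decrypted line, then re-encrypt toward the server
	// (egress) only when policy allows; blocked traffic never reaches it.
	ingress := serve(cert, func(line string, c net.Conn) {
		if !roundRobin(devices, line) {
			fmt.Fprint(c, "DENIED\n")
			return
		}
		up, err := tls.Dial("tcp", upstream, &tls.Config{RootCAs: pool})
		check(err)
		defer up.Close()
		fmt.Fprint(up, line)
		resp, _ := bufio.NewReader(up).ReadString('\n')
		fmt.Fprint(c, resp)
	})
	return sendVia(ingress, pool, "hello"), sendVia(ingress, pool, "request carrying constructed-bad-pattern")
}
```

Note where the cost sits: every request costs the intercept node two TLS handshakes and two sets of record encryption (client-facing and server-facing), while the inspection devices only ever see plaintext. That is exactly the compute-heavy work the post describes the AVX offloading to hardware accelerators, and it is why an inspection appliance that has to do this itself falls over under encrypted load.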

There is little doubt this will remain a critical issue for IT in the months and years ahead. We’re happy that we at Array are able to provide a cost-effective and high-performance solution that doesn’t require more dedicated security appliances or expensive network brokers. In addition to The Tolly Group’s report (which you can download here: https://www.arraynetworks.com/search-offers/Tolly-SSL.php), you can also find out more about SSL offloading on our own website here: https://www.arraynetworks.com/functions-ssl-intercept.html.

Milind Kulkarni