Test SSL Performance: Inbound and Outbound
by Scott Register

Performance of SSL-processing devices is a major concern for online retailers, banks, and other enterprises. These organizations have found it crucial to understand the exact performance and security impact that SSL processing will have on business. The challenge of testing SSL performance is also twofold, because companies must be concerned with handling network traffic in two directions – inbound and outbound.
For those who own sensitive information and need to publish it over secure connections, understanding the throughput, concurrent session capacity, and connection setup rate is critical to validating the performance of their business-critical gear. And for those concerned about data leakage or the transmission of malware over SSL connections, the ability to intercept, decrypt, process, and re-encrypt data with minimal additional latency or connection drop is essential to understanding both the performance of their security devices and the impact on user traffic. Increasingly, enterprises are forced to inspect even encrypted outbound user traffic to mitigate business risk. For example, Google Gmail shifted to all-SSL connections in 2010, and in an earlier post I discussed the implications of Facebook’s rollout of secure connections.
Today I will review some of the ways companies can test the performance and security of SSL devices and systems effectively and at massive scale. Additionally, I’ll be looking at some of the very latest SSL enhancements we have made in our product, which were delivered over our past few firmware releases. As usual, we’ve made these enhancements via routine updates, without requiring any new purchases from our customers.
Simulate TCP-based protocols in SSL
Recently, we introduced a new flexible architecture and shifted our SSL handshake processing into our onboard cryptographic processor. This update, which accommodates essentially any TCP protocol inside SSL with ease, dramatically improves SSL performance without increasing user effort.
For example, if you want to generate secure SMTP messages, just add a “Start TLS” action to an existing SMTP Super Flow (BreakingPoint’s automated container for individual traffic flows and the specifications for these flows):
SSL bulk encryption at unprecedented speeds
Additionally, we’ve added radical enhancements in throughput, which allow organizations with large networks to test their SSL delivery infrastructure at speeds never before possible. We are able to provide this through hardware support for bulk encryption. This means that the heavy lifting of encrypting and decrypting user data is now done using specialized, highly efficient cryptographic accelerators. Let’s look at a direct example of what that means for users.
In the past, our software-based encryption module could deliver about 150 megabits per second (Mbps) of traffic using the 3DES cipher or 560 Mbps of traffic running the AES128 cipher. Those numbers were good, but now we’ve blown the doors off of them. After our latest release, we can deliver 3.72 gigabits per second (Gbps) on either the 3DES cipher or the AES128 cipher – improvements of 2,349% and 564%, respectively!
Those numbers are calculated using our BreakingPoint Storm CTM blade, but for even better performance, you can upgrade to our new FireStorm blade, which delivers over 8 Gbps of any cipher. The chart below lets you see the SSL performance comparisons:
A note about these performance numbers: they represent the total amount of cryptographic processing of the blade, combining encryption plus decryption. If all you’re doing is encrypting – for example in a one-armed test directed at an SSL server – you would expect to see this entire amount as outgoing encrypted traffic on the wire. If you’re running a two-armed test that both encrypts and decrypts traffic – for example, to validate the SSL handling of a security device – then you would see about half this amount.
Choose your SSL testing approach: “discard” or “decrypt”
To further improve our cryptographic performance, we’ve added special intelligence to our decryption capabilities. In some scenarios you may want to test the SSL forwarding capabilities of a network device such as a standard firewall or router, which doesn’t alter SSL-encrypted traffic in any way. You need to ensure that the traffic was received correctly at the other end, but if it’s unchanged, then there’s no reason to actually decrypt the data. We’ve added a new “discard” mode that accounts for the received traffic but doesn’t actually decrypt it, which yields further performance increases (up to 40%).
This complements our existing “decrypt” mode, which actually decrypts every received byte and can perform actions such as conditional responses based on the decrypted data. The decrypt mode is especially important if you are testing a device such as an intermediate SSL proxy, which might alter the data in some way. When configuring a test, the best choice is to select “Auto” for the decryption mode in the Super Flow setup, which lets your BreakingPoint CTM intelligently decide which mode to use based on your test:
Below are some common testing scenarios that use the different modes. “Decrypt” is represented by the detective icon, while “Discard” is represented by the trash can.
If you’re setting up an SSL test on your own BreakingPoint CTM, here are a few helpful notes:
- We’ve added a number of Presets (see screenshot below) that you can select for best performance without having to do any tweaking. We update these Presets in our regular ATI updates or firmware releases to account for any changes or enhancements we make.
- Our encryption processors are multicore, so you’ll get the best performance with 2,000-10,000 concurrent flows, which makes sure that all the cores are engaged. A small number of flows won’t keep them all busy.
- We allocate system resources based on the number of ports reserved for a test, so reserving all the ports on a blade will give you all the computing resources for your test.
The screenshots below show you how easy it is to select Presets:
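The three metrics the post calls out (throughput, concurrent session capacity, and connection setup rate) can be measured on any TLS endpoint with a small load generator. The following Go program is an added example written for this page, not BreakingPoint code: it stands up a loopback TLS server using a self-signed certificate it generates in-process (constructed test material), then drives it with a configurable number of concurrent client flows. Each flow completes a handshake, sends a fixed payload, and waits for the server to acknowledge how many bytes it decrypted, which is the "decrypt" style of verification described above. The function and type names (RunSSLLoadTest, Result, oneFlow) are this example's own. The `workers` parameter plays the role of the concurrent-flow count; as the note on multicore crypto engines says, a handful of flows will not keep a parallel crypto stage busy, so rates only become meaningful at higher concurrency.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"sync/atomic"
	"time"
)

// Result holds the counters for one run: the metrics an SSL test reports.
type Result struct {
	Handshakes    int64 // completed TLS connection setups
	BytesReceived int64 // plaintext bytes the server confirmed decrypting
	Elapsed       time.Duration
}

func (r Result) SetupRate() float64  { return float64(r.Handshakes) / r.Elapsed.Seconds() }      // conns/s
func (r Result) Throughput() float64 { return float64(r.BytesReceived) * 8 / r.Elapsed.Seconds() } // bit/s

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// example runs offline. Constructed test material, not a real credential.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ssl-load-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// oneFlow is a single client session: handshake, send payload, half-close,
// then read the server's 8-byte big-endian count of bytes it decrypted.
func oneFlow(addr string, cfg *tls.Config, payload []byte, handshakes, received *int64) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if err := conn.Handshake(); err != nil { // no-op if Dial already finished it
		return err
	}
	atomic.AddInt64(handshakes, 1)
	if _, err := conn.Write(payload); err != nil {
		return err
	}
	if err := conn.CloseWrite(); err != nil { // close_notify so the server sees EOF
		return err
	}
	var acked int64
	if err := binary.Read(conn, binary.BigEndian, &acked); err != nil {
		return err
	}
	if acked != int64(len(payload)) {
		return fmt.Errorf("server decrypted %d bytes, client sent %d", acked, len(payload))
	}
	atomic.AddInt64(received, acked)
	return nil
}

// RunSSLLoadTest runs `workers` concurrent client goroutines, each opening
// `connsPerWorker` TLS connections and sending `bytesPerConn` bytes on each.
// The server reads through tls.Conn, so every byte it counts was decrypted.
func RunSSLLoadTest(workers, connsPerWorker, bytesPerConn int) (Result, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed at end of run
			}
			go func() {
				defer c.Close()
				n, _ := io.Copy(io.Discard, c)     // decrypt-and-count until client half-closes
				binary.Write(c, binary.BigEndian, n) // acknowledge the decrypted byte count
			}()
		}
	}()

	cfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}
	addr := ln.Addr().String()
	payload := make([]byte, bytesPerConn)
	var handshakes, received int64
	errCh := make(chan error, workers)
	var wg sync.WaitGroup
	start := time.Now()
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < connsPerWorker; i++ {
				if err := oneFlow(addr, cfg, payload, &handshakes, &received); err != nil {
					errCh <- err
					return
				}
			}
		}()
	}
	wg.Wait()
	elapsed := time.Since(start)
	select {
	case err := <-errCh:
		return Result{}, err
	default:
	}
	return Result{Handshakes: atomic.LoadInt64(&handshakes), BytesReceived: atomic.LoadInt64(&received), Elapsed: elapsed}, nil
}

func main() {
	r, err := RunSSLLoadTest(64, 20, 64*1024)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d handshakes, %.0f conns/s, %.1f Mbit/s decrypted\n", r.Handshakes, r.SetupRate(), r.Throughput()/1e6)
}
```

Because the client and server share one host here, the numbers it prints reflect the machine's own crypto capacity, which is exactly the one-armed versus two-armed distinction made earlier: the same host is doing both the encryption and the decryption, so the figure is aggregate cryptographic work, not one-directional wire rate. Pointing the client at a device under test instead of the built-in listener turns it into a simple inbound SSL test.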
If SSL performance is important to your business, you know how hard it can be to test it effectively. But our SSL testing capabilities make it much easier, allowing you to validate SSL devices and systems under real-world conditions and on a massive scale before you deploy them into your production environment.
Related Content:
Facebook Rolls Out HTTPS: What It Means for Enterprises and Equipment Manufacturers
Accelerating Development: What We Mean