on 25-Feb-2014 03:00
#sdas #infosec #ssl #DDoS #webperf
SSL, like all cryptography-based systems (and, much to our chagrin, many security solutions) consumes a lot of resources. The longer the key lengths and the more complicated the key exchange, the more resources must be allocated to accomplishing both the handshake that establishes a secure connection and the ensuing bulk encryption of data traversing the wire. While PFS (Perfect Forward Secrecy) is a good response to concerns over the privacy of web-based conversations, the need to generate a new ephemeral key on a per-message basis is going to cost some CPU cycles. Even dropping back to not-so-perfect Forward Secrecy, where new ephemeral keys are generated on a per-conversation basis, will net you some extra latency.
If you're interested in getting a picture of SSL and TLS as well as key length and cipher preferences across the top sites on the Internet, I'd encourage a read of researcher Julien Vehent's analysis posted in "SSL/TLS analysis of the Internet's top 1,000,000 websites". Julien's thorough analysis also includes adoption/preferences of PFS including cipher selection and key lengths.
Likewise, protecting users (and corporate resources) by leveraging a secure web gateway (forward proxy) that performs URL inspection against known phishing, malware hosting, or other unseemly sites, is going to cost you.
And, in case you weren't keeping track of how many security services can take up time, full time DDoS detection also consumes cycles on multiple data center devices. The need to inspect every packet, every session and sometimes every message means a lot of inspection, which requires active participation in the data path.
Basically, thorough security requires resources.
While much of the focus of application performance ends up on protocols and practical content-level tweaks, security is a contributing factor to the overall speed (and ultimately, availability) with which both inbound and outbound content is delivered to users. Improving the speed with which these necessary security services execute is important to maintaining acceptable application performance. If you aren't convinced, consider that application performance directly impacts a variety of the metrics used to measure business health and success such as employee productivity, customer satisfaction, and workflow efficiency.
One of the ways in which F5 Synthesis addresses the need for speedy security is to continually improve upon the execution efficiency of its services. This is not just a nice-to-have; it is an imperative. You may recall a 2011 survey in which "81 percent of respondents admit to shutting off security functionality to improve network performance, despite acknowledging that security is more important." It is exactly such choices we're trying to avoid forcing customers to make. You shouldn't have to choose one or the other.
That's why we take advantage of hardware acceleration whenever possible, such as is the case with DDoS detection. A variety of DDoS threat vectors can be effectively "hard coded" into hardware and execute with greater speed and efficiency than the same inspection executed in software alone. With the release of Synthesis v1.5, we've added 15 more DDoS vectors to our existing list of hardware-accelerated DDoS services. That means 54 hardware-accelerated vectors to improve the speed with which we can detect and mitigate DDoS attacks. Combined with enough connection capacity to serve every Internet user on the planet, we can minimize (and sometimes obviate) the negative impacts of both load (operational axiom #2) and the extra cycles needed for security.
We've also paid attention to performance while bringing PFS (Perfect Forward Secrecy) for SSL services to Synthesis. In addition to hardware acceleration to improve DHE and RSA for PFS, our services can take advantage of new Intel-based hardware cryptographic acceleration chips that assist with ECC (Elliptic Curve Cryptography) based cipher suites. We've also added some magic under the hood of our own to ensure that, despite the increased consumption of resources required by PFS to generate new ephemeral keys much more often, we can keep the latency induced by the cryptographic routines to a minimum, ensuring fast - and secure - communications.
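To make the two points above concrete (the per-connection key work PFS adds, and the preference for ECC suites that acceleration hardware handles well), here is an added Go example that is not F5's code: it builds a tls.Config restricted to ECDHE suites with P-256 first, checks that no static-RSA suite slipped into the list, and times a single P-256 ephemeral exchange between two simulated peers. The function names are my own; run EphemeralExchange in a loop to see the per-connection CPU cost the post describes.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
	"time"
)

func PFSConfig() *tls.Config { // only ECDHE suites: every connection gets a fresh key
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.X25519}, // P-256 first: widest accelerator support
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// AllEphemeral returns false if any suite uses static RSA key transport, which gives up forward secrecy.
func AllEphemeral(cfg *tls.Config) bool {
	for _, id := range cfg.CipherSuites {
		if !strings.Contains(tls.CipherSuiteName(id), "ECDHE") {
			return false
		}
	}
	return len(cfg.CipherSuites) > 0
}

// EphemeralExchange does the per-connection work PFS adds: both peers make a fresh P-256 key pair and derive the shared secret.
func EphemeralExchange() (client, server []byte, cost time.Duration, err error) {
	start := time.Now()
	ck, errC := ecdh.P256().GenerateKey(rand.Reader) // client's single-connection key
	sk, errS := ecdh.P256().GenerateKey(rand.Reader) // server's single-connection key
	if errC != nil || errS != nil {
		return nil, nil, 0, errors.Join(errC, errS)
	}
	client, errC = ck.ECDH(sk.PublicKey())
	server, errS = sk.ECDH(ck.PublicKey())
	return client, server, time.Since(start), errors.Join(errC, errS)
}

func main() {
	c, s, cost, err := EphemeralExchange()
	fmt.Println("ECDHE only:", AllEphemeral(PFSConfig()), "secrets agree:", string(c) == string(s), cost, err)
}
```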
In addition to souping up security performance on the inbound side, we've also ensured Synthesis' new Secure Web Gateway service is able to keep up with user expectations. Internet access isn't just a perk anymore, in most cases it's a necessary part of the job. And yet the danger to the business is clear:
Enterprises will spend $114bn dealing with malware-related cyber attacks this year, according to a recent report by Microsoft and the IDC.
According to the study, losses caused by data breaches can add up to as much as $350bn. Causes behind enterprise system infections included a lack of software updates by IT admins and the use of counterfeited software by end users, says Redmond's report.
The need to scan and secure outbound-initiated web access is critical to minimizing not just potential damage from malware but the often subsequent data losses that follow. Just as network DDoS attacks are often used to mask more malevolent activity at higher layers of the stack, malware is not always the primary attack but merely the forward scouts, setting up for an attack much more damaging.
Secure Web Gateway services can be used to scan and secure outbound access to applications and sites that, despite the best efforts of employees, may still house malware or other unsafe content. And yet it is unacceptable to impose a high performance penalty for security, lest organizations be forced - as with inbound security - into a security versus performance decision. That's why we've made sure that the performance of our Secure Web Gateway service is optimized.
Whether you're trying to secure inbound or outbound - or both - traffic, F5 Synthesis Software Defined Application Services (SDAS) are designed with performance in mind. As part of our latest release of F5 Synthesis, we've increased performance of security services to ensure you don't have to choose between fast or secure; you - and your users - can have both.
Survey: IT Security Managers Favoring Performance Over Security, SecurityWeek, July 2011