How the Balance Between Security Devices in Proxy Mode Can Affect Network Performance

How the Balance Between Security Devices in Proxy Mode Can Affect Network Performance

The almost exponential growth over the past decade of cyber attacks on various types of applications has strengthened the need for an improved perimeter network security infrastructure that can monitor and block any kind of traffic. Next-generation security device manufacturers (NGFW) understand the need for deep inspection and have gone beyond the transport-level firewalls to the level of applications for the web, e-mail, file transfer, and so on.

  • The next big problem that such security devices face is the quality of inspection when the amount of encrypted traffic increases. To ensure that security devices catch all traffic, including encrypted traffic, they must be implemented in the proxy mode when performing intrusion prevention tasks. Implementing a proxy for security usually involves reducing performance and delay.
  • The effectiveness of security checks encrypted traffic is undeniable. However, history has shown that any inline security device that introduces significant delays is either reserved or moved out-of-band after a certain time. Here we will discuss the implementation of the proxy, the overhead that they add to the network, test scenarios that can help detect such performance impacts, as well as tips and recommendations for better implementation of the proxy.

What is a proxy?

Simply put, a proxy is a computer or device that mediates between two systems, such as:

  • Hosts in a secure network and the Internet;
  • Internet clients and servers on a private network.

The proxy terminates any connection initiated by the client and opens a new connection between itself and the server. This helps the proxy to achieve several goals as an intermediary, such as client authentication, load balancing between multiple servers, faster responses through caching mechanisms, and most importantly, security through traffic validation.

Example 1

Here we will focus on security devices and the effect of enabling proxy mode on them.

Proxy operation for security

  • To achieve security objectives, the security device needs to monitor all sessions, analyze each downloaded file, detect any malicious activity, and prevent threats from reaching protected targets. Now that most of the Internet traffic is encrypted, it is required that security devices are deployed in proxy mode to effectively inspect all this encrypted traffic.

For this you have to pay with performance – below are listed several operations that affect performance in security devices in proxy mode, but are necessary for security tasks:

  1. Opening two separate connections for each incoming connection: one from the connection initiator to the proxy, and the other from the proxy to the destination;
  2. Interception of encrypted SSL traffic and decoding of all payloads, checking of all traffic, again encrypting and sending to the addressee;
  3. Based on the check – blocking/reporting any suspicious traffic, while ensuring the smooth passage of legitimate traffic.

Effect of Proxy Inclusion on Performance

  • The deep inspection feature makes proxy security devices the main bottleneck (the so-called bottleneck) and can lead to performance degradation throughout the network.
  • Due to strong SSL encryption and large key sizes, a proxy can affect performance, even if the network operates at 10% of the maximum capacity.
  • Performance degradation in most cases is accompanied by errors caused by packet retransmission, session-delay, TCP Retries and Timeouts, and Packet Drop.

Tests demonstrating the impact of proxy activation on performance

  • To make the proxy firewall (FW) more reliable and efficient when processing these bottleneck, it is necessary to test and test them before implementation. Below are the serious delays that occur when the proxy mode is enabled on security devices.

Scenario 1: Proxy without SSL. HTTP GET with a response of 200OK with a page size of 44 KB. IXIA BreakingPoint is used for the test to simulate HTTP clients and servers with a security device in the middle. The purpose of the test is to achieve the maximum number of unique TCP / HTTP sessions per second. To understand the effect of proxy performance, proxy mode and inspection for the testing time were enabled.

Observation 1: The average response time for a TCP response, when the device is running without and with the proxy mode, is more than 22 times different.

Example 2

Observation 2: The average duration of the TCP session is increased by 225 times if you compare the operating mode of the device without and with the proxy.

Example 3

Scenario 2: Similar to the scenario described above, except that now the HTTP-GET 44KB page is encrypted with the TLS1.1 session.

Observation 1: with encrypted traffic, in proxy mode, there is an increase in the TCP response time by 20 times. [Note. In general, the TCP response time is higher for encrypted traffic due to the delay that the proxy makes, which spends more resources to handle this traffic].

Example 4

Observation 2: The average duration of a TCP session increases in a staggering 400 times.

Example 5

Tips for implementing an effective proxy

1. Choosing the right manufacturer

  • The hardware and software are constantly optimized for better proxy processing. The so-called “offloading” and methods for allocating allocated resources increase the effectiveness of the proxy mode in security devices. Customers should be aware of this and compare the characteristics of security devices in proxy mode, as one of the criteria for choosing a manufacturer.

2. Choosing the Right Encryption and Encryption Methods, When Possible

  • The choice of ciphers that the client or server uses can not always be controlled by security professionals, but they must ensure, where possible, that encrypted traffic uses the most efficient ciphers that provide better performance without compromising security (for example, ECDHE-ECDSA 256 -bit for the exchange of public keys).

3. Use different levels of encryption on the protected and unprotected sides

  • Proxy, according to the design, should work with two separate connections. A secure-side connection that normally opens between the proxy server and the destination host can provide lower TLS encryption, as it is behind the perimeter devices/perimeter. The user can choose a lower encryption or no encryption on the protected side. This will improve the efficiency of one of the two connections and, therefore, improve the overall performance of the security device in proxy mode.
Example 6

Conclusions

The two tests described here demonstrate the extreme effect of the proxy mode in security devices. On the other hand, increased security of inline devices in proxy mode reduces security risks. The organizations no longer want to increase security risks, even if this means better performance, so we see a large introduction of the proxy mode in security devices. When we implement a proxy in security infrastructures, efficient and efficient deployment and better characteristics of security devices will help reduce the impact of the proxy on network performance, and thus business efficiency.

Additional resources:

  1. https://www.ixiacom.com/
  2. https://www.ixiacom.com/products/breakingpoint
  3. https://www.ixiacom.com/products/breakingpoint-ve
  4. https://www.ixiacom.com/products/breakingpoint-aws