Rakesh Kumar
Senior QA Engineer II
Blog

A Balancing Act: Security Devices in Proxy Mode Vs. Impact on Network Performance

July 12, 2017 by Rakesh Kumar

An almost exponential rise of cyber attacks in the past decade over different types of generic applications has reinforced the need for enhanced network perimeter security infrastructure that can inspect and block any type of traffic. Next-generation security device vendors understand the need of deep inspections and have moved beyond transport-layer firewalling to the application layer for web, email, file transfer, and the like.

The next big challenge that such security devices face is to continue their vigil over the increased volume of encrypted traffic. To ensure that the security devices catch all traffic, including the encrypted ones, they must be deployed in proxy mode while performing intrusion prevention tasks. Proxy implementation for security purposes generally introduces performance reductions and latencies.

The security effectiveness of inspection of encrypted traffic is unquestionable. However, history has shown that any inline security device that introduces significant delays over a business path is either made redundant or moved out-of-band over a period of time. In this blog, we will discuss implementation of proxies, the overhead they introduce on the network path, test scenarios that can help detect such performance impacts, and tips and tricks for better implementation of proxies.

What is Proxy?

Simply put, a proxy is a computer or a device that acts as an intermediary between two systems like:

  • Hosts on a protected network and the Internet
  • Internet clients and servers on a private network

A proxy terminates any connection initiated by a Client and reopen a corresponding fresh connection between itself and the server. This helps the proxy achieve several objectives as an intermediary, like authenticating a client, load balancing across multiple servers, faster responses through caching mechanisms, and most importantly, security through traffic inspections.

1

In this blog, we concentrate on the security devices and impact of enabling proxies on them.

Proxy Operations for Security

To achieve security goals, a network security device needs to keep track of all the sessions, analyze every downloaded file, detect any malicious activities, and prevent threats from reaching the protected destinations. With most of the world’s Internet traffic now encrypted, it necessitates that security devices be deployed only in proxy mode to effectively inspect active encrypted traffic. This introduces performance penalties; listed below are few major performance-impeding operations that proxy-enabled security devices have to perform to achieve the security goals.

  1. Open two separate connections for each incoming connection, one from the connection initiator to the proxy and the other from the proxy to the destination
  2. Intercept the encrypted SSL traffic and decrypt all the payloads, inspect all traffic, re-encrypt, and send to the destination
  3. Based on inspections, block/report any suspicious traffic, while ensuring seamless flow of legitimate traffic

Impact of Enabling Proxy on Performance

The deep inspection functionality makes proxy-enabled security devices the prime bottleneck and may lead to performance degradation of the entire network.

With strong SSL ciphers and large key sizes, the proxy can impact performance even when the network is operating at as low as 10 percent of its maximum capacity.

Performance reductions are most times also accompanied with errors caused by packet reordering, session-delay, session-failure (TCP Retries and Timeouts) and transaction failures (Packet Drop).

Tests Showcasing the Performance Impacts of Enabling Proxy

To make the proxy-FW more robust and efficient in handling these bottlenecks, it is necessary to test and validate them before deploying to the production environment. The below data demonstrates the intensive delays introduced when a proxy is enabled on security devices.

Scenario 1: Non-SSL proxy. An HTTP GET with a response of 200OK with a 44KB page size. For the test, we are using Ixia’s BreakingPoint to simulate the HTTP Clients and Servers with a security device in the middle. The test objective is to achieve the max number of unique TCP/HTTP sessions per seconds. To understand the impact of proxy performance, we enable proxy and inspection while the test is running.

Observation 1: Average TCP response time when the device is running without proxy and with proxy, note that more than ~22-fold increase in the response time.

2

Observation 2: Average TCP Session duration when the device is running without proxy and with proxy, note that ~225-fold increase in the session duration.

3

Scenario 2: Similar to the above scenario except the HTTP 44KB GET page is now encrypted through a TLS1.1 session

Observation 1: With encrypted traffic, there is a ~20-fold increase in the TCP response time with proxy. [Note: In general, the TCP response time is higher for encrypted traffic due to the higher processing involved with encrypted traffic and proxy is adding up to the latencies]

4

Observation 2: Average TCP Session duration however increases by a staggering ~400-fold

5

Tips on Implementation of Efficient Proxies

  1. Selecting the right vendor

Hardware and software are consistently being optimized to better handle proxies. Offloading and dedicated resource provisioning techniques have increased proxy efficiencies in some security devices. Customers need to be aware of this and compare security vendor’s proxy performances as one of the vendor selection criteria.

  1. Selecting the right ciphers and encryption strategies when possible

The choice of ciphers that the client or server uses may not always be controlled by the security team, however, wherever possible they should ensure the encrypted traffic uses the most efficient ciphers that provide higher performance without compromising the security (ex. ECDHE-ECDSA with 256 curve for public key exchange).

  1. Use different levels of encryption at protected and unprotected sides

Proxies by design need to operate with two separate connections. The protected-side connection that is usually opened between the proxy and the terminating endpoint can afford a lower TLS encryption as it is behind the security devices. The user can choose to have lower encryption or no encryption at the protected side. This will increase the efficiency of one of the two connection and hence improve overall proxy performance.

6

Conclusion

The two tests outlined in this blog demonstrate the extreme performance impacts of proxies in security devices. On the other hand, the overwhelming security efficacy of inline proxies means avoiding them would lead to increased security risks. Organization are no longer choosing to elevate security risk, even if it means better business performance, thus we see a greater adaption of proxies in security devices. As we embrace proxies in our security infrastructures, effective and efficient deployment and better security device performances will help reduce the impact of proxies on business performance.

Author’s Note: This blog is co-written with my colleague Amritam Putatunda.