Factors impacting Next Generation Firewall (NGFW) performance
Every well-meaning organization strives to achieve higher security with minimal impact on its regular business. The same is true of NGFW vendors, who always aspire to provide higher performance together with greater security.
Unfortunately, any device that adds security will almost certainly add some delay. Security vendors and customers alike are seeking ways to minimize delays that could impact business operations. In my years of involvement with network and security solutions, I have found a few common factors that affect the performance of NGFWs. NetSecOPEN, the network security performance standards group, is coming closer to defining a common methodology for testing NGFWs. The goal of this post is to outline some of the key performance factors so that organizations can optimize configurations and maximize security effectiveness.
- Average packet size: Different applications behave differently because they serve distinct purposes, and that behavior determines packet size. A network carrying a high proportion of bulk-transfer applications, such as large downloads or video streaming, generally needs more bandwidth than one dominated by small-packet, high-transaction applications such as voice calls, chat, or other control-plane-heavy apps.
- Concurrency/Memory: Some applications open multiple concurrent sessions per application transaction. Most security devices need to allocate additional resources for each active session. Unfortunately, a significant spike in concurrent sessions can severely drain resources from NGFWs.
By monitoring application behavior, organizations can identify which applications are throughput-heavy and which are memory-heavy (session-heavy), and, weighing their business value, tune network security for those applications accordingly.
Rules: Every security device has a set of rules or access control lists that are evaluated sequentially. Almost all traffic received by an NGFW is walked through the rules until a match is found. A large number of complex, rarely matching rules at the top of the list can significantly slow down application traffic. Arranging rules in order of priority, with the most frequently matched rules first, can significantly improve performance.
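To make the rule-ordering point concrete, here is an added Python example (not from the original post or any vendor's firewall): it simulates first-match evaluation of a constructed rule list against a constructed traffic mix, counts how many rules each packet touches, and then moves frequently hit rules up only where doing so cannot change any decision. Rule names, ports and traffic counts are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    proto: "str | None" = None      # None matches any protocol
    dport: "range | None" = None    # None matches any destination port

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto) and
                (self.dport is None or pkt["dport"] in self.dport))

    def overlaps(self, other):  # could a single packet match both rules?
        if self.proto and other.proto and self.proto != other.proto:
            return False
        if self.dport is None or other.dport is None:
            return True
        return self.dport.start < other.dport.stop and other.dport.start < self.dport.stop

def evaluate(rules, traffic):
    """First-match walk per packet; returns (decisions, hits per rule, avg rules examined)."""
    decisions, hits, examined = [], {r.name: 0 for r in rules}, 0
    for pkt in traffic:
        for i, r in enumerate(rules, 1):
            if r.matches(pkt):
                decisions.append(r.action); hits[r.name] += 1; examined += i
                break
        else:  # nothing matched: implicit default deny after walking every rule
            decisions.append("deny"); examined += len(rules)
    return decisions, hits, examined / len(traffic)

def reorder_safely(rules, hits):
    """Move hot rules up, but a rule may only pass another if the two cannot both
    match a packet or share an action; otherwise some packet's decision changes."""
    ordered = []
    for r in rules:
        pos = len(ordered)
        while pos and hits[ordered[pos - 1].name] < hits[r.name] and (
                ordered[pos - 1].action == r.action or not ordered[pos - 1].overlaps(r)):
            pos -= 1
        ordered.insert(pos, r)
    return ordered

# Constructed policy (specific denies on top, broad allows below) and a constructed 100-packet mix.
RULES = [Rule("block-telnet", "deny", "tcp", range(23, 24)), Rule("block-smb", "deny", "tcp", range(445, 446)),
         Rule("allow-web", "allow", "tcp", range(80, 81)), Rule("allow-tls", "allow", "tcp", range(443, 444)),
         Rule("allow-dns", "allow", "udp", range(53, 54)), Rule("allow-tcp-any", "allow", "tcp")]
TRAFFIC = ([{"proto": "tcp", "dport": 443}] * 50 + [{"proto": "udp", "dport": 53}] * 30 + [{"proto": "tcp", "dport": 80}] * 10
           + [{"proto": "tcp", "dport": 445}] * 5 + [{"proto": "tcp", "dport": 8080}] * 5)
```

Running evaluate on RULES, reorder_safely on the returned hit counts, and evaluate again on the new order drops the average rules examined per packet from 4.2 to 1.9 with identical decisions; the catch-all allow-tcp-any stays below the deny rules because it overlaps them.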
Security Features: Every individual feature typically requires extra processing time from a security device. Many next generation security appliances come with a variety of features such as deep packet inspection (DPI), proxy, anti-virus, anti-malware, anti-spam, sandboxing, URL filtering, and application identification. Enabling all of them can add delay to packet processing. It is therefore recommended to distribute features across multiple tools. One best practice is to offload the processing-heavy encryption/decryption burden to a visibility device such as a network packet broker.
DPI: Let's analyze the performance impact of DPI in more detail. To implement several features, the security device needs to dig deeper into the application packets looking for interesting patterns and signatures. This is a highly resource-intensive exercise, especially when the packets are encrypted. DPI often needs the complete application flow before it can start inspecting. This means application segments are stored and not forwarded until all segments of that flow have been received, introducing additional jitter and latency. Strategic use of DPI, enabled only for select applications while letting the others pass freely, can significantly improve security device performance.
Subscribers: This one is straightforward: more subscribers mean more concurrency, more throughput, and more endpoints to monitor, which can eventually drain the security tools' resources. Over-subscription is a serious issue that can make devices behave unpredictably and possibly crash. This is why DDoS attacks intentionally oversubscribe network security tools to reach the same outcome. Rightsizing the NGFWs, load balancing multiple NGFWs with a network packet broker, and optimizing configurations can help scale up and seamlessly handle subscriber spikes.
Files and attachments: Most NGFWs perform additional services on files and attachments, such as extraction, hashing, or execution in local or remote sandboxes. These are processor-intensive operations, and a high volume of large attachments can slow down NGFWs. Attachment policies that block certain file types or cap the size of each attachment can improve performance.
This blog post is in no way comprehensive as there are several other factors affecting security devices, as well as additional tips and tricks to optimize their performance.
It is heartening to see an industry organization like NetSecOPEN, with a wide range of tool vendors, test labs and security product vendors as members, take on this formidable yet vital effort.
Keep an eye on this section for upcoming related topics and discussions.