Size the Decryption Firewall Deployment
Decryption consumes firewall CPU resources, so it’s important
to evaluate the amount of SSL decryption your firewall deployment
can support and decide what to do if you need more power to support
your desired decryption deployment.
Decrypting encrypted traffic consumes firewall CPU resources
and can affect throughput. In general, the tighter the security
(the more SSL traffic you decrypt combined with the more stringent
your protocol settings), the more firewall resources decryption
consumes. Work with your Palo Alto Networks SE/CE to size your firewall
deployment and avoid sizing mistakes. Factors that affect decryption
resource consumption and therefore how much traffic the firewall
can decrypt include:
- The amount of SSL traffic you want to decrypt. This varies
from network to network. For example, some applications must be
decrypted to prevent the injection of malware or exploits into the
network or unauthorized data transfers, some applications can’t be
decrypted due to local laws and regulations or business reasons,
and other applications are cleartext (unencrypted) and don’t need
to be decrypted. The more traffic you want to decrypt, the more
resources you need.
- The TLS protocol version. Higher versions are more secure but
consume more resources. Use the highest TLS protocol version you
can to maximize security.
- The key size. The larger the key size, the better the security,
but also the more resources the key processing consumes.
- The key exchange algorithm. Perfect Forward Secrecy (PFS) ephemeral
key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve
Diffie-Hellman Ephemeral (ECDHE) consume more processing resources
than Rivest-Shamir-Adleman (RSA) key exchange. PFS key exchange algorithms
provide greater security than RSA key exchange because the firewall
generates a new, ephemeral cipher key for each session, but generating
that key consumes more firewall resources. The benefit is that if an
attacker compromises one session key, PFS prevents the attacker from
using it to decrypt any other sessions between the same client and
server, whereas RSA key exchange does not.
- The encryption algorithm. The key exchange component of the cipher
suite determines whether the suite is PFS-based or RSA-based.
- The certificate authentication method. RSA authentication (not the RSA key
exchange algorithm) consumes fewer resources than Elliptic Curve
Digital Signature Algorithm (ECDSA) authentication, but ECDSA is more secure.
The combination of the key exchange algorithm and the certificate authentication
method affects throughput performance, as shown in RSA and ECDSA
benchmark tests. The performance cost
of PFS trades off against the higher security that PFS achieves,
but PFS may not be needed for all types of traffic. You can save
firewall CPU cycles by using RSA for traffic that you want to decrypt
and inspect for threats but that isn’t sensitive.
- Average transaction sizes. For example, small average transaction
sizes consume more processing power to decrypt. Measure the average
transaction size of all traffic, then measure the average transaction
size of traffic on port 443 (the default port for HTTPS encrypted
traffic) to understand the proportion of encrypted traffic going
to the firewall in relation to your total traffic and the average
transaction sizes. Eliminate anomalous outliers such as unusually
large transactions to get a truer measurement of average transaction
size.
- The firewall model and resources. Newer firewall models have
more processing power than older models.
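The transaction-size measurement described above (overall versus port 443, with anomalous outliers removed) and the PFS/RSA and ECDSA/RSA distinctions can be worked out from session records. The following is an added example, not Palo Alto Networks code; it assumes session records carrying the destination port, bytes transferred and, for TLS sessions, the negotiated cipher suite in OpenSSL naming, and the records below are constructed.

```python
from statistics import mean, median

# Constructed sample sessions: (dst_port, bytes_transferred, cipher_suite or None)
SESSIONS = [
    (443, 18_000, "ECDHE-ECDSA-AES128-GCM-SHA256"),
    (443, 22_500, "ECDHE-RSA-AES256-GCM-SHA384"),
    (443, 9_800, "AES256-GCM-SHA384"),                    # RSA key exchange, RSA auth
    (443, 3_200, "DHE-RSA-AES128-GCM-SHA256"),
    (443, 950_000_000, "ECDHE-RSA-AES256-GCM-SHA384"),    # anomalous bulk transfer
    (80, 12_000, None),
    (80, 4_100, None),
    (53, 300, None),
    (25, 41_000, None),
]

def trim_outliers(sizes, k=5.0):
    """Drop sizes more than k median-absolute-deviations above the median.
    The median/MAD pair is robust to a single huge transfer, which a
    mean/standard-deviation cutoff would not be."""
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1
    return [s for s in sizes if s <= med + k * mad]

def transaction_profile(sessions):
    """Average transaction sizes overall and on port 443, raw and trimmed,
    plus the share of sessions that are HTTPS."""
    all_sizes = [b for _, b, _ in sessions]
    tls_sizes = [b for port, b, _ in sessions if port == 443]
    return {
        "avg_all": mean(trim_outliers(all_sizes)),
        "avg_443_raw": mean(tls_sizes),            # skewed by the outlier
        "avg_443": mean(trim_outliers(tls_sizes)),
        "share_443_sessions": len(tls_sizes) / len(all_sizes),
    }

def classify_suite(name):
    """(key exchange, authentication): DHE/ECDHE prefixes mean PFS key exchange,
    anything else in OpenSSL naming is RSA key exchange; ECDSA auth is explicit."""
    kx = "PFS" if name.startswith(("ECDHE-", "DHE-")) else "RSA"
    auth = "ECDSA" if "-ECDSA-" in name else "RSA"
    return kx, auth

def cipher_mix(sessions):
    """Count TLS sessions per (key exchange, authentication) class."""
    counts = {}
    for _, _, suite in sessions:
        if suite is not None:
            key = classify_suite(suite)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Comparing avg_443_raw with avg_443 shows how a single large transfer distorts the average the sizing exercise depends on, and cipher_mix shows what proportion of sessions fall in the more expensive PFS and ECDSA classes.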
The combination of these factors determines how decryption consumes
firewall processing resources. To best utilize the firewall’s resources,
understand the risks of the data you’re protecting. If firewall
resources are an issue, use stronger decryption for higher-priority
traffic and use less processor-intensive decryption to decrypt and
inspect lower-priority traffic until you can increase the available
resources. For example, you could use RSA instead of ECDHE and ECDSA
for traffic that isn’t sensitive or high-priority, preserving firewall
resources for PFS-based decryption of higher-priority, sensitive
traffic. (You’re still decrypting and inspecting the lower-priority
traffic, but accepting algorithms that aren’t as secure as PFS in
exchange for a lower computational cost.) The key is
to understand the risks of different traffic types and treat them
accordingly.
Measure firewall performance so that you understand the currently
available resources, which helps you understand whether you need
more firewall resources to decrypt the traffic you want to decrypt.
Measuring firewall performance also sets a baseline for performance
comparisons after deploying decryption.
When you size the firewall deployment, base it not only on your
current needs, but also on your future needs. Include headroom for
the growth of decryption traffic because Gartner predicts that through
2019, more than 80 percent of enterprise web traffic will be encrypted,
and more than 50 percent of new malware campaigns will use various
forms of encryption. Work with your Palo Alto Networks representatives
and take advantage of their experience in sizing firewalls to help
you size your firewall decryption deployment.