06-16-2016 09:15 AM - edited 03-12-2019 06:02 AM
Hello,
I am working on a DMZ design for a public website and I'm trying to find some information on the performance of the SSL decryption on both FirePOWER devices (such as the 7000/8000 series) and for the FirePOWER service on the firewall itself (an ASA 5585-X with SSP10). This would be for the incoming SSL traffic. Without SSL decryption, an IDS would hardly be worth the trouble. I see comments such as "abysmal performance", 80% decrease in firewall throughput if enabled, etc, but no official information from Cisco.
Any thoughts on this?
06-16-2016 09:23 AM
Hi
You are right. From a design point of view, design the network based on the assumption that the throughput will decrease by up to 80%.
If it's a public website with heavy traffic, consider hardware Firepower.
Rate if helps.
Yogesh
06-16-2016 10:12 AM
Thanks, indeed, I am excluding the option where the firewall is doing the decryption. Still, I cannot find details on how the FirePOWER appliances perform with regard to SSL decryption (throughput, sessions, etc.).
06-16-2016 10:27 AM
All the data in terms of throughput would be the same. The only thing is that the Firepower appliances are better equipped in terms of capability.
06-16-2016 11:43 AM
The 80% number is a worst case where all traffic via the firewall is SSL encrypted and the decryption policy causes it all to be decrypted.
An incoming policy to protect a given site or set of sites would normally be looking only at a small subset of the firewall's total traffic load and thus affect overall performance much less.
However there are so many variables and different implementation choices, Cisco doesn't like to just put out a blanket number.
As yogesh mentioned, the hardware appliance will have SSL offload in dedicated hardware (Cavium ASICs if I recall correctly) and perform better for this sort of use case.
06-16-2016 10:58 PM
Without an option to evaluate the real impact of real traffic, I have to assume the worst-case scenario. I know it can be less, maybe 50%, but when asked to offer a guarantee you cannot take chances. Cisco puts out numbers for many things, just not for the SSL decryption on IDS appliances, and that worries me. They do provide SSL decryption throughput for the dedicated SSL appliances. I will probably coerce our Cisco sales engineers to come up with some figures. At this point I'm considering F5s for SSL offloading, as they do provide the numbers and our implementation timeline is quite aggressive (so no time for guessing).
Almost 100% of the firewall traffic will be incoming SSL, with potentially 100k connections per day. It is all just estimates but that's what we have and failure is not an option :(
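The two replies above disagree only on how the 80% figure should be applied: the worst case assumes everything is decrypted, while a policy covering a small share of total traffic costs far less. The following capacity-planning helper is an added example, not code from the thread or from Cisco. It models the "80% drop at 100% decryption" figure as a per-byte cost multiplier (a decrypted byte costs 1/(1-penalty) times an uninspected one) and computes the throughput a device can sustain for a given decrypted share. That cost model, the 10 Gbps baseline and the 1.5 Gbps requirement are assumptions for illustration; the thread gives neither the model nor the figures.

```python
"""Capacity-planning helper for sizing an inspection device that decrypts
inbound TLS.  Added example; not from the thread or from any vendor.

Assumptions (not stated in the thread):
- "penalty" is the fractional throughput loss when 100% of traffic is
  decrypted (the thread's worst case is 0.8, i.e. an 80% drop).
- Decryption cost is a per-byte multiplier: if decrypting everything leaves
  (1 - penalty) of the throughput, each decrypted byte costs 1 / (1 - penalty)
  times a plaintext byte.  Effective capacity is the baseline divided by the
  weighted cost of the traffic mix.  A small decrypted share therefore hurts
  more than a linear interpolation between the two extremes would suggest.
"""
from dataclasses import dataclass


def decrypt_cost_factor(penalty: float) -> float:
    """Relative cost of one decrypted byte versus one plaintext byte."""
    if not 0.0 <= penalty < 1.0:
        raise ValueError("penalty must be in [0, 1)")
    return 1.0 / (1.0 - penalty)


def effective_throughput(baseline_mbps: float, decrypted_fraction: float,
                         penalty: float = 0.8) -> float:
    """Throughput sustainable when `decrypted_fraction` of the offered load is
    TLS that the policy decrypts and the remainder passes uninspected."""
    if not 0.0 <= decrypted_fraction <= 1.0:
        raise ValueError("decrypted_fraction must be in [0, 1]")
    weighted_cost = (decrypted_fraction * decrypt_cost_factor(penalty)
                     + (1.0 - decrypted_fraction))
    return baseline_mbps / weighted_cost


@dataclass
class SizingResult:
    scenario: str
    capacity_mbps: float
    required_mbps: float

    @property
    def fits(self) -> bool:
        return self.capacity_mbps >= self.required_mbps

    @property
    def headroom(self) -> float:
        """Capacity as a multiple of the requirement (1.0 = exactly enough)."""
        return self.capacity_mbps / self.required_mbps


def size_device(baseline_mbps: float, required_mbps: float,
                decrypted_fraction: float, penalties=(0.5, 0.8)) -> list:
    """Evaluate the requirement under each assumed penalty, worst case last."""
    results = []
    for p in sorted(penalties):
        cap = effective_throughput(baseline_mbps, decrypted_fraction, p)
        results.append(SizingResult(f"penalty={p:.0%}", cap, required_mbps))
    return results


if __name__ == "__main__":
    # Constructed figures: a device rated at 10 Gbps, 1.5 Gbps of inbound load
    # that is almost entirely TLS and all of it decrypted (the poster's case).
    for r in size_device(10_000, 1_500, decrypted_fraction=1.0):
        print(f"{r.scenario}: {r.capacity_mbps:.0f} Mbps capacity, "
              f"{'OK' if r.fits else 'UNDERSIZED'} (headroom {r.headroom:.2f}x)")
    # Same device when the protected site is only 10% of total firewall traffic.
    print(f"{effective_throughput(10_000, 0.10):.0f} Mbps when 10% is decrypted")
```

Run it with the real rated throughput of the candidate platform and the measured or estimated inbound load; the worst-case row is the one to hold the vendor to when no published decryption figure exists.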
07-12-2017 04:12 PM
Does anyone have performance numbers about SSL decryption of the new Firepower appliances? Do these appliances already have SSL Offload in hardware?
Thanks in advance!
07-12-2017 06:58 PM
Cisco has not published those numbers at this point.
As far as I know, none of the Cisco appliances (other than the dedicated legacy SSL appliance) have the software that activates the ability to do hardware decryption offload. They have the ASICs inside but the operating system is not yet capable of taking advantage of them.