SSL Performance Problems · ANALYST'BRIEF' SSL#Performance#Problems# SIGNIFICANT#SSL#PERFORMANCE#LOSS#LEAVES#MUCH#ROOM#FOR#IMPROVEMENT#! Author#–#John#W.#Pirc# Overview! In!early!2013,!NSS!Labs!released!the!results!of!its!“Next!Generation!Firewall!Comparative!Analysis!Reports”!(NGFW!

!

ANALYST'BRIEF'

SSL#Performance#Problems#SIGNIFICANT#SSL#PERFORMANCE#LOSS#LEAVES#MUCH#ROOM#FOR#IMPROVEMENT#

!

Author#–#John#W.#Pirc#

Overview!In!early!2013,!NSS!Labs!released!the!results!of!its!“Next!Generation!Firewall!Comparative!Analysis!Reports”!(NGFW!CARs).!As!part!of!the!analysis,!NSS!assessed!the!performance!of!clientLside!secure!sockets!layer!(SSL)!decryption!in!seven!of!the!eight!NGFWs!that!were!included!in!that!voluntary!group!test.!The!resulting!impacts!on!performance!of!SSL!decryption!when!included!as!a!feature!within!the!NGFW,!or!when!offloaded!to!a!separate!SSL!appliance,!were!significant.!!

NSS!research!showed!that!25%!–!35%!of!enterprise!traffic!is!SSL!and,!depending!on!the!industry!vertical,!the!percentage!of!SSL!traffic!can!reach!as!high!as!70%.!NSS!research!also!found!that!2048b!ciphers!caused!a!mean!average!of!81%!in!performance!loss!across!all!vendors!tested.!Certificate!authorities!are!intending!to!cease!issue!of!1024!bit!ciphers!and!will!move!to!2048!bit!ciphers!by!December!31,!2013.!!

Although!the!performance!numbers!are!cause!for!concern,!the!presence!of!malware!within!encrypted!channels!is!a!real,!albeit!relatively!small,!threat!in!enterprise!environments!that!warrants!decryption!and!scanning!as!a!best!practice.!Figure!1!displays!the!aggregated!results!from!the!vendor!tests.!

!!

Figure#1#–#SSL#Performance#Impacts#on#Bandwidth#and#Transaction#per#Second#Loss#

NSS!Labs! SSL!Performance!Problems:!Significant!SSL!Performance!Loss!Leaves!Much!Room!for!Improvement!

!

! ! 2! ! !

NSS!Labs!Findings!• The!average!proportion!of!SSL!traffic!within!a!typical!enterprise!is!25%!–!35%.!• The!NSS!threat!database1!has!uncovered!a!small!percentage!(~1%)!of!malware!using!SSL.!• NSS!research!indicates!that!the!majority!of!threats!that!are!using!SSL!as!a!transport!fall!under!the!targeted!

persistent!attack!(TPA)!category.!!• The!mean!average!of!performance!loss!across!7!NGFW’s:!

~74%!with!512b!and!1024b!ciphers!~81%!with!2048b!ciphers.!

• The!mean!average!of!transactions!per!second!(TPS)!loss!across!7!NGFW’s:!~86.80%!with!a!512b!cipher!~87.79%!with!a!1024!cipher!~92.28%!with!a!2048!cipher!

• The!Sourcefire!NGFW!had!the!highest!rated!TPS!performance.!However,!Sourcefire!was!the!only!vendor!that!used!a!dedicated!SSL!appliance.!

• The!Dell!SonicWALL!SuperMassive!E10800!NGFW!had!the!highest!rated!TPS!performance!with!onboard!SSL!decryption.!

• Juniper!was!rated!the!best!with!regards!to!performance!loss!and!reduction!in!TPS.!• All!vendors!had!significant!performance!issues!and!TPS!loss!with!2048b!ciphers.!• NSS!has!concerns!for!the!viability!of!SSL!inspection!in!enterprise!networks!without!the!use!of!dedicated!SSL!

decryption!devices.!

! !

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

1!Our!database!is!a!collection!of!malware!samples!that!are!collected!in!realLtime!from!around!the!world.!


!

! ! 3! ! !

NSS!Labs!Recommendations!• Enterprises!are!advised!to!review!the!performance!ratings!of!SSL,!in!order!to!decide!which!platform!meets!

their!performance!requirements.!!Additionally,!NSS!recommends!that!a!platform!be!tested!before!a!purchasing!decision!is!made.!!

• Enterprises!should!measure!the!SSL!traffic!in!their!current!network!environment!in!order!to!allow!for!future!capacity!planning.!An!average!yearly!increase!of!~20%!in!SSL!traffic!should!be!expected.2!

• Consideration!should!only!be!given!to!products!that!support!the!creation!of!rules!for!bypassing!SSL!decryption!based!on!URL!categories,!such!as!healthcare,!banking,!and!mobile!apps!that!contain!sensitive!and!personal!information.!Depending!on!an!organization’s!network!traffic,!this!could!substantially!reduce!performance!loss!and!assist!with!an!organization’s!compliance!with!national!privacy!laws.!

• Enterprises!should!seek!to!offset!the!SSL!risk!by!deploying!endpoint!security!solutions!and!breach!detection!solutions!that!are!behaviorLbased,!and!that!are!able!to!detect!command!and!control!(C&C)!and!malware!callbacks!via!SSL.!

• Enterprises!should!educate!users!about!the!dangers!of!accepting!a!selfLsigned!and!nonLvalid!certificate,!in!the!same!way!they!would!educate!about!SPAM!and!phishing.!

! !

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2!http://www.bluecoat.com/sites/default/files/documents/files/How_to_Gain_Visibility_and_Control_of_Encrypted_SSL_Web_Sessions.a.pdf!


!

! ! 4! ! !

Table#of#Contents#

Overview#................................................................................................................................#1!

NSS#Labs#Findings#....................................................................................................................#2!

NSS#Labs#Recommendations#...................................................................................................#3!

Analysis#..................................................................................................................................#5!SSL!and!the!Enterprise!..................................................................................................................................!5!SSL!and!the!Adversary!..................................................................................................................................!7!2013!NGFW!SSL!Performance!CAR!...............................................................................................................!7!Vendor!Performance!Numbers!....................................................................................................................!9!Check!Point!12600!....................................................................................................................................!9!Dell!SonicWALL!SuperMassive!E10800!.....................................................................................................!9!Fortinet!FortigateC3600C!........................................................................................................................!10!Juniper!SRX3600!......................................................................................................................................!10!Palo!Alto!Networks!PAC5020!...................................................................................................................!11!Sourcefire!8250!&!Sourcefire!8290!.........................................................................................................!11!Stonesoft!3202!........................................................................................................................................!12!

Reading#List#..........................................................................................................................#13!

Contact#Information#..............................................................................................................#14!

Table#Of#Figures#Figure!1!–!SSL!Performance!Impacts!on!Bandwidth!and!Transaction!per!Second!Loss!................................................!1!Figure!2!–!Key!Strength!Distribution!.............................................................................................................................!6!Figure!3!–!Decryption!Times!of!512!–!4096!Ciphers!on!2GHz!Pentium!........................................................................!6!!Figure!4!–!SSL!Performance!Impacts!on!Bandwidth!....................................................................................................!8!Figure!5!–!SSL!Transaction!per!Second!Loss!..................................................................................................................!8!!Figure!6!–!Check!Point!12600!......................................................................................................................................!9!!Figure!7!–!Dell!SonicWALL!SuperMassive!E10800!.......................................................................................................!9!!Figure!8!–!Fortinet!FortigateL3600C!...........................................................................................................................!10!!Figure!9!–!Juniper!SRX3600!........................................................................................................................................!10!!Figure!10!–!Palo!Alto!Networks!PAL5020!...................................................................................................................!11!!Figure!11!–!Sourcefire!8250!.......................................................................................................................................!11!!Figure!12!–!Sourcefire!8290!.......................................................................................................................................!12!!Figure!13!–!Stonesoft!3202!........................................................................................................................................!12!


!

! ! 5! ! !

Analysis!During!a!recent!analysis!of!NGFWs,!NSS!verified!the!performance!impacts!of!clientLside!SSL!inspection,!and!the!results!showed!considerable!room!for!improvement.!This!raises!concerns!for!the!viability!of!SSL!inspection!in!enterprise!networks!without!the!use!of!dedicated!SSL!decryption!devices.!

NSS!research!has!found!that!the!use!of!HTTPS!has!risen!significantly!over!the!past!few!years;!web!browserLbased!applications!such!as!Facebook!and!Twitter,3!and!search!engines!such!as!Google!are!enabling!SSL!by!default!as!a!result!of!privacy!and!security!concerns.!

Additionally,!users!increasingly!have!the!ability!to!install!browser!addLons!that!can!force!the!use!of!HTTPS!within!popular!web!browsers!such!as!Safari,!Chrome,!Internet!Explorer!and!Firefox.!These!extensions!force!the!browser!to!only!access!HTTPS!first.!It!is!the!ultimate!irony!that!the!increasing!use!of!SSL!in!an!attempt!to!make!our!onLline!lives!more!secure!actually!reduces!security!on!the!corporate!network!by!creating!blind!spots!for!corporate!security!infrastructures.!

HTTPS!has!been!used!for!secure!web!communications!on!the!Internet!for!almost!two!decades,!but!it!is!only!recently!that!network!security!vendors!have!begun!including!HTTPS!as!a!feature.!This!is!in!response!to!client!requirements!regarding!regulatory!compliance,!search!engines!and!web/mobile!applications!that!are!utilizing!SSL!by!default!and,!most!importantly,!in!response!to!malware!that!is!using!SSL!as!a!transport!to!evade!network!detection!devices.!

SSL#and#the#Enterprise#NSS!research!on!the!use!of!HTTPS!reveals!that!within!any!given!enterprise!the!current!percentage!of!outbound!network!traffic!that!is!SSL/TLS!encrypted!is!about!25%!–!35%.!Performance!issues!relating!to!SSL!can!be!attributed!to!several!factors,!but!the!most!significant!is!the!length!of!the!certificate!key.!The!larger!the!key,!the!more!computing!power!is!required!to!decrypt!it.!

Trustworthyinternet.org!has!a!global!dashboard!known!as!SSL!Pulse!that!extracts!close!to!200,000!well!known!SSL!websites!from!Alexa,4!a!company!which!provides!analytics!on!~1.5!million!websites.!The!most!recent!report!from!SSL!Pulse!shows!that!out!of!172,537!SSL!websites!surveyed,!91.1%!were!using!2048!bit!ciphers5.!This!information,!when!viewed!alongside!the!significant!declines!in!performance!and!transaction!rates!that!were!observed!during!testing,!questions!the!wisdom!of!enabling!SSL.!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!http://www.zdnet.com/blog/networking/twitterLaddsLsslLsecurity/1374!4!http://www.alexa.com!

5!https://www.trustworthyinternet.org/sslLpulse/!


!

! ! 6! ! !

!

Figure#2#–#Key#Strength#Distribution#

Performing!HTTPS!decryption!inline!on!a!NGFW!device,!or!on!any!security!device!that!is!performing!deep!packet!inspection!is!a!significant!undertaking.!Figure!3!shows!the!performance!impacts!(in!milliseconds)!that!the!various!ciphers!have!on!a!2GHz!Pentium!processor.!

!

Figure#3#–#Decryption#Times#of#512#–#4096#Ciphers#on#2GHz#Pentium6#

NSS!predicts!that!the!default!ciphers!will!increase!in!length,!which!will!require!more!computing!power.!!The!standard!default!cipher!that!is!acceptable!today!is!1024b!and,!according!to!“NIST!Special!Publication!800C5,”!the!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6!http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml!


!

! ! 7! ! !

standard!default!cipher!of!2048b!will!be!required!by!December!31,!2013.!Anything!below!2048b!should!be!transitioned!to!the!new!standard7.!NSS!testing!results!indicate!that!this!will!be!an!issue!for!most!network!security!vendors.!!

SSL#and#the#Adversary##Many!attack!vectors!may!be!used!to!compromise!an!asset,!and!blind!spots!within!an!infrastructure!help!attackers!to!evade!detection.!The!following!methods!may!be!used:!

• DriveLby!malware!sites!using!HTTPS!• C&C’s!that!communicate!via!SSL!• Malware!with!SSL!callbacks!

Recent!research!on!the!NSS!threat!database!found!that!while!it!is!only!a!small!percentage!(~1%)!of!malware!that!is!using!SSL,!this!malware!is!highly!sophisticated.!These!methods!of!attack!pose!real!risks!to!an!organization’s!infrastructure.!Additionally,!network!security!devices!that!lack!the!ability!to!inspect!SSL!traffic!allow!attackers!to!remain!undetected!by!network!monitoring.!

Some!of!the!attack!methods!listed!above!would!require!the!end!user!to!accept!a!SSL!certificate.!It!can!certainly!be!argued!that!sophisticated!users!will!not!click!and!accept!a!SSL!certificate,!and!that!seasoned!security!professionals!will!not!accept!either!a!selfLsigned!certificate!or!one!that!is!accompanied!by!a!warning!banner!stating!that!the!web!browser!can!not!verify!the!identity!of!a!website.!However,!most!users!will!not!realize!the!real!risk!and!will!click!and!accept.!

To!illustrate!this!point,!a!recent!infographic8!on!Get!Cyber!Safe,!a!web!site!dedicated!to!educating!users!on!Internet!security,!showed!that!16!million!emails!per!day!pass!undetected!through!spam!filters,!8!million!of!these!are!opened,!and!more!than!800,000!users!will!click!on!the!malicious!links!contained!within!these!emails.!9!

2013#NGFW#SSL#Performance#CAR#

Earlier!this!year,!NSS!released!a!NGFW!comparative!analysis!report!that!detailed!the!results!of!SSL!performance!testing!of!Check!Point,!Dell!SonicWALL,!Fortinet,!Juniper,!Palo!Alto!Networks,!SourceFire!and!Stonesoft.!The!following!analysis!examines!the!vendor’s!ability!to!intercept,!decrypt,!process,!and!reLencrypt!HTTPS!traffic!at!network!loads!of!varying!size!and!varying!connections!per!second,!with!SSL!inspection!enabled.!

Through!the!creation!of!genuine,!sessionLbased!HTTPS!traffic!with!varying!session!lengths,!the!vendor!is!forced!to!track!valid!TCP!sessions,!thus!ensuring!a!higher!workload!than!for!simple!packetLbased!background!traffic.!This!provides!a!test!environment!that!is!as!close!to!“real!world”!as!it!is!possible!to!achieve!in!a!lab!environment,!while!still!ensuring!accuracy!and!repeatability.!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!7!http://csrc.nist.gov/publications/nistpubs/800L57/sp800L57_PART3_keyLmanagement_Dec2009.pdf!8!http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcsL2012L10L11Leng.aspx!9!http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcsL2012L10L11Leng.aspx!


!

! ! 8! ! !

Each!transaction!consists!of!a!SSL!handshake!followed!by!a!single!HTTP(S)!GET!request,!and!there!are!no!transaction!delays!(the!Web!server!responds!immediately!to!all!requests).!All!packets!contain!valid!payload!(a!mix!of!binary!and!ASCII!objects)!and!address!data,!and!the!test!represents!a!live!network!(albeit!one!that!is!biased!towards!HTTPS!traffic)!at!various!network!loads.!Figure!4!and!Figure!5!provide!a!consolidated!view!of!the!vendor!results.!

!

#Figure#4#–#SSL#Performance#Impacts#on#Bandwidth#

!

!

Figure#5#–#SSL#Transaction#per#Second#Loss#

! !


!

! ! 9! ! !

Vendor#Performance#Numbers#

Check#Point#12600#

The!Check!Point!12600!NGFW!is!currently!performance!rated!at!5Gbps!by!Check!Point.!During!SSL!performance!testing,!the!actual!performance!was!rated!at!4.22Gbps.!It!was!also!noted!that!the!TPS!versus!the!megabits!per!second!(Mbps)!remained!relatively!consistent!with!the!512b!and!1024b!ciphers.!NSS!anticipated!a!linear!drop!in!performance!and!TPS!as!the!ciphers!doubled!in!size,!but!this!was!not!the!case.!The!2048b!cipher!caused!a!decrease!in!TPS!of!300,!but!performance!was!maintained!at!550!Mbps.!This!is!an!87!percent!reduction!from!the!vendor!advertised!performance.!!!

#Figure#6#–#Check#Point#12600#

Dell#SonicWALL#SuperMassive#E10800#

The!Dell!SonicWALL!SuperMassive!E10800!NGFW!is!currently!performance!rated!by!the!vendor!at!12Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!16.6Gbps.!There!was!an!expected!linear!reduction!in!TPS!versus!Mbps.!The!performance!decrease!between!512b!and!1024b!was!marginal,!but!there!was!a!significant!performance!loss!at!2048b.!!

Impact!on!performance!for!tested!ciphers:!

• 84%!w/512b!• 85%!w/1024b!• 94%!w/2048b!

#Figure#7#–#Dell#SonicWALL#SuperMassive#E10800#


!

! ! 10! ! !

Fortinet#Fortigate[3600C#

The!Fortinet!FortigateL3600C!NGFW!is!currently!performance!rated!by!the!vendor!at!60Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!7,580Mbps.!The!expectation!of!a!linear!drop!in!TPS!versus!Mbps!was!constant!as!the!cipher!strengths!increased.!The!performance!decreases!across!all!ciphers!were!marginal,!but!the!overall!performance!impact!was!the!greatest!across!all!vendors.!


• 92.995%!w/512b!• 93.497%!w/1024b!• 94.077%!w/2048b!

#Figure#8#–#Fortinet#Fortigate[3600C#

Juniper#SRX3600#

The!Juniper!SRX3600!NGFW!is!currently!performance!rated!by!the!vendor!at!11Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!3.3Gbps.!Juniper!performed!the!best!out!of!all!the!vendors!with!the!lowest!performance!degradation.!Additionally,!Juniper!demonstrated!the!highest!throughput!with!1024b!and!2048b!ciphers!with!onboard!SSL.!The!TPS!versus!Mbps!did!not!follow!the!anticipated!linear!reduction!that!was!common!with!other!products.!!


• 34%!w/512b!• 13%!w/1024b!• 36%!w/2048b!!!

#Figure#9#–#Juniper#SRX3600#


!

! ! 11! ! !

Palo#Alto#Networks#PA[5020#

The!Palo!Alto!Networks!PAL5020!NGFW!is!currently!performance!rated!by!the!vendor!at!2Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!2.3Gbps.!The!TPS!versus!Mbps!followed!a!linear!reduction!with!marginal!performance!degradation!between!1024b!and!2048b!ciphers.!

Impact!on!performance!for!tested!ciphers:!!!

• 66%!w/512b!• 78%!w/1024b!• 79%!w/2048b!

#Figure#10#–#Palo#Alto#Networks#PA[5020#

Sourcefire#8250#&#Sourcefire#8290#

The!Sourcefire!8250!NGFW!is!currently!performance!rated!by!the!vendor!at!10Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!12.9Gbps.!The!Sourcefire!8250!was!the!only!vendor!that!utilized!a!dedicated!SSL!appliance!during!testing.!The!TPS!achieved!were!the!highest!of!all!the!devices!tested.!


• 77.13%!w/512b!• 77.52%!w/1024b!• 82.95%!w/2048b!!

!

#Figure#11#–#Sourcefire#8250#

! !


!

! ! 12! ! !

The!Sourcefire!8290!NGFW!is!currently!performance!rated!by!the!vendor!at!40Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!52.3Gbps.!The!TPS!and!Mbps!remained!the!same!as!the!8250.!This!is!not!a!reflection!of!the!performance!capabilities!of!the!8250!and!8290,!but!rather!of!the!processing!limitation!of!the!dedicated!SSL!appliance.!

!Impact!on!performance!for!tested!ciphers:!!

• 94.359%!w/512b!• 94.456%!w/1024b!• 95.794%!w/2048b!

#Figure#12#–#Sourcefire#8290#

Stonesoft#3202#

The!Stonesoft!3202!NGFW!is!currently!performance!rated!by!the!vendor!at!3Gbps.!During!NSS!testing,!the!actual!performance!was!rated!at!2.7Gbps.!The!TPS!and!the!Mbps!followed!the!predictive!linear!reduction!as!the!cipher!strength!increased.!

Impact!on!performance!for!tested!ciphers:!!

• 54%!w/512b!• 60%!w/1024b!• 76%!w/2048b!

#Figure#13#–#Stonesoft#3202#

! !


!

! ! 13! ! !

Reading!List!The!Targeted!Persistent!Attack!(TPA)!The!Misunderstood!Security!Threat!Every!Enterprise!Faces.!NSS!Labs!https://www.nsslabs.com/reports/analysisLbriefLtargetedLpersistentLattackLtpaLmisunderstoodLsecurityLthreatLeveryLenterprise!

2013!Next!Generation!Firewall!Comparative!Analysis.!NSS!Labs!https://www.nsslabs.com/reports/2013LnextLgenerationLfirewallLcomparativeLanalysis!

Netronome!Whitepaper:!Examining!SSLCEncrypted!Communications.!http://www.infosecurityproductsguide.com/technology/2008/Netronome_Examining_SSLLencrypted_Communications.pdf!

NIST!Special!Publication!800C5!http://csrc.nist.gov/publications/nistpubs/800L57/sp800L57_PART3_keyLmanagement_Dec2009.pdf!

!

! !

https://www.nsslabs.com/reports/analysis-brief-targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise

https://www.nsslabs.com/reports/2013-next-generation-firewall-comparative-analysis

http://www.infosecurityproductsguide.com/technology/2008/Netronome_Examining_SSL-encrypted_Communications.pdf

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf


!

! ! 14! ! !

©!2013!NSS!Labs,!Inc.!All!rights!reserved.!No!part!of!this!publication!may!be!reproduced,!photocopied,!stored!on!a!retrieval!system,!or!transmitted!without!the!express!written!consent!of!the!authors.!!

Please!note!that!access!to!or!use!of!this!report!is!conditioned!on!the!following:!

1.!!The!information!in!this!report!is!subject!to!change!by!NSS!Labs!without!notice.!

2.!!The!information!in!this!report!is!believed!by!NSS!Labs!to!be!accurate!and!reliable!at!the!time!of!publication,!but!is!not!guaranteed.!All!use!of!and!reliance!on!this!report!are!at!the!reader’s!sole!risk.!NSS!Labs!is!not!liable!or!responsible!for!any!damages,!losses,!or!expenses!arising!from!any!error!or!omission!in!this!report.!

3.!!NO!WARRANTIES,!EXPRESS!OR!IMPLIED!ARE!GIVEN!BY!NSS!LABS.!ALL!IMPLIED!WARRANTIES,!INCLUDING!IMPLIED!WARRANTIES!OF!MERCHANTABILITY,!FITNESS!FOR!A!PARTICULAR!PURPOSE,!AND!NONLINFRINGEMENT!ARE!DISCLAIMED!AND!EXCLUDED!BY!NSS!LABS.!IN!NO!EVENT!SHALL!NSS!LABS!BE!LIABLE!FOR!ANY!CONSEQUENTIAL,!INCIDENTAL!OR!INDIRECT!DAMAGES,!OR!FOR!ANY!LOSS!OF!PROFIT,!REVENUE,!DATA,!COMPUTER!PROGRAMS,!OR!OTHER!ASSETS,!EVEN!IF!ADVISED!OF!THE!POSSIBILITY!THEREOF.!

4.!!This!report!does!not!constitute!an!endorsement,!recommendation,!or!guarantee!of!any!of!the!products!(hardware!or!software)!tested!or!the!hardware!and!software!used!in!testing!the!products.!The!testing!does!not!guarantee!that!there!are!no!errors!or!defects!in!the!products!or!that!the!products!will!meet!the!reader’s!expectations,!requirements,!needs,!or!specifications,!or!that!they!will!operate!without!interruption.!!

5.!!This!report!does!not!imply!any!endorsement,!sponsorship,!affiliation,!or!verification!by!or!with!any!organizations!mentioned!in!this!report.!!

6.!!All!trademarks,!service!marks,!and!trade!names!used!in!this!report!are!the!trademarks,!service!marks,!and!trade!names!of!their!respective!owners.!!

Contact!Information!NSS!Labs,!Inc.!206!Wild!Basin!Rd!Building!A,!Suite!200!Austin,!TX!78746!USA!+1!(512)[email protected]!www.nsslabs.com!!!

This!analyst!brief!was!produced!as!part!of!NSS!Labs’!independent!testing!information!services.!Leading!products!were!tested!at!no!cost!to!the!vendor,!and!NSS!Labs!received!no!vendor!funding!to!produce!this!analyst!brief.!

!

'

!

!

#

Documents

SSL Performance Problems · ANALYST'BRIEF' SSL#Performance#Problems# SIGNIFICANT#SSL#PERFORMANCE#LOSS#LEAVES#MUCH#ROOM#FOR#IMPROVEMENT#! Author#–#John#W.#Pirc# Overview! In!early!2013,!NSS!Labs!released!the!results!of!its!“Next!Generation!Firewall!Comparative!Analysis!Reports”!(NGFW!