It is true that SSL/TLS decryption is the enemy of performance. There is no way around it. However, this doesn’t have to be the end of the world if you spend a bit of time optimizing the firewall. It is not uncommon for a customer to require a firewall that can keep up with their Internet circuit, plus a little room to grow. From there they try to match the circuit to the SSL/TLS decryption throughput and find themselves purchasing a firewall that is WAY too big for their environment.
As it turns out, Firepower is not the first security product in the history of the world that needs to be optimized, and it won’t be the last. It’s very easy to get Firepower up and running, add three rules (“permit 443, etc.…”) and call your job done. Anyone with YouTube access can pull this off in an afternoon. Of course, the business will be stuck with poor performance, a huge Cisco bill, and will probably end up needing an Internet circuit upgrade too. All of this can be avoided with a knowledgeable engineer who puts in the time to optimize. Sorry about the rant, but I see this shoddy work way too often.
TLS Performance Hit
For example, let’s look at a Cisco 2110.
Figure 1: Firepower 2110 throughput figures, from the Cisco Firepower 2100 series datasheet: https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html
Bad times! We took a firewall with 2.6Gbps of inspected throughput and now it’s down to 365MB. Ugly. However, “How much throughput?” is probably not the right question to ask. Instead, here are a few questions that make a bit more sense:
How much throughput? Ha!
- This is of course something you would have to know. There is a huge difference between a 1Gbps and a 10Gbps circuit.
What are your top 10 bandwidth hogs?
- That’s virtually always an interesting list. Most customers, pre-Firepower, don’t know the answer to this question. However, to size properly, this is mandatory. Your list will vary a bit, but you will notice the usual suspects:
- YouTube: Do we need to decrypt YouTube? I think not.
- Netflix: Will this even be allowed after the project? If so, do we need to decrypt it?
- What about the other video streaming platforms?
- Streaming music: Same drill?
Which traffic MUST not be decrypted?
- Finance?
- Health?
- HR Portals?
- Etc.…
Are ads allowed on the existing Internet circuit?
- How much bandwidth is saved if ads are blocked?
How much bandwidth is being used by websites/applications that will be blocked after the project is put in place?
After you remove all the above services from the TLS policy, how much bandwidth do you really need? The answer, 99-out-of-100 times, is very little.
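As an added illustration (not from the original post), here is a small Python sizing model of the exercise above: bucket the top talkers into blocked, exempt from decryption, and decrypt, then compare only the decrypt bucket against the appliance’s TLS figure. The application list and peak numbers are constructed, and the 365 figure quoted above is treated as Mbps for the comparison.

```python
# Constructed sample of a customer's "top bandwidth hogs" (name, category, peak Mbps).
# Illustrative numbers only; real ones come from a monitoring period on the firewall.
TOP_TALKERS = [
    ("YouTube",        "streaming-video", 420),
    ("Netflix",        "streaming-video", 310),
    ("Spotify",        "streaming-music", 60),
    ("Ad networks",    "ads",             90),
    ("Bank portal",    "finance",         15),
    ("Health insurer", "health",          10),
    ("HR portal",      "hr",              8),
    ("Microsoft 365",  "saas",            180),
    ("Web browsing",   "general-web",     140),
]

# Categories the policy must never decrypt (privacy / regulatory).
DO_NOT_DECRYPT = {"finance", "health", "hr"}
# Categories removed from the decrypt policy because inspecting them adds nothing.
NOT_WORTH_DECRYPTING = {"streaming-video", "streaming-music"}

# TLS throughput figure quoted above for the 2110 (assumed to be Mbps here).
TLS_CAPACITY_MBPS = 365


def size_decrypt_policy(talkers, blocked_categories, tls_capacity_mbps):
    """Bucket each app and report how much peak Mbps actually hits the TLS engine."""
    buckets = {"blocked": 0, "exempt": 0, "decrypt": 0}
    for _name, category, mbps in talkers:
        if category in blocked_categories:
            buckets["blocked"] += mbps       # removed from the circuit entirely
        elif category in DO_NOT_DECRYPT | NOT_WORTH_DECRYPTING:
            buckets["exempt"] += mbps        # passes through still encrypted
        else:
            buckets["decrypt"] += mbps       # the only load the TLS engine sees
    buckets["total"] = sum(mbps for _, _, mbps in talkers)   # "decrypt everything" demand
    buckets["fits"] = buckets["decrypt"] <= tls_capacity_mbps
    return buckets


if __name__ == "__main__":
    # Compare "decrypt everything" with a tuned policy that also blocks ads.
    tuned = size_decrypt_policy(TOP_TALKERS, {"ads"}, TLS_CAPACITY_MBPS)
    print(f"Decrypt everything would need {tuned['total']} Mbps of TLS throughput")
    print(f"Tuned policy needs {tuned['decrypt']} Mbps; fits in {TLS_CAPACITY_MBPS}: {tuned['fits']}")
```

Run the same data with an empty blocked set to see the ads alone push the decrypt bucket past the 365 figure; that is the kind of finding the sizing exercise is meant to surface.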
SSL/TLS Decryption Push Back
Every customer I spoke to about this had the same response: “Decrypt everything.” Really, the good news is the Cybersecurity Managers aren’t the Airport Security Managers. The strip-search line would be problematic.
Paying an expert to deep dive into the company’s Internet usage often makes a difference of hundreds of thousands of dollars in hardware and maintenance costs. Once all the data is gathered, the pro can provide a report on exactly where your bandwidth cost lives, exactly how to fix it, and last but not least, exactly which size is required.
It can get even worse. Frequently the cost of doing “full decryption” is the difference between moving forward with a project or not. That is the real cost of a bad or lazy engineer. Not only do you not get decryption, but you also don’t get any security at all!
So, how can CDA help you improve your network security?
Members of our team hold the Cisco Certified Internetwork Expert (CCIE) certification and can help at any stage of the process: proof of concept, design, architecture, implementation, testing, and issue resolution. Want to learn more?