XStream SSL decryption vs. Proxy: Performance

Hi,

we bought our current firewall before SFOS 18 and hence before the new Xstream DPI / SSL decryption was released. The spec sheet for the firewall (an XG135) didn't specify SSL decryption performance in particular, or it wasn't of concern back in the day. Now I checked the specs on the website again, and to my surprise, Xstream SSL decryption performance is now highlighted for each model, and the XG135 only does 210 Mbit/s.

On a 7 Gbit/s firewall.

So what's the deal with this? Wasn't XStream announced as this new top-tier feature that would blow the old SSL decryption engine (proxy) out of the water when it comes to performance?

Should we switch back to proxy-based decryption? Which one is actually faster?


  • I can't comment directly on the XG135, but the TLS decryption performance depends heavily on what traffic is being decrypted, such as whether it's TLS 1.2 or TLS 1.3, what cipher it's using, and so on.

    On a 7 Gbit/s firewall.

    ***7 Gbit/s is for an L4 SPI firewall with large packets. Then it goes down to 4.3 Gbit/s for an L4 SPI firewall with IMIX traffic, and finally to 600 Mbit/s with Threat Prevention.

    Also, you should do your own performance testing, since the 210Mbit/s number sounds low - Just a reminder, the Xstream numbers include both TLS Decryption and Threat Prevention, which includes AV + Sandstorm + NGFW Traffic (IPS/App Ctrl).
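As an added example, not part of the original thread or anything from Sophos: the "what traffic is being decrypted" point above comes down to what the ServerHello negotiated, and that is what any decryption benchmark should mirror. One trap when profiling a capture is that TLS 1.3 keeps the ServerHello's legacy_version field at 0x0303 and only signals the real version in the supported_versions extension, so a naive version check reports TLS 1.3 as TLS 1.2. The parser below handles that and tallies (version, cipher suite) pairs; the sample records are constructed by a helper in the block, and the function names and small cipher-suite table are my own assumptions.

```python
import struct
from collections import Counter

# Small IANA cipher-suite table; extend as needed (assumption: only these matter here).
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension type


def build_server_hello(cipher_suite, negotiated_version):
    """Constructed sample: assemble a plaintext ServerHello record (RFC 5246 / RFC 8446 layout)."""
    exts = b""
    if negotiated_version == 0x0304:
        # TLS 1.3 carries its real version only here; legacy_version stays 0x0303.
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    body = (struct.pack("!H", 0x0303)            # legacy_version
            + b"\x42" * 32                        # random (fixed bytes for the sample)
            + b"\x00"                             # legacy_session_id length 0
            + struct.pack("!H", cipher_suite)
            + b"\x00"                             # legacy_compression_method null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # HandshakeType server_hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake  # ContentType handshake


def parse_server_hello(record):
    """Return the negotiated version, cipher suite and AEAD flag from one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]   # legacy_version, overridden below for 1.3
    pos = 2 + 32                                  # skip random
    pos += 1 + body[pos]                          # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                                  # cipher suite + compression method
    if pos + 2 <= len(body):                      # extensions block is optional in TLS 1.2
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(body):
            raise ValueError("truncated extensions")
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]  # the real negotiated version
            pos += elen
    name = CIPHER_SUITES.get(cipher, "0x%04x" % cipher)
    return {"version": VERSION_NAMES.get(version, "0x%04x" % version),
            "cipher": name,
            "aead": "GCM" in name or "POLY1305" in name}


def profile_traffic(records):
    """Tally (version, cipher) pairs so a decryption benchmark can mirror the real traffic mix."""
    return Counter((r["version"], r["cipher"]) for r in map(parse_server_hello, records))


if __name__ == "__main__":
    sample = [build_server_hello(0x1302, 0x0304),   # constructed: TLS 1.3, AES-256-GCM
              build_server_hello(0x1301, 0x0304),   # constructed: TLS 1.3, AES-128-GCM
              build_server_hello(0xC02F, 0x0303),   # constructed: TLS 1.2, ECDHE AES-128-GCM
              build_server_hello(0x002F, 0x0303)]   # constructed: TLS 1.2, RSA AES-128-CBC
    for (ver, suite), n in profile_traffic(sample).most_common():
        print("%-8s %-40s %d" % (ver, suite, n))
```

Feed it the ServerHello records from a capture of your own traffic and you get the version/cipher mix your firewall actually sees; a benchmark that only pushes one large-packet TLS 1.2 AES-GCM stream will not tell you much about a real mix with TLS 1.3 and legacy CBC suites in it.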


  • Also, you should do your own performance testing, since the 210Mbit/s number sounds low - Just a reminder, the Xstream numbers include both TLS Decryption and Threat Prevention, which includes AV + Sandstorm + NGFW Traffic (IPS/App Ctrl).

    Are you sure about that? Because the website specifically mentions "Xstream SSL Decryption performance" as 210 Mbit/s, not Xstream DPI (which would contain AV etc.).

    As you said, the 210 Mbit/s appears to be very low, and I wonder why Sophos gives such small numbers. Even the higher-end machines have comparatively low Xstream SSL decrypt performance.

    The question remains: with regards to the marketing material, Xstream is supposed to be providing "extreme levels of protection and performance" (quoted from here). 210 Mbit/s is hardly "extreme", and from the datasheet, proxy SSL decrypt is a hell of a lot faster, at least on paper. So marketing and data sheets are contradicting each other.

  • Are you sure about that? Because the website specifically mentions "Xstream SSL Decryption performance" as 210 Mbit/s, not Xstream DPI (which would contain AV etc.).

    Yes,

    So marketing and data sheets are contradicting each other. 

    That's just the marketing team doing its own job, nothing unusual.