F5 data center firewall aces performance test

By David Newman, Network World |  Security

The most plausible explanation for the difference is that, like all BIG-IP appliances, the 10200v is a load balancer. By performing web server health checks and distributing requests accordingly, the F5 firewall is able to distribute workloads more efficiently than clients and servers can do on their own.

In the mixed-object tests, the BIG-IP 10200v moved plaintext traffic at 37.486Gbps. That's almost 99.5% of the capacity of the Spirent Avalanche traffic generator when running the same test in a back-to-back configuration.

When running the same test with SSL traffic, the F5 firewall moved traffic at 12.874Gbps, about 99.8% of the capacity of the Avalanche test tool running back to back. Thus, in both tests, the 10200v moved traffic almost as fast as it was offered.

TAKING A PEEK AT SSL

With all the recent news about government wiretaps and corporate espionage, it's easy to assume that decrypting SSL traffic is automatically a bad thing. That assumption would be false.

Organizations have several good reasons for wanting to decrypt SSL traffic. Some industries have regulations that require traffic inspection. Others may want to obfuscate certain strings in traffic (for example, credit card or Social Security numbers). Others may simply want to break down application percentages, or troubleshoot server or network problems. Whatever the motivation, organizations have legitimate grounds to terminate SSL connections, decrypt the traffic and pass it along to external devices for further analysis, and then re-encrypt it and send it on its way.

The problem, as past test results have shown, is that SSL decryption can introduce a big performance hit. In past tests, we've seen rates nosedive from tens of gigabits well down into the megabit range when decryption is enabled. Given the computationally intense nature of decryption and encryption, those concerns about performance only increase as traffic rates rise.

In the case of the F5 firewall, there is a performance cost to SSL decryption, but it's nowhere near as steep as we've seen in past tests. For example, the 10-kbyte Web object test ran at a tad over 17Gbps with SSL traffic; with decryption, that rate fell to 11.188Gbps. So, there's certainly a performance hit with SSL decryption, but it's hardly the nosedive into megabit territory we've seen in previous tests.

HOW HIGH?

Another key measure of firewall performance is scalability, which in turn has two dimensions: capacity and rate. We tested the F5 firewall both in terms of maximum concurrent TCP connections and maximum connection setup rate.


Originally published on Network World.