When running the same test with SSL traffic, the F5 firewall moved traffic at 12.874Gbps, about 99.8% the capacity of the Avalanche test tool running back to back. Thus, in both tests, the 10200v moved traffic almost as fast as it was offered.
TAKING A PEEK AT SSL
With all the recent news about government wiretaps and corporate espionage, it's easy to assume that decrypting SSL traffic is automatically a bad thing. That assumption would be false.
Organizations have several good reasons for wanting to decrypt SSL traffic. Some industries have regulations that require traffic inspection. Others may want to obfuscate certain strings in traffic (for example, credit card or Social Security numbers). Others may simply want to break down application percentages, or troubleshoot server or network problems. Whatever the reason, there are legitimate reasons for organizations to terminate SSL connections; decrypt the traffic and pass it along to external devices for further analysis; and then re-encrypt it and send it on its way.
The problem, as past test results have shown, is that SSL decryption can introduce a big performance hit. In past tests, we've seen rates nosedive from tens of gigabits well down into the megabit range when decryption is enabled. Given the computationally intense nature of decryption and encryption, those concerns about performance only increase as traffic rates rise.
In the case of the F5 firewall, there is a performance cost to SSL decryption, but it's nowhere near as steep as we've seen in past tests. For example, the 10-kbyte Web object test ran at a tad over 17Gbps with SSL traffic; with decryption, that rate fell to 11.188Gbps. So, there's certainly a performance hit with SSL decryption, but it's hardly the nosedive into megabit territory we've seen in previous tests.
Another key measure of firewall performance is scalability, which in turn has two dimensions: capacity and rate. We tested the F5 firewall both in terms of maximum concurrent TCP connections and maximum connection setup rate.
Connection capacity is important because a single user request can involve many TCP connections. For example, a single request for the home page of many news sites can involve 100 or more TCP connections due to web design trends, ad servers, streaming media servers, and other factors.
Connection rate matters because web sites may be hit with huge bursts of traffic. One common example is flash mobs, where some event (e.g., availability of a new product or concert tickets) causes a huge spike in connection request rates. Another common use case is disaster recovery, where the loss of one set of servers causes traffic to be migrated to a new set of servers.
Sign up for Computerworld eNewsletters.