AUSTIN, Texas – July 24, 2018 – NSS Labs, a global leader and trusted source for independent, fact-based cybersecurity guidance, today announced the release of its secure sockets layer (SSL)/transport layer security (TLS) performance test reports. The SSL performance testing was conducted during the 2018 Next Generation Firewall Group Test, announced earlier this month. With the increased use of SSL/TLS in the traffic traversing the modern network, an NGFW must be able to inspect encrypted content.

SSL and TLS protocols are the foundation of e-commerce security, encrypting the transfer of sensitive data, verifying the authenticity of websites, and ensuring the integrity of exchanged information. Threat actors are increasingly using SSL/TLS to deliver malicious attacks. Gartner estimates that in 2017 more than half of the network attacks targeting enterprises used encrypted traffic to bypass security controls.1

According to NSS Labs research, 41.7% of enterprises deploy dedicated SSL/TLS appliances.2 Use of the SSL protocol and its current iteration, TLS is rising dramatically in response to an increasing need for online privacy. In 2016, NSS Labs found that HTTPS (SSL/TLS-encrypted) traffic grew 90% year over year and 50% of enterprise traffic was encrypted.3

With this increase in SSL/TLS traffic, enterprises are finding that the performance of their NGFWs is being impacted. The NSS Labs’ 2018 SSL/TLS Performance Tests determined how 10 of the industry’s leading NGFW products performed in the following key areas:

    • Cipher Functionality – Confirm and validate the device under test is correctly decrypting and (if applicable) inspecting SSL/TLS traffic.
    • Performance – A performance baseline using various types of HTTP traffic is established for the device. The device is then measured with HTTPS-based real-world performance in order to establish comparative metrics for the device (with or without SSL decryption/inspection). This ensures the device is not bypassing the decryption/inspection process to demonstrate better performance.

Key Findings

      • Although results are not directly comparable, the following was observed when measuring product performance with SSL/TLS turned off versus with SSL/TLS turned on:
        • There was a 92% drop in the average connection rate of the tested products, connection degradation ranged from 84% to 99%.
        • Latency in the average application response time of the tested products increased by 672%; latency ranged from 99% to 2,910%.
        • There was a 60% drop in the average throughput of the tested products, throughput degradation ranged from 13% to 95%.
      • Not all tested products support the top 30 cipher suites from the Alexa Top 1 Million, as of 12/31/2017
      • Some tested products support emergent ciphers

“Encryption does not protect us from all threats and in fact can make it easier for the adversary. Enterprises must be aware of and concerned if they are not decrypting and inspecting SSL traffic from untrusted sources,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “The NSS Labs SSL/TLS Test Reports provide valuable insights to help enterprises plan accordingly as they upgrade and refresh their architectures to expand visibility across encrypted traffic.”

1 Gartner “Protecting from a Growing Attack Vector, Encrypted Attacks” March 2016
2 NSS Labs “Security Controls in the US Enterprise: SSL/TLS Appliances” September 2017
3 NSS Labs “NSS Labs Predicts 75% of Web Traffic Will Be Encrypted by 2019” November 2016

The following products were tested:

      • Barracuda Networks CloudGen Firewall F800.CCE v7.2.0
      • Check Point 15600 Next Generation Threat Prevention (NGTP) Appliance vR80.20
      • Cisco Firepower 4120 Security Appliance v6.2.2
      • Forcepoint NGFW 2105 Appliance v6.3.3 build 19153 (Update Package: 1056)
      • Fortinet FortiGate 500E V5.6.3GA build 7858
      • Palo Alto Networks PA-5220 PAN-OS 8.1.1
      • SonicWall NSa 2650 SonicOS Enhanced
      • Sophos XG Firewall 750 SFO v17 MR7
      • Versa Networks FlexVNF 16.1R1-S6
      • WatchGuard M670 v12.0.1.B562953

NSS Labs is committed to providing empirical data and objective group test results that enable organizations to make educated decisions about purchasing and optimizing security infrastructure products and services. As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results.