Benefits of Security and Acceleration
November 1, 2012. Featured article by Don MacVittie, F5 Networks
The performance of web applications defines an organization. Whether external applications that drive customer research and purchasing or internal applications that keep the entire organization moving forward, performance is critical. Slowdowns in web application performance can have a profound and long-term impact on the perceptions of users. But security is essential too. Both customers and employees want to know that the information they provide and access through web apps is safe with the organization. This creates one of the great conundrums of 21st century information technology. Security generally slows the delivery of web applications, but the performance of web applications is important.
SSL has a massive impact on application performance. Whether a web application encrypts outgoing data to traverse the Internet or a VPN connection encrypts the entire stream, the cost in performance is high, and it often leads to otherwise unnecessary server upgrades and/or additional servers to handle load that would be manageable if it did not require encryption.
Web application firewalls (WAF) can also consume response time, through the latency introduced by checking requests for attack signatures. By slowing requests and responses, the WAF can create the impression that “the web site is slow”, when in reality the WAF is busy. As an in-line service, a WAF that doesn’t scale well can slow every web application routed through it. A high-performance, scalable WAF can minimize the impact, but there will still be some amount of performance hit.
SSL VPNs are the standard for employee and partner access to internal systems. Both SSL VPNs and HTTPS web applications rely on encryption and suffer the same issues described above; only the scope of the encryption differs. In an SSL VPN the entire connection is encrypted after the handshake, while in a web application that requires encryption the connection is generally encrypted as needed: web page X may require encryption while web page Y does not. On an SSL VPN, all data is encrypted on its way out to the Internet; with HTTPS, only the pages that contain sensitive data need be encrypted. Both cause performance degradation, and both use encryption; it is merely the volume and point of encryption that differ.
IDS and IPS impose serious performance degradation if they are deployed in-line. For that reason, they are normally implemented in a manner that doesn’t seriously impact performance – an IDS is configured on a mirrored port the vast majority of the time, and an IPS is generally introduced transparently into the server connections, making it a pass-through. If you suspect either of these devices of slowing performance, check your configuration. There are several ways to deploy both, and they can interfere, though if configured correctly they should not under normal operations. Where they do introduce performance problems is when an IPS is actively blocking connections. A high volume of connection resets from positive detections can cause an IPS to slow connections; the trick is to stop those attacks before they reach the IPS, utilizing a WAF or some high-volume attack detection mechanism such as a DDoS protection device.
The key to maximizing performance without negatively impacting security is utilizing tools in the web application optimization or application delivery optimization space to minimize the amount of data being sent across the wire and the number of round trips required. Using an SSL proxy that terminates SSL before it reaches the servers is also a good idea if you do not have an “encryption everywhere” policy.
The possible industry-standard optimizations that can be used to improve performance of secured websites fall into the following categories:
– SSL Offload. Utilizing specialized hardware to handle encryption and decryption saves a massive amount of CPU time and leaves servers free to serve up applications.
– Connection pooling. By using a proxy (any of several devices, from traditional firewalls to application delivery controllers (ADCs)) to keep connections to the backend servers open and reuse them across client connections, the setup and teardown time of TCP connections is reduced.
– TCP optimizations. Reducing the overhead of TCP while increasing reliability is the purpose of TCP optimizations. From cutting down the round trips needed to establish the base TCP connection to modifying how retransmissions are handled, this category improves performance at the protocol level.
– Compression. Making certain your servers are configured to use compression when the client supports it can make a large difference, as it reduces the number of round trips required to transfer the data from server to client, improving performance.
– SPDY support. There are a growing number of SPDY gateways available, and they improve performance without requiring changes to applications by providing SPDY support to browsers that request it. SPDY streamlines communications by compacting and ordering them – much like tar “reduces” the disk space used by concatenating all the files together.
– Image optimization. “Right-sizing” images for the target’s screen size is a relatively new technique that shows huge improvements in modern web page delivery by reducing image resolution to match the capabilities of the client. Although it has been in use long enough to be mature, many IT shops have not yet implemented it, but the benefits are massive and the negatives few. Some implementations decrease file size by eliminating unnecessary elements instead of (or in addition to) right-sizing.
– Caching of web content. Caching allows a proxy to serve up frequently accessed files directly without imposing a burden on the server. The most obvious example of this saving time is an organization’s corporate logo. It seldom changes, is served frequently, and as an image takes up more bandwidth than the accompanying HTML. If the server doesn’t need to send that file, because it is sent from a proxy, the servers’ network connections are less busy, meaning they can serve more connections or respond to requests in a timely manner.
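As an added example, not taken from the article or from any F5 product, the following nginx configuration fragment (for the `http` context) combines four of the optimizations listed above at a single reverse proxy: SSL offload (TLS terminates at the proxy and the backend sees plaintext HTTP), a pooled keepalive upstream for connection reuse, gzip compression only for clients that advertise support, and proxy-side caching of static content such as a logo. The hostnames, backend addresses, certificate paths and cache directory are placeholders.

```nginx
# Added example: one reverse proxy applying SSL offload, connection pooling,
# compression and static-content caching. Hostnames, paths and backend
# addresses are placeholders, not values from the article.

# Connection pooling: keep up to 32 idle connections per worker open to the
# backend pool so client requests reuse them instead of paying TCP setup/teardown.
upstream app_backend {
    server 10.0.0.11:8080;   # placeholder backend addresses
    server 10.0.0.12:8080;
    keepalive 32;
}

# Cache zone for static content served directly from the proxy.
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    listen 443 ssl;
    server_name www.example.com;   # placeholder

    # SSL offload: TLS terminates here; the backend servers only see plaintext HTTP.
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;   # session resumption avoids repeated full handshakes
    ssl_session_timeout 10m;

    # Compression: only when the client advertises support, and only for
    # text-like types where it pays off (images are already compressed).
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript text/xml;

    # Upstream connection reuse requires HTTP/1.1 and an empty Connection header.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;   # tells the app the client used TLS

    # Caching: the logo and other static assets are answered from the proxy,
    # so the application servers do not spend bandwidth or connections on them.
    location ~* \.(png|jpg|jpeg|gif|ico|svg|css|js)$ {
        proxy_cache static_cache;
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_use_stale error timeout updating;
        add_header X-Cache-Status $upstream_cache_status;   # HIT/MISS, useful when tuning
        expires 1h;
        proxy_pass http://app_backend;
    }

    # Dynamic pages: proxied over the pooled keepalive connections above.
    location / {
        proxy_pass http://app_backend;
    }
}

# Plaintext requests are redirected to the TLS listener.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

Because TLS stops at the proxy, the segment between proxy and backend carries plaintext; this is exactly the trade-off the article flags with its “encryption everywhere” caveat, so the backend servers should accept connections only from the proxy, which also prevents clients from reaching them directly with forged `X-Forwarded-*` headers. The `X-Cache-Status` header makes cache hits visible so the caching rules can be verified rather than assumed.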
Consider tools that offer the above optimizations as routes to reduce the impact of security on web application performance. Security is expensive in terms of processing power and performance, but there are options out there to help recover some of that lost performance by making it up elsewhere.
Merged together, application delivery optimization and security can improve an organization’s security posture while maintaining web application performance – the best of both worlds.
Don MacVittie is a Technical Marketing Manager at F5 Networks. In this role, he supports outbound marketing, education, and evangelism efforts around development, storage, and IT management topics related to F5 solutions. His role includes authoring technical materials, participating in social and community-based forums, and providing guidance for the development of marketing resources. As an industry veteran, MacVittie has extensive programming experience along with project management, IT management, and systems/network administration expertise.
Prior to joining F5, MacVittie was a Senior Technology Editor at Network Computing, where he conducted product research and evaluated storage and server systems, as well as development and outsourcing solutions. He has authored numerous articles on a variety of topics aimed at IT professionals. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.