What’s new in Sophos UTM Accelerated (9.2): #6 – Faster IPS scanning for improved performance

UTM-9.2-Accelerated-faster-performanceThis blog post in our series on UTM 9.2 covers a much discussed topic in the network security world: performance. It’s one of those things that customers either don’t care about at all, or it’s at the top of their list of buying criteria. Unfortunately, it’s also an area where there are many misconceptions. So does performance really matter? And if yes, why?

To answer the first question; yes, performance matters. But some throughput numbers matter more than others, and if taken out of context, they matter much less. You need to look at your individual environment to fully understand your requirements.

A few things will influence the throughput you actually get out of your security gateway — type of users, how they connect, your server infrastructure, etc. Obviously, when sizing a solution to meet your performance requirements, the underlying hardware will be one of the first things to consider.

Both Sophos and Cyberoam offer appliances based upon standard Intel technology. We leverage Intel’s multi-core technology to get the optimal use of resources and at the same time offer a platform that is flexible to upgrade. But the software inside also has a major influence on performance.

Firewall throughput

If firewall throughput is the only number you look for on a datasheet, you will definitely be misled. It’s a number often promoted in third-party tests. But even under those artificial testing circumstances, firewall speed can be influenced both by the physical factors of the appliance — e.g., the number of ports — and the test methodology used.

The only hint I’d like to give you here is, beware of round numbers — they generally represent line speed which means that a device has been tested in such a way that it has reached its physical maximum throughput (due to, for example, the number of ports). Firewall throughput alone will tell you nothing about how a solution will fulfill your security needs.

IPS performance

The second number you’ll probably look at is IPS. An Intrusion Prevention System is an integral part of any network security gateway. For many a necessary evil, it will unavoidably influence the throughput numbers you measure in your particular usage scenario. But IPS is very effective in protecting the network perimeter.

Deep-packet inspection goes above and beyond what any traditional firewall can do. The influence IPS has on performance has been a much discussed topic for our customers too, and that’s why we’ve taken a number of measures to greatly accelerate our IPS performance in UTM 9.2.

Other than changes to the underlying engine, we’ve worked at making our IPS smarter. An optimized default rule set brings many advantages and as long as you set up the system to only scan the systems you actually have in use (why would you want to scan for Linux vulnerabilities, if you have no Linux machines?). You will already see improvements.

We now also offer the possibility to tailor what you scan with time-based rules. Many IPS rules shield against short-term system vulnerabilities. When vulnerable systems are patched, the costly IPS rules are often no longer needed. Now, customers can set IPS policies based on vulnerability age to intelligently maximize the balance of protection and performance.

Our initial testing shows that customers using Sophos UTM today will see anything up to a threefold improvement in IPS performance in real-life scenarios if they upgrade to UTM 9.2 (depending on their deployment and numerous other factors). That’s quite a boost.

Antivirus throughput

Antivirus throughput is another area which offers room for confusion. You may think that you can just compare the number on one vendor’s datasheet with that of another. Unfortunately, it’s not that simple.

Different vendors use different AV scanning mechanisms in their network products. The majority use flow or stream-based scanning. That method checks the first few bytes of a package and if it doesn’t find anything it knows to be malicious, passes it through. The second disadvantage with stream-based scanning is that there are many documents, packed files and archives that it won’t be able to check. That’s leaving quite substantial holes in your security.

The most secure method of AV scanning is proxy-based. It scans the complete file, can look into numerous compressed file types and offers you much better security that the stream-based method does. Because the complete file is cached and scanned, it will be slightly slower. But are you really willing to compromise on security? It almost goes without saying that Sophos UTM uses proxy-based AV scanning. In fact, we’re one of the few vendors who offer two AV scanning engines in our product for even better protection.

So performance is not quite as black and white as many would have us think. And it’s not likely to get easier any time soon. But hopefully, the next time a vendor claims to be the fastest, you’ll know what to ask them to find out if they really are.

Come back to our blog over the next few days to learn about more of the great new features in UTM Accelerated 9.2. Until then, should you have any questions, we’re only an email or a phone call away.