Heiko,

Great write-up! Thank you.

Do you happen to know if AES-NI is working in VSX?

If it does, is it a global setting for the parent host or is it working on per-VS basis?

Hi ,

Hi Sandro,

Yes, according to SK and my tests, AES256 with AES-NI should be more effective.

More see here: Relative speeds of algorithms for IPsec and SSL 

Regards

Heiko

Hi Vladimir.

I can't say that 100% because the R&D guys should say something. But I think so, because this is actually on the operating system level. Here the linux crypto API is provided or the openssl crypto library.

Regards

Heiko

Note: Tim wrote on page 44 of his Security Gateway Performance Optimization presentation that large amounts of IPSec VPN traffic using algorithms SHA-384, AES-GCM-128 or AES-GCM-256 can cause an elevated percentage of traffic to be handled by SecureXL in F2F (Slow path).

Hi,

I am really shocked and worried that you are still talking and comparing Speed with DES and 3DES. No matter what Speed DES and 3DES has it is insecure and should never be used anymore - independent if it is faster or not. My opinion!

You can check OpenSSH version and you will be surprised ... 😉

Hi Alexander,

The statement I find great.

Point 1:
I totally agree with you. DES, 3DES, SHA1, RC4,…  should not be used anymore. That is also a clear recommendation in all my concepts. Now reality is catching up with us. Many firewall environments still use 3DES because the administrators have work with the change to AES-256. I think about 40% of the firewalls I see are still using 3DES. Secure Client connection is also used 3DES as default for phase 2 (see picture) in R80.20. I think it's a security issue.

Point 2:

Performance and security is a difficult issue in firewall tuning. There is a fine line between more security and high performance. This article is about performance and in this case the more powerful AES-256 encryption is also the safer one. It couldn't be better:-)

Point 3:

Please have a look at what Check Point offers with IPSec VPN in phase 1 and phase 2 in R80.20. Here DES and 3DES are still provided.

From my point of view, DES and 3DES will continue to exist for a long time. Why? Many other manufacturers do not manage to implement high encryption standards. These are often seen in medical sector or in industry sector. It's even worse for industrial systems. Often no encryption is used here.

And I agree with you, away with DES, 3DES, SHA1, RC4.

Regards

Heiko

Hello Heiko, Alexander,

Thank you for your notices, I have talked with RnD owners about these questions.

The OpenSSH and OpenSSL libraries are being patched with every relevant CVE. Open source packages on Check Point are being hardened and modified to answer our strict security standards. We also port many features from newer versions.

In other words, for example, the "OpenSSH 4.3p2" version in the R80.20 isn't equal to the OpenSSH 4.3p2, which we can download from the openssh.com. This is "OpenSSH 4.3p2 Checkpoint Edition".

I was explaining to a customer the AES-NI thing and bumped on this interesting thread. It is in my understanding that there is a consensus that AES-GCM is preferable to AES-CBC because of built-in authentication and better general performance. Also, on 64-bit systems a subset of SHA-512 like SHA-384 is supposed to be more CPU efficient than SHA-256.

However Timothy Hall's presentation seems to show that using GCM and SHA-384 is actually worse than CBC and SHA256 on Checkpoint. Is it correct?

"Worse" is a relative term.  VPN traffic that uses any form of GCM or SHA-384 cannot be handled by SecureXL in R80.10 and earlier and will be forced F2F which is a much less efficient processing path.  This assumes of course that there is not some other "Deep Inspection" blade such as APCL or Threat Prevention needing to inspect the traffic coming out of the VPN and forcing it into a higher path anyway.  So in a situation where only the most basic blades are enabled on a gateway (Firewall, IPSec VPN, and IPS w/ profile Default_Protection/Optimized) the vast majority of traffic can typically be handled in the most efficient SXL path at ludicrous speed, even if it is encrypting/decrypting to/from a VPN.  However use of GCM or SHA-384 on a VPN tunnel will force all of that tunnel's traffic F2F in R80.10 and earlier regardless of what blades are enabled.  

However on most modern firewalls, at least one "Deep Inspection" blade is enabled so most traffic won't be able to be handled in the SXL path anyway, and will end up in the Medium Path (PXL) or F2F.  An entire 16-page chapter of the second edition of my book (chapter 😎 was dedicated to this topic of VPN optimization.

However this limitation can be turned to your advantage.  If you suspect SecureXL acceleration is mishandling a certain VPN, simply enable a GCM-based algorithm or SHA-384 for that VPN which will keep SecureXL from trying to handle it and make it all go F2F in R80.10 or earlier.  This technique is much more efficient than disabling SecureXL completely, or alternatively switching off all SecureXL VPN acceleration with sim vpn off.

Edit: I forgot to mention that AES-NI can be successfully leveraged in all processing paths including SXL and F2F.

Update: AES-GCM-128 or AES-GCM-256 (Galois/Counter Mode algorithms) can be fully handled inside SecureXL/Accelerated Path starting in R80.30.  SHA-384 is still not implemented in SecureXL as of R80.30, so VPN traffic utilizing SHA-384 still cannot be accelerated by SecureXL.

Thank you Timothy Hall‌, very interesting. I will review that chapter of your book.

THX for this info.

Regards

Heiko

I also think that's a better way than disabling SecureXL completely.

I'd rather use:

sim vpn off

Regards

Heiko

nice nice nice

I ran the commands and got the following output:

So, how do you activate AES-NI if it is not turned on? I see the mention of enabling in the BIOS, but is that the case on a 15400 appliance? I haven't found any support posts or instructions in the admin guides on how to activate AES-NI.

Updates: 

AES-NI may not show up as being enabled starting in R80.40 even though it is enabled and the firewall is actively utilizing it, see sk170779: AES-NI commands no longer work in R80.40

VPN traffic utilizing SHA-384 can now be handled by SecureXL and will not always be forced F2F starting in R80.30 Jumbo HFA Take 221+, R80.40 Jumbo HFA 87+, and R81.  sk168336: VPN traffic (after encryption) is not visible via tcpdump and does not arrive at the remot...

Interesting thread. When running R80.40+ with AES-NI supported I normally push for:

Phase 1:

IKEv2
AES-256-CBC
SHA-256
DH-Group 19

Phase 2:

AES-256-GCM
NULL
PFS Group 19


This seems to provide the best combination of secure encryption and good acceleration. There are always issues when going with AES-256-GCM when you are dealing with third parties. A lot of third parties like Microsoft Azure, Palo Alto etc. Allows you to utilise GCM for both Phase-1 and Phase-2. But the RFC for Suite-B which is the one Check Point follows utilises AES-256-CBC + SHA-256 for phase 1 when utilising AES-256-GCM for phase 2. This becomes messy when third parties start utilising GCM for both phase 1 and phase 2. Doesn't seem to be any way to manually override this on Check Point, there exists no option to enforce the use of GCM for phase 1 regardless of selecting Suite-B or doing the settings manually.


Where things become messy is when you add Gaia Embedded / SMB into the mix. There is a lack of information on what Gaia Embedded supports in terms of hardware-accelerated encryption algorithms. The end-of-sales, but not yet end-of-support 700 and 1400 series is still running R77.20.XX so I wouldn't expect them to really support much at all? Considering how this thread shows how you should be running R80.20+ in order for SecureXL to become handy.

For the new 1500, 1600 and 1800 series there isn't much information to be found either. According to the R81.10.00 release notes it mentions:

Supported Hardware Acceleration

Hardware acceleration only supports:

AES-128, AES-256, DES, and 3DES encryption methods
MD5 and SHA1 integrity check types

Does this mean that even the latest SMB appliances running the latest R81.10.00 software are incapable of hardware-accelerated AES-256-CBC and SHA-256? Let alone any AES-GCM at all? This seems rough considering most people would recommend companies to at least opt for SHA-256 as the bare minimum in 2022. Do to the weak CPU in these SMB appliances throughput seems to get really slow once you step outside of accelerated traffic making it best practice to not opt for anything beyond AES-256-CBC + SHA-1?

None of the AES-NI commands works on SMB so there is no way to verify anything regarding AES-NI on these. They don't seem to run an X86-based CPU, to begin with, and when it comes to MIPS or ARM it all depended on the SoC whether it has added AES-NI instruction sets or not. This makes it really hard to wrap one's head around whether it supports AES-NI and if doesn't, what encryption algorithms do is supported to be offloaded to hardware and not.


The same goes for questions such as will VTI affect acceleration on SMB? On regular Gaia, VTI would affect SecureXL when running anything prior to R80.20. But with the rewritten SecureXL engine that came with R80.20, we are now able to fully utilise VTI without any downsides to performance. How does this affect Gaia Embedded / SMB? Feels like guesswork at this point, but I have just concluded based on logic that 700 and 1400 series won't support the use of VTI without issues with SecureXL as it's still on R77.20 code. While 1500, 1600 and 1800 might support it as it's based on R80.20 code?