VPN Performance Question

We are working on a new firewall concept for our company. Now the question has arisen: which encryption is the most effective and at the same time offers a high level of protection?

Are there any experiences or recommendations here?

Accepted Solution

Re: VPN Performance Question

Hi @tniop_kcehc
(nice community name:-)

Tip!
I'd turn on AES-NI in the BIOS on Open Servers. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of encrypt/decrypt operations and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, but only when running Gaia OS with a 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.

In particular, it increases AES throughput for:

• Site-to-Site VPN
• Remote Access VPN
• Mobile Access
• HTTPS Interception

With the following command you can test and compare all encryption methods. Based on these results I would always recommend activating AES-NI, and AES is preferable to 3DES because it offers many performance advantages through hardware acceleration.

Warning: if you execute this command you will have 100% CPU usage for a long time!

# cpopenssl speed


This makes it possible to compare encryption algorithms. It shows that, e.g., AES-256 is more performant than DES. Therefore AES-256 should be used for VPN connections rather than DES or 3DES. This is also well described in the following SK: Relative speeds of algorithms for IPsec and SSL.

I published an article about this that might help you:

R80.x - Performance Tuning Tip - AES-NI

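As an added example (not from the thread or from Check Point), the following parses the summary table that cpopenssl speed prints, ranks each cipher against 3DES, and can run a shorter per-cipher benchmark with AES-NI on and off via OPENSSL_ia32cap instead of the full suite. The sample table is constructed, and the binary name cpopenssl plus support for the -seconds flag are assumptions about the local OpenSSL build.

```python
"""Compare cipher throughput from `openssl speed` output. Added example, not
from the thread; `cpopenssl` is Check Point's bundled OpenSSL and prints the
standard `openssl speed` summary table parsed here."""
import os
import re
import subprocess
# Constructed sample in the summary format; figures are illustrative only.
SAMPLE_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
des ede3          28000.00k    29000.00k    29500.00k    29700.00k    29800.00k    29800.00k
aes-128 cbc      160000.00k   170000.00k   175000.00k   176000.00k   177000.00k   177000.00k
aes-256 cbc      120000.00k   128000.00k   130000.00k   131000.00k   132000.00k   132000.00k
"""
# A result row: cipher name, then one "<number>k" column per block size.
ROW_RE = re.compile(r"^(?P<name>[a-z0-9\- ]+?)\s+(?P<cols>(?:\d+\.\d+k\s*)+)$")

def parse_speed(output):
    """Return {cipher: kB/s at the largest block size}, the column closest to bulk VPN traffic."""
    results = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cols = [float(c.rstrip("k")) for c in m.group("cols").split()]
            results[m.group("name").strip()] = cols[-1]
    return results

def relative_speed(results, baseline="des ede3"):
    """Express each cipher's throughput as a multiple of the baseline (3DES by default)."""
    base = results[baseline]
    return {name: round(kbps / base, 2) for name, kbps in results.items()}

def run_speed(ciphers=("des-ede3", "aes-128-cbc", "aes-256-cbc", "aes-128-gcm"),
              seconds=1, disable_aesni=False, binary="cpopenssl"):
    """Short per-cipher run instead of the full suite; each cipher pins one core for
    `seconds` (needs OpenSSL 1.1.0+ for -seconds). disable_aesni masks the AES-NI and
    PCLMULQDQ CPUID bits via OPENSSL_ia32cap so the software path can be measured."""
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = "~0x200000200000000"
    merged = {}
    for cipher in ciphers:
        cmd = [binary, "speed", "-seconds", str(seconds), "-evp", cipher]
        out = subprocess.run(cmd, capture_output=True, text=True, env=env, check=True).stdout
        merged.update(parse_speed(out))
    return merged

if __name__ == "__main__":
    on, off = run_speed(), run_speed(disable_aesni=True)
    for name in on:
        print(f"{name:14s} AES-NI on {on[name]:>10.0f} kB/s   off {off.get(name, 0):>10.0f} kB/s")
```

The on/off comparison quantifies what the hardware path buys on the box in front of you, which is the number that decides whether AES-GCM or plain AES is the better Phase 2 choice.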
7 Replies
Re: VPN Performance Question

Hi @HeikoAnkenbrand 

I'm going to test this command "cpopenssl speed" in a maintenance window on our current firewall.

Thank you.

Re: VPN Performance Question

Hi @tniop_kcehc,

I like to use the following for phase 1 and phase 2:
AES256
SHA256

This is a middle way between performance and security.

Regards

Heiko

Re: VPN Performance Question

THX👍

Re: VPN Performance Question

Isn't it better to use a higher encryption standard?


Re: VPN Performance Question

I think higher encryption is better.

Re: VPN Performance Question

I get this question a lot, so I decided to include my opinion on it in the third edition of my book. My recommended settings from the book are below and are primarily geared to improve performance with a reasonable level of security for most organizations. This is most certainly a matter of opinion and I would be surprised if the following does not generate any debate:

Recommended IPSec VPN Settings

The following sections detail which VPN algorithm settings should be used to provide a reasonable level of IPSec VPN performance without sacrificing security. Please note that these recommendations are made primarily to improve performance, and also provide what I feel is a reasonable level of VPN security for most organizations.

Do not just blindly follow these recommendations; please perform a thorough risk analysis that includes any regulatory, legal, life safety, and privacy considerations that are relevant to your organization’s mission, and adjust these recommendations as needed for your specific situation.

• IKE Protocol: V2 (Check Point Firewalls), IKE Protocol V1 for third-party VPNs
• IKE Phase 1 Encryption: AES-256
• IKE Phase 1 Data Integrity: SHA-256
• IKE Phase 1 DH Group: 20 (384-bit ECP)
• IKE Phase 1 SA Lifetime (minutes): 720
• IKE Phase 2 Encryption: AES-GCM-128 (AES-NI present, otherwise AES-128)
• IKE Phase 2 Data Integrity: SHA-256
• IKE Phase 2 SA Lifetime (seconds): 3600
• PFS: Disabled (Use DH Group 19 if PFS is required)
• Use Aggressive Mode: Disabled
• Support IP Compression: Disabled
• VPN Tunnel Sharing (Domain-based VPN): “One VPN tunnel per subnet pair”
• VPN Tunnel Sharing (Route-based VPN): “One VPN tunnel per Gateway pair”
• Permanent Tunnels: (Check Point Firewalls Only) “On all tunnels in the community”
• Permanent Tunnels in DPD Mode: Enabled for third-party peers, see sk108600: VPN Site-to-Site with 3rd party
Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
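One way to check an existing community against the settings listed in this post, as an added example that is not from the thread or from Check Point: the settings dict is a constructed, hypothetical representation of the fields named above (a gateway does not export them in this shape), and the aes_ni and checkpoint_peer flags are inputs the operator supplies.

```python
"""Audit an IPsec community's IKE settings against the baseline posted above.
Added example, not from the thread or from Check Point: the settings dict is a
constructed, hypothetical representation of the fields named in the post."""

# Baseline values taken from the post; Phase 2 encryption depends on AES-NI.
BASELINE = {
    "ike_version": 2, "p1_encryption": "AES-256", "p1_integrity": "SHA-256",
    "p1_dh_group": 20, "p1_lifetime_min": 720, "p2_encryption": "AES-GCM-128",
    "p2_integrity": "SHA-256", "p2_lifetime_sec": 3600,
    "pfs": False, "aggressive_mode": False, "ip_compression": False,
}
WEAK_ENCRYPTION = {"DES", "3DES"}      # the thread's own "rather AES than DES/3DES"
WEAK_INTEGRITY = {"MD5", "SHA1"}
SMALL_MODP_GROUPS = {1, 2, 5}          # 768/1024/1536-bit MODP, below a 2048-bit floor

def audit(settings, aes_ni, checkpoint_peer):
    """Return (category, message) findings; category is 'security' or 'performance'.
    Fields missing from `settings` are assumed to be at the baseline value."""
    s = {**BASELINE, **settings}
    f = []
    if s["aggressive_mode"]:
        f.append(("security", "aggressive mode enabled; the baseline disables it"))
    for p in ("p1", "p2"):
        if s[f"{p}_encryption"].upper() in WEAK_ENCRYPTION:
            f.append(("security", f"{p}: {s[p + '_encryption']} is slow and deprecated; use AES"))
        if s[f"{p}_integrity"].upper().replace("-", "") in WEAK_INTEGRITY:
            f.append(("security", f"{p}: {s[p + '_integrity']} integrity is deprecated; use SHA-256"))
    if s["p1_dh_group"] in SMALL_MODP_GROUPS:
        f.append(("security", f"p1: DH group {s['p1_dh_group']} is weak; use group 20 (or 19)"))
    if s["p2_encryption"].upper().startswith("AES-GCM") and not aes_ni:
        f.append(("performance", "AES-GCM without AES-NI; the post suggests AES-128 on such hardware"))
    if s["pfs"]:
        f.append(("performance", "PFS adds a DH exchange per Phase 2 rekey; group 19 if it is required"))
    if s["ip_compression"]:
        f.append(("performance", "IP compression spends CPU on every packet; the baseline disables it"))
    if checkpoint_peer and s["ike_version"] != 2:
        f.append(("performance", "Check Point peer on IKEv1; the baseline uses IKEv2 between Check Point gateways"))
    if s["p2_lifetime_sec"] < BASELINE["p2_lifetime_sec"]:
        f.append(("performance", f"p2 lifetime {s['p2_lifetime_sec']}s rekeys more often than the 3600s baseline"))
    return f

# Constructed legacy community: IKEv1, 3DES/SHA1, DH group 2, PFS and aggressive mode on.
LEGACY = {"ike_version": 1, "p1_encryption": "3DES", "p1_integrity": "SHA1", "p1_dh_group": 2,
          "p2_encryption": "3DES", "p2_integrity": "MD5", "p2_lifetime_sec": 1800,
          "pfs": True, "aggressive_mode": True}

if __name__ == "__main__":
    for category, message in audit(LEGACY, aes_ni=True, checkpoint_peer=True):
        print(f"[{category:11s}] {message}")
```

Run against the constructed legacy community this reports six security and three performance findings; against the baseline itself it reports nothing unless AES-NI is absent, in which case only the AES-GCM choice is flagged.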