Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
tniop_kcehc
Participant
Jump to solution

VPN Performance Question

We are working on a new firewall concept for our company. Now the question has arisen, which encryption is the most effective and at the same time offers a high level of protection? 

Are there any experiences or recommendations here?

 

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

Hi @tniop_kcehc
(nice community name:-)

Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.

AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:

  •       Site-to-Site VPN
  •       Remote Access VPN
  •       Mobile Access
  •       HTTPS Interception

With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration. 

Warning notice: If you execute this command you have 100% CPU usage for a long time!

# cpopenssl speed

a111.png

This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.

I had published an article about this that might help you:

R80.x - Performance Tuning Tip - AES-NI

 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

8 Replies
HeikoAnkenbrand
Champion Champion
Champion

Hi @tniop_kcehc
(nice community name:-)

Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.

AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:

  •       Site-to-Site VPN
  •       Remote Access VPN
  •       Mobile Access
  •       HTTPS Interception

With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration. 

Warning notice: If you execute this command you have 100% CPU usage for a long time!

# cpopenssl speed

a111.png

This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.

I had published an article about this that might help you:

R80.x - Performance Tuning Tip - AES-NI

 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
tniop_kcehc
Participant

Hi @HeikoAnkenbrand 

I'm going to test this command "cpopenssl speed"  in a maintenance window on our current firewall.

Thank you.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @tniop_kcehc,

I like to use the following for phase 1 and phase 2:
AES256
SHA256

This is a middle way between performance and security.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
tniop_kcehc
Participant

THX👍

0 Kudos
Jan_Elbers
Participant

Isn't it better to use a higher encryption standard.

 

test.JPG

0 Kudos
KelvinB
Explorer

I think higher encryption is better.

0 Kudos
Timothy_Hall
Legend Legend
Legend

I get this question a lot, so I decided to include my opinion on it in the third edition of my book.  My recommended settings from the book are below and are primarily geared to improve performance with a reasonable level of security for most organizations.  This is most certainly a matter of opinion and I would be surprised if the following does not generate any debate:

 

Click to Expand

 

Recommended IPSec VPN Settings

The following sections detail which VPN algorithm settings should be used to provide a reasonable level of IPSec VPN performance without sacrificing security. Please note that these recommendations are made primarily to improve performance, and also provide what I feel is a reasonable level of VPN security for most organizations.

 

 bang.jpgDo not just blindly follow these recommendations; please perform a thorough risk analysis that includes any regulatory, legal, life safety, and privacy considerations that are relevant to your organization’s mission, and adjust these recommendations as needed for your specific situation.

 

  • IKE Protocol: V2 (Check Point Firewalls), IKE Protocol V1 for third-party VPNs

  • IKE Phase 1 Encryption: AES-256

  • IKE Phase 1 Data Integrity: SHA-256

  • IKE Phase 1 DH Group: 20 (384-bit ECP)

  • IKE Phase 1 SA Lifetime (minutes): 720

  • IKE Phase 2 Encryption: AES-GCM-128 (AES-NI present, otherwise AES-128)

  • IKE Phase 2 Data Integrity: SHA-256

  • IKE Phase 2 SA Lifetime (seconds): 3600

  • PFS: Disabled (Use DH Group 19 if PFS is required)

  • Use Aggressive Mode: Disabled

  • Support IP Compression: Disabled

  • VPN Tunnel Sharing (Domain-based VPN): “One VPN tunnel per subnet pair”

  • VPN Tunnel Sharing (Route-based VPN): “One VPN tunnel per Gateway pair”

  • Permanent Tunnels: (Check Point Firewalls Only) “On all tunnels in the community”

  • Permanent Tunnels in DPD Mode: Enabled for third-party peers, see sk108600: VPN Site-to-Site with 3rd party

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Marcus_Smith
Participant

Hi Tim/Heiko,

Thanks for sharing this information.  Very useful.  

I have a couple of questions that I hope you can help with.

My community is the default one called "Remote Access".  This type of community provides no option to configure Encryption settings.  The Encryption options for this community have to be set under Global Properties, Remote Access, VPN - Authentication and the available settings in this area appear to be limited (I only see limited Diffie-Hellman groups).

If I do start to create a new mesh community I notice many more Encryption options available within the community settings for example Group 19 and 20. 

If I want my VPN community to use these more secure methods do I need to migrate to a new commnutiy or am I missing something?

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events