ExtraHop Addresses 2,048-bit SSL Decryption Performance Penalty

It's still early days for 2,048-bit SSL (Secure Sockets Layer) encryption/decryption, but privately held ExtraHop Networks, a specialist in network-based application performance management (APM) solutions, is betting it won't take long for the significantly more secure standard to be adopted, with major implications for application monitoring. The next step up from 1,024-bit encryption is approximately 4.3 billion times more secure, requiring 4 to 8 times more computation for each decryption. According to Jesse Rothstein, ExtraHop CEO and co-founder, that can result in a 20% to 50% drop in performance without hardware offloading. However, the new capability eliminates a growing blind spot in security and application monitoring capabilities caused by the increased use of SSL encryption.

Organizations can't monitor the health of their applications if they can't see their network traffic, he says, and the increased use of SSL encryption makes monitoring that much harder. Formerly a lead architect at F5, Rothstein says just about anybody doing a significant amount of SSL is either in the middle of transition or planning to move to 2,048-bit SSL encryption.

With the new update, ExtraHop Application Delivery Assurance's hardware-driven 10-Gbps analysis capabilities support real-time decryption and analysis of SSL traffic, including SSLv3, TLSI 1.0, SSLv2 handshakes, RSA key exchanges, and RC4, AES and 3DES symmetric ciphers. The real-time, passive network appliance monitors and analyzes every business-critical transaction from L2 to L7 across network, Web, database and storage tiers, spanning physical and virtual environments. It also supports SSL envelope analysis to determine which SSL certificates are being used and are up to date according to the latest National Institute of Standards and Technology recommendations.

This is a pretty significant announcement, says Jim Frey, senior analyst, Enterprise Management Associates (EMA). “More and more traffic is being encrypted ... [and] moving to 2,048 is a big step up in terms of processing.” He calls it a necessary step but one that will be challenging for some of the tools to accommodate.

ExtraHop is taking a highly optimized and hardware-based approach in dealing with moving to 2,048 bit. “Nobody else is doing this kind of solution,” says Frey.

Earlier this year ExtraHop partnered with Keynote Systems to offer a more complete view of how an application is performing as it traverses from the Web front end to the back end. And a month ago, the company secured $14 million in financing to help fund its growth, says Rothstein.

See more on this topic by subscribing to Network Computing Pro Reports Research: 2011 Strategic Security Survey (subscription required).