Security Performance

Overview

This section provides detailed performance characteristics for Aviatrix security features, including firewall throughput, VPN performance, encryption overhead, and inspection service capacity across different deployment configurations.

Firewall Performance

Distributed Firewall Throughput

Stateful Inspection
Rule Processing
Performance by Traffic Type

Gateway Size	Rules Capacity	Throughput (Clear)	Throughput (Encrypted)	Connections/sec	Concurrent Sessions
Small	1,000	1.5 Gbps	1.2 Gbps	5,000	50,000
Medium	2,500	3.5 Gbps	2.8 Gbps	12,500	125,000
Large	5,000	7 Gbps	5.6 Gbps	25,000	250,000
XLarge	10,000	14 Gbps	11.2 Gbps	50,000	500,000
XXLarge	20,000	28 Gbps	22.4 Gbps	100,000	1,000,000

Performance Notes:

Throughput measured with 1518-byte packets
Encrypted performance assumes AES-256 encryption
Connection rates sustained for 60+ seconds
Session limits based on available memory

Rule Complexity	Processing Time	Throughput Impact	Memory Usage	Optimization
Simple (IP/Port)	< 0.1 ms	< 5%	1 KB/rule	Hardware assist
Complex (Regex)	0.5-2.0 ms	10-25%	5-20 KB/rule	Software processing
GeoIP Rules	0.2-0.5 ms	5-15%	2-10 KB/rule	Database lookup
Application ID	1.0-5.0 ms	15-40%	10-50 KB/rule	Deep inspection
User-based	0.3-1.0 ms	8-20%	3-15 KB/rule	Identity lookup

Rule Optimization Guidelines:

Place most frequently matched rules first
Use simple criteria when possible
Implement rule consolidation for similar policies
Regular rule cleanup and optimization

Traffic Type	Inspection Overhead	Logging Overhead	Total Impact	Recommended Config
Web (HTTP/S)	5-15%	2-5%	7-20%	Standard inspection
Email (SMTP)	10-25%	3-8%	13-33%	Content scanning
Database	2-8%	1-3%	3-11%	Connection monitoring
File Transfer	3-12%	2-6%	5-18%	Bandwidth limiting
Real-time	1-5%	1-2%	2-7%	Low-latency mode
P2P Traffic	15-35%	5-15%	20-50%	Deep inspection

Traffic-Specific Optimizations:

Enable application-specific processing modes
Configure appropriate inspection depths
Implement intelligent bypass for trusted traffic
Use quality of service for critical applications

VPN Performance

IPSec VPN Throughput

Site-to-Site VPN Performance

Encryption Algorithm	Key Size	Small Gateway	Medium Gateway	Large Gateway	XLarge Gateway
AES-128-CBC	128-bit	800 Mbps	1.8 Gbps	3.6 Gbps	7.2 Gbps
AES-256-CBC	256-bit	600 Mbps	1.4 Gbps	2.8 Gbps	5.6 Gbps
AES-128-GCM	128-bit	1.0 Gbps	2.2 Gbps	4.4 Gbps	8.8 Gbps
AES-256-GCM	256-bit	750 Mbps	1.6 Gbps	3.2 Gbps	6.4 Gbps
ChaCha20-Poly1305	256-bit	900 Mbps	2.0 Gbps	4.0 Gbps	8.0 Gbps

Encryption Performance Notes:

GCM modes provide better performance due to hardware acceleration
Performance measured with 1500-byte packets
Includes authentication and integrity checking overhead
Hardware AES-NI acceleration enabled where available

SSL/TLS VPN Performance

VPN Protocol	Encryption	Authentication	Throughput per User	Max Concurrent Users	CPU Overhead
OpenVPN	AES-256	RSA-2048	50 Mbps	100-2,000	High
IKEv2	AES-256	RSA-2048	80 Mbps	100-2,000	Medium
SSL VPN	AES-256	Certificate	60 Mbps	100-2,000	Medium-High
WireGuard	ChaCha20	Curve25519	100 Mbps	100-2,000	Low

User VPN Characteristics:

Per-user bandwidth varies based on gateway size and total users
CPU overhead scales with number of concurrent users
Memory usage approximately 1-5 MB per active user session
Modern protocols like WireGuard offer better performance

VPN Optimization Techniques

Optimization Method	Performance Gain	Implementation	Trade-offs
Hardware Acceleration	20-50%	AES-NI, cryptographic engines	Platform dependent
Compression	10-30%	LZ4, LZO algorithms	CPU overhead
Packet Batching	5-15%	Driver optimizations	Slight latency increase
MSS Clamping	10-25%	MTU optimization	Protocol specific
Connection Pooling	15-30%	Session reuse	Memory overhead

Best Practices:

Enable hardware crypto acceleration when available
Optimize MTU sizes for network conditions
Use modern VPN protocols for better performance
Implement intelligent compression based on content type

Encryption Overhead

Encryption Performance Impact

Algorithm Comparison
Hardware Acceleration
Encryption vs. Compression

Algorithm	Key Size	Throughput	CPU Overhead	Latency Impact	Security Level
AES-128	128-bit	High	Low	< 0.5 ms	High
AES-256	256-bit	High	Medium	< 1.0 ms	Very High
3DES	168-bit	Low	High	2-5 ms	Medium
ChaCha20	256-bit	Very High	Very Low	< 0.3 ms	Very High
Blowfish	448-bit	Medium	Medium	1-2 ms	High

Algorithm Selection Guidelines:

High Performance: ChaCha20 or AES-128 with hardware acceleration
Maximum Security: AES-256 with authenticated encryption
Legacy Support: 3DES for compatibility (not recommended)
Low-Power Devices: ChaCha20 for software-only implementations

Platform	AES-NI Support	Performance Gain	Availability	Notes
AWS	Most instances	300-500%	Widespread	Intel/AMD processors
Azure	Most VMs	300-500%	Widespread	Intel/AMD processors
GCP	Most instances	300-500%	Widespread	Intel/AMD processors
ARM	ARMv8-A	200-400%	Modern ARM	Cryptographic extensions

Hardware Acceleration Benefits:

Dramatically reduced CPU usage for encryption operations
Lower latency for cryptographic operations
Higher throughput with same compute resources
Better performance consistency under load

Implementation Considerations:

Verify hardware support in chosen instance types
Configure software to utilize hardware acceleration
Monitor performance gains after implementation
Plan for fallback to software encryption if needed

Data Type	Compression Ratio	Encryption Overhead	Combined Impact	Recommendation
Text Files	60-80%	5-15%	Net 50-70% gain	Compress first
Images	0-20%	5-15%	Net 5-15% loss	Encrypt only
Video	0-10%	5-15%	Net 5-15% loss	Encrypt only
Database	40-70%	5-15%	Net 30-60% gain	Compress first
Archives	0-10%	5-15%	Net 5-15% loss	Encrypt only

Optimization Strategy:

Apply compression before encryption for compressible data
Skip compression for already compressed data (images, video)
Use streaming compression for real-time applications
Monitor CPU usage to balance compression vs. encryption costs

Deep Packet Inspection (DPI)

Inspection Service Performance

DPI Throughput Characteristics

Inspection Depth	Throughput Impact	CPU Overhead	Memory Usage	Use Cases
Header Only	< 5%	Low	Minimal	Basic filtering
Shallow (L3/L4)	5-15%	Low-Medium	Low	Port-based rules
Application (L7)	15-40%	Medium-High	Medium	App identification
Content Scanning	40-80%	High	High	Malware detection
Full Inspection	60-90%	Very High	Very High	Comprehensive security

Inspection Depth Guidelines:

Use minimum required inspection depth for performance
Implement selective deep inspection for suspicious traffic
Configure bypass rules for trusted applications
Monitor resource usage and adjust policies accordingly

Protocol-Specific Performance

Protocol	Inspection Complexity	Throughput Impact	CPU Usage	Memory per Session
HTTP	Medium	15-25%	Medium	5-15 KB
HTTPS	High (if decrypted)	40-60%	High	20-50 KB
FTP	Medium	10-20%	Low	3-8 KB
SMTP	Medium	20-30%	Medium	10-25 KB
DNS	Low	5-10%	Low	1-3 KB
P2P	Very High	50-80%	Very High	50-200 KB

Protocol Optimization:

Configure protocol-specific inspection policies
Use application signatures for efficient identification
Implement intelligent bypass for encrypted traffic
Optimize rule sets for most common protocols

Threat Detection Performance

Detection Method	Accuracy	Throughput Impact	False Positives	Processing Time
Signature-based	High	20-40%	Low	Low
Behavioral	Medium	40-70%	Medium	Medium
Machine Learning	High	50-80%	Low	High
Sandboxing	Very High	80-95%	Very Low	Very High
Reputation	Medium	10-20%	Medium	Low

Detection Tuning:

Balance detection accuracy with performance requirements
Implement layered detection for comprehensive coverage
Use reputation services for quick threat identification
Configure appropriate action policies for different threat levels

Security Policy Performance

Policy Evaluation Impact

Policy Scale Performance
Rule Complexity Impact
Dynamic Policy Updates

Number of Rules	Lookup Time	Memory Usage	Throughput Impact	Optimization
1-100	< 0.1 ms	< 1 MB	< 5%	Linear search
100-1,000	0.1-0.5 ms	1-10 MB	5-15%	Hash tables
1,000-10,000	0.5-2.0 ms	10-100 MB	15-30%	Tree structures
10,000-100,000	2.0-5.0 ms	100 MB-1 GB	30-50%	Indexed lookup
100,000+	5.0+ ms	1+ GB	50%+	Distributed processing

Scale Optimization Strategies:

Use rule grouping and categorization
Implement policy caching for frequently accessed rules
Optimize rule ordering for most common matches
Consider policy distribution across multiple gateways

Rule Type	Processing Overhead	Memory per Rule	Scalability	Performance Tips
Simple IP/Port	0.01 ms	0.1 KB	Excellent	Use CIDR blocks
Wildcard Match	0.1-1.0 ms	1-5 KB	Good	Minimize wildcards
Regex Pattern	1.0-10 ms	5-50 KB	Limited	Optimize patterns
Time-based	0.1-0.5 ms	1-2 KB	Good	Cache time checks
User/Group	0.5-2.0 ms	2-10 KB	Medium	Cache user data
GeoIP	0.2-1.0 ms	2-5 KB	Good	Local IP databases

Rule Optimization Best Practices:

Start with most specific rules
Use efficient matching algorithms
Implement rule caching where appropriate
Regular policy cleanup and consolidation

Update Method	Update Time	Service Impact	Consistency	Use Cases
Real-time	< 1 second	Minimal	Eventual	Threat feeds
Batch	1-60 seconds	Low	Strong	Policy changes
Scheduled	Minutes	None	Strong	Maintenance

Concepts & Architecture

Guides

Reference

Overview

Firewall Performance

Distributed Firewall Throughput

VPN Performance

IPSec VPN Throughput

Encryption Overhead

Encryption Performance Impact

Deep Packet Inspection (DPI)

Inspection Service Performance

Security Policy Performance

Policy Evaluation Impact

Concepts & Architecture

Guides

Reference

​Overview

​Firewall Performance

​Distributed Firewall Throughput

​VPN Performance

​IPSec VPN Throughput

​Encryption Overhead

​Encryption Performance Impact

​Deep Packet Inspection (DPI)

​Inspection Service Performance

​Security Policy Performance

​Policy Evaluation Impact

Overview

Firewall Performance

Distributed Firewall Throughput

VPN Performance

IPSec VPN Throughput

Encryption Overhead

Encryption Performance Impact

Deep Packet Inspection (DPI)

Inspection Service Performance

Security Policy Performance

Policy Evaluation Impact