Scenario - Low throughput due to IPS
03/26/2020
This is one of a series of scenario-based articles describing a real case and its eventual resolution. In this scenario the customer has a proprietary backup system in which hosts on the WAN perform regular backups to a server behind the SonicWall. The customer has a 1 Gbps link to the server. The maximum achievable throughput to the server is 850-950 Mbps, but it was being drastically reduced to 450 Mbps.
The following information was gathered during troubleshooting:
- The back-up traffic was HTTPS.
- Several different file types were tried (ISO, video, music, etc.) from the backup target to the data centre, without any change in throughput.
- Further troubleshooting revealed that the cause of the low throughput was IPS. This was determined using SonicWall's Realtime Monitor and the traffic statistics built into the HDS system. It was conjectured that the Deep Packet Inspection (DPI) performed by IPS was the root cause of the reduced throughput.
It was not possible to inspect the HTTPS traffic because the customer did not have a DPI-SSL license. Therefore it was necessary to exclude HTTPS traffic to the server from DPI. However, the purpose of DPI by IPS on HTTPS traffic was to protect against SSL protocol-based vulnerabilities, so excluding all HTTPS traffic from DPI was not an acceptable solution: doing so would expose the server to SSL vulnerabilities and exploits.
Since such exploits and vulnerabilities occur during SSL negotiation, it was decided to exclude from IPS DPI only the part of the SSL negotiation that had the least possibility of containing an exploit or vulnerability. The solution was to use the SonicWall Application Firewall Bypass DPI feature to exclude the Change Cipher Spec message of the SSL handshake from DPI. Below is the Change Cipher Spec message from a server:
To this end, the following Match Object and App Rule policy were created:
The hexadecimal value 140301000101 is the Change Cipher Spec message for TLSv1.0. The values for the other versions are:
- SSLv3 = 140300000101
- TLSv1.1 = 140302000101
- TLSv1.2 = 140303000101
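The six bytes the Match Object looks for are one complete TLS record: content type 0x14 (Change Cipher Spec), the two record-layer version bytes, a length of 0x0001 and the single payload byte 0x01. As an added example that is not from the article or from SonicWall, the following Python regenerates the per-version values above and walks a constructed server record stream to show that only the well-formed Change Cipher Spec record would be bypassed, while the adjacent handshake and encrypted Finished records still go to DPI.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC = 0x14
HANDSHAKE = 0x16

# Record-layer version bytes for the protocol names used in the article
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def ccs_pattern(version_name):
    """Hex string of the complete 6-byte Change Cipher Spec record for a version name."""
    major, minor = next(k for k, v in VERSIONS.items() if v == version_name)
    # content type | version (2 bytes) | length = 1 | payload 0x01
    return struct.pack("!BBBHB", CHANGE_CIPHER_SPEC, major, minor, 1, 1).hex()


def split_records(stream):
    """Yield (content_type, version_name, body) for each TLS record in a byte stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("record body shorter than declared length")
        yield ctype, VERSIONS.get((major, minor), "unknown"), body
        offset += 5 + length


def is_change_cipher_spec(ctype, body):
    """True only for a well-formed CCS record: type 0x14 carrying the single byte 0x01."""
    return ctype == CHANGE_CIPHER_SPEC and body == b"\x01"


def bypass_decisions(stream):
    """Return (version, content_type, 'bypass DPI' | 'inspect') for each record in the stream."""
    return [
        (version, ctype, "bypass DPI" if is_change_cipher_spec(ctype, body) else "inspect")
        for ctype, version, body in split_records(stream)
    ]


# Constructed sample (not a real capture): a TLSv1.2 server flight of three records,
# a ServerHelloDone handshake record, the Change Cipher Spec, then an encrypted Finished.
SAMPLE_STREAM = (
    bytes.fromhex("160303" + "0004" + "0e000000")            # handshake: ServerHelloDone
    + bytes.fromhex("140303000101")                           # Change Cipher Spec (article's TLSv1.2 value)
    + bytes.fromhex("160303" + "0008" + "00112233aabbccdd")   # encrypted Finished (made-up bytes)
)

if __name__ == "__main__":
    for decision in bypass_decisions(SAMPLE_STREAM):
        print(decision)
```

A type-0x14 record whose body is anything other than a single 0x01 byte is malformed and is deliberately left on the inspect path.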
On deploying this solution the customer saw an immediate result: throughput increased to the expected average of 944 Mbps.