WatchGuard has launched a quartet of new security appliances in its Firebox line. The appliances, which target sites from 100 to 850 users, include the ability to decrypt and inspect encrypted Web traffic.
The new appliances are built on Intel chipsets that support AES-NI, an Intel instruction set that moves some cryptographic functions into hardware to accelerate encryption and decryption. The Fireboxes act as a man in the middle to intercept and decrypt HTTPS traffic. The traffic can then be run through inspection engines and re-encrypted for final delivery.
Some operational effort is required to enable the Fireboxes to decrypt/re-encrypt traffic. To decrypt/re-encrypt outbound traffic, you’ll have to export a Firebox certificate from the appliance to your users’ browsers. To decrypt inbound traffic, you’ll have to import your domain certificate onto the Firebox.
For more details from WatchGuard on how this is done, see the links in the comments section below.
Functions And Performance
Like other Firebox models, the new appliances bundle together a variety of security services, including firewalling, intrusion prevention, AV, and other capabilities.
As with any multi-function security appliance, performance and throughput on the Fireboxes are affected by the number and type of security functions that are activated.
That’s particularly the case with the HTTPS decrypt/re-encrypt capability. According to a WatchGuard data sheet, throughput on the M670 Firebox drops from 34Gbps in firewall-only mode to 4Gbps in HTTPS intercept mode.
That’s a precipitous drop, but I appreciate that WatchGuard is up front about the performance differences; it’s very helpful to customers and potential customers when such information is clearly listed in product materials such as data sheets.
The new appliances ship with eight 1Gbps ports as the standard configuration. Three of the models also include a slot for expansion modules, including 8 x 1Gb fiber, 8 x 1Gb copper, and 4 x 10Gb fiber.