
Technical Notes

Reflection Security Proxy Server Performance Factors
Technical Note 1557
Last Reviewed 30-May-2008
Applies To
Reflection for the Web 2008 (All Editions except Standard)
Reflection for the Web version 8.0 through 9.6
Reflection Administrator 2008
Reflection Administrator
Summary

This technical note describes hardware, software, and environment factors that affect the performance of the Reflection for the Web security proxy server.

Recommendations Overview

For 2000 concurrent and active connections, the following specifications are recommended.

Speed of Processors: 2.13 GHz or faster
Number of Processors (or Cores): 2 or more
Amount of RAM: 4 GB or more
Private Virtual Memory Per Process: Default (2 GB)
JVM Thread Stack Size: Default
JVM Heap Size: 512 MB

Performance factors are described in the following sections, in relative order of importance:

Processor Speed

Processor speed is an important factor that affects security proxy server performance. As a general rule, a faster processor will perform operations more quickly. The two most processor-intensive operations that the security proxy server performs are establishing new connections and encrypting and decrypting data. On a dedicated Reflection security proxy server, a 2 GHz dual core processor is adequate for 2000 concurrent and active connections, and a 400 MHz Pentium processor should be adequate for 500 connections. However, in heavier use, or on a server that performs several other functions, processor speed should be kept commensurate with server workload.

Number of Processors (or Cores)

The proxy server is a thread-intensive application. Each connection to the Proxy spawns two threads. Therefore, a system with more processors (or cores) will perform better than a similar system with fewer processors. Generally speaking, one should favor more processors (or cores) over processor speed.

System RAM Available

Each connection requires memory, so more connections can be made with more memory. More RAM installed on the machine means less paging to disk and better overall performance. A minimum of four gigabytes (4 GB) of RAM is recommended in order to maintain 2000 concurrent and active connections.

Java Runtime Environment

The Java Runtime Environment (JRE) on the server can be a significant factor in performance; generally the newer the JRE, the better the performance. More current versions of the JRE include improvements such as better memory handling, HotSpot technology, improved speed, and the ability to support an increased number of sessions. Several companies provide JREs, including Sun, IBM, and Oracle. Performance varies from one product to another.

For Reflection for the Web 2008 Security Proxy Server, use Java 1.5 or higher; for earlier versions, using Java 1.4 or higher is recommended.

If the Proxy Server automated installer is used, the Sun JRE version is installed as follows:

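Proxy Server Version 10.0 (Reflection for the Web 2008): Sun JRE Version 1.6
Proxy Server Version 9.0: Sun JRE Version 1.6
Proxy Server Version 8.0: Sun JRE Version 1.5
Proxy Server Version 7.0: Sun JRE Version 1.4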

The JVM minimum (256 MB) and maximum (512 MB) heap size options are included by default. These settings are adequate to maintain 2000 concurrent and active connections, as long as the above system requirements are met.

Note: On Microsoft Windows, to maximize the number of connections, start the proxy server using the batch file <installation directory>\bin\SecurityProxy.bat. Starting the proxy server from the installed Start menu shortcut or as the Windows Service limits the number of potential concurrent connections to approximately 650-700. (The installed Start menu shortcut command limits the maximum Java heap size to 64 MB, and the installed Windows Service sets a non-default Java thread stack size of 1024 KB.)

Number of Concurrent Connections

It has been demonstrated through considerable stress testing that the Proxy Server can maintain 2000 concurrent and active connections with heavy payloads, as long as the above system requirements are met. Note: The number of permitted concurrent sessions is governed by your Reflection product licensing.

Server Dedication

A dedicated proxy server will perform better than a server that performs multiple functions. For example, if the server acts as a web server, a mail server, or as a host, in addition to acting as a proxy server, performance for all concurrent functions will be affected.

Cipher Suites and Key Lengths

The Reflection for the Web Security Proxy Server uses two distinct cipher algorithms to establish and secure an SSL/TLS connection. A public key algorithm (DSA or RSA) is used during the connection process to authenticate the server and exchange shared-secret (symmetric) keys for the secure connection. The Data Encryption Standard (DES) key is used in data encryption and decryption. Consider both when examining Reflection Security Proxy Server performance.

Key Lengths Used for Authentication

A longer DSA or RSA public key will slow the initial connection speed but may be suitable when security is a primary concern. RSA or DSA keys can be configured with a length of 512, 768, 1024, or 2048 bits. Beginning in Reflection for the Web version 7.0, a 2048-bit DSA key is no longer supported.

Cipher Suites Used for Data Encryption/Decryption

The cipher suites used in session data encryption/decryption can dramatically affect the connection speed once the connection is established. DES 56-bit encryption has been shown to be approximately three times faster than triple DES (168-bit encryption), but is also significantly less secure. AES (Advanced Encryption Standard) may increase performance significantly over 3DES, and is also considered more secure. Reflection for the Web supports AES 256-bit (RSA or DSA) and AES 128-bit (RSA or DSA).
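
The relative costs described in the two subsections above can be measured on the proxy host's own JRE. The following Java program is an added example, not Attachmate code: the class name ProxyCryptoCost, the buffer size and round counts, and the use of a SHA256withRSA signature as a stand-in for the server's per-connection private-key work are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;

// Added example (not vendor code): times bulk encryption and RSA private-key work on the local JRE.
public class ProxyCryptoCost {
    // Bulk encryption throughput in MB/s for one symmetric algorithm and key size.
    static double bulkMBps(String alg, int keyBits, int rounds) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(alg);
        kg.init(keyBits);
        Cipher c = Cipher.getInstance(alg + "/CBC/NoPadding");
        // All-zero IV: acceptable only because this is a timing test on dummy data.
        c.init(Cipher.ENCRYPT_MODE, kg.generateKey(), new IvParameterSpec(new byte[c.getBlockSize()]));
        byte[] in = new byte[64 * 1024], out = new byte[in.length];
        long t0 = System.nanoTime();
        for (int i = 0; i < rounds; i++) c.update(in, 0, in.length, out, 0);
        return (in.length / 1048576.0) * rounds / ((System.nanoTime() - t0) / 1e9);
    }

    // Average milliseconds per RSA signature (assumed proxy for per-handshake public-key cost).
    static double rsaSignMillis(int keyBits, int rounds) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(keyBits);
        KeyPair kp = kpg.generateKeyPair();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        byte[] msg = new byte[64];
        long t0 = System.nanoTime();
        for (int i = 0; i < rounds; i++) { s.update(msg); s.sign(); }
        return (System.nanoTime() - t0) / 1e6 / rounds;
    }

    public static void main(String[] args) throws Exception {
        String[] algs = {"DES", "DESede", "AES", "AES"};   // DESede is the JCE name for triple DES
        int[] bits = {56, 168, 128, 256};
        for (int i = 0; i < algs.length; i++) {
            bulkMBps(algs[i], bits[i], 50);                // warm-up so the JIT compiles the cipher loop
            System.out.printf("%-6s %3d-bit  %8.1f MB/s%n", algs[i], bits[i], bulkMBps(algs[i], bits[i], 500));
        }
        for (int b : new int[] {512, 768, 1024, 2048}) {   // key lengths listed in this note
            rsaSignMillis(b, 20);                          // warm-up
            System.out.printf("RSA %4d-bit  %8.3f ms per signature%n", b, rsaSignMillis(b, 200));
        }
    }
}
```

Results depend on the JRE and processor, so compare the ratios between rows rather than the absolute figures.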

Related Technical Notes
1610 Reflection for the Web Usage Metering Performance Factors
9988 Reflection for the Web Technical Notes
