Monitoring Splunk

What are the implications and performance impact of enabling FIPS 140-2 in our Splunk deployment?

javiergn
SplunkTrust

Hi all,

Because of regulatory reasons, we might need to use FIPS in our brand new Splunk deployment.
I've been going through the documentation but it's very vague in terms of performance implications and what sort of impact this is going to have overall.

All I could find was:

may potentially make your system slower

Any thoughts/experiences you can share would be much appreciated.

Thanks,
J

0 Karma
1 Solution

jkat54
SplunkTrust

Hi J,

No experience with FIPS but I understand the concept.

It's the same performance degradation you'd expect with any form of SSL. If I used a 16mb certificate for example (2048 bits is "standard" issue these days), then each new SSL connection would require 16mb of bandwidth/download and the system would be extremely slow. The same concept goes for using FIPS versus 1024-bit SSL. FIPS will be larger and thus slower.

The only way to determine the impact of enabling FIPS vs SSL 2048 bits... is to do load testing before and after because many factors are at play here, and there is no "cut & dry" answer. I can't say SSL2048 is 2% slower than FIPS without looking like an idiot for example. It would only be 2% slower on my systems in this example.

javiergn
SplunkTrust

Thanks. It makes perfect sense.

I would still like to hear some comments from people that already implemented FIPS in their environment.
If not I guess it's something we are going to have to measure in our lab, as you said above.

0 Karma

jkat54
SplunkTrust

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Server Certificate
Note: If using a FIPS 140-2 cryptomodule disregard the following rules and defer to the recommended configuration for the particular cryptomodule. Nevertheless we recommend to use these rules to audit your configuration.

Rule - Use Strong Keys & Protect Them
The private key used to generate the cipher key must be sufficiently strong for the anticipated lifetime of the private key and corresponding certificate. The current best practice is to select a key size of at least 2048 bits. Additional information on key lifetimes and comparable key strengths can be found in [1], NIST SP 800-57. In addition, the private key must be stored in a location that is protected from unauthorized access.

So unless you're using crypto modules... I think you can assume the same performance degradation as standard SSL.

0 Karma

jkat54
SplunkTrust

http://stackoverflow.com/questions/548029/how-much-overhead-does-ssl-impose

Here's an interesting anecdote. When Google switched Gmail to use HTTPS, no additional resources were required; no network hardware, no new hosts. It only increased CPU load by about 1%.

0 Karma

javiergn
SplunkTrust

Thanks for taking the time to look into this.

0 Karma

jkat54
SplunkTrust

You're very welcome. Happy to help & learn!

Thanks for the up vote and marking the answer as accepted!

0 Karma

javiergn
SplunkTrust

Hi all, does anyone have any experience with FIPS?

Thanks,
J

0 Karma