The Challenge of Measuring Security Overhead

Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread. The features of the Windows NT Security Model and other Internet Information Server security services run in the context of the IIS process and are integrated into several different operating system services. You cannot monitor security features separately from other aspects of the services.

Instead, the most common method of measuring security overhead is to run tests comparing the server performance with and without the security feature. The tests should be run with fixed workloads and a fixed server configuration so that the security feature is the only variable. During the tests, you probably want to measure:

Processor activity and the processor queue. Authentication, IP address checking, SSL protocol, and encryption schemes are security features that require significant processing. You are likely to see increased processor activity, both in privileged and user mode, and an increase in the rate of context switches and interrupts. If the processors in the server are not sufficient to handle the increased load, queues are likely to develop.

Physical memory used. Security requires that the system store and retrieve more user information. Also, the SSL protocol uses long keys (40 bits to 1024 bits long) for encrypting and decrypting the messages.

Network activity. The most obvious performance degradation resulting from complex security features like SSL is increased latency. Latency is a measure of the time required to complete a task. Downloading files on servers using the SSL protocol can be 10 to 100 times slower than on servers that are not using SSL.

You are also likely to see an increase in traffic between the IIS server and the domain controller used for authenticating logons and verifying IP addresses. If a server is used both for running Internet Information Server and as a domain controller, the proportion of processor use, memory, and network and disk activity consumed by domain services is likely to increase significantly. The increased activity can be enough to prevent the IIS services from running efficiently.

You can run a test that monitors processor, memory, and network activity by using the Microsoft Web Capacity Analysis Toolkit (WCAT). You can run WCAT alone or in conjunction with other tools, such as Performance Monitor and Microsoft Internet Information Service Logging.
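The with-and-without comparison described above, written as a small harness. This is an added example, not code from the resource kit or from WCAT: it holds the workload fixed, interleaves baseline and secured runs so that drift affects both equally, and reports latency (median, 95th percentile) and user/system CPU time. The request payloads are constructed, and the secured handler uses an HMAC over the payload as a stand-in for the cryptographic work a feature such as SSL adds.

```python
"""A/B harness for measuring the overhead of a security feature.

The same fixed workload is run with and without the feature, so the
feature is the only variable. Timings are per request; CPU is total.
"""
import hashlib
import hmac
import os
import statistics
import time

# Constructed workload: 200 requests of 4 KiB each (deterministic content).
REQUESTS = [bytes([i % 256]) * 4096 for i in range(200)]
# Constructed key for the stand-in integrity check; not a real secret.
DEMO_KEY = b"demo-key-for-measurement-only"


def baseline_handler(payload):
    """Serves the request with no security processing at all."""
    return len(payload)


def secured_handler(payload):
    """Same request, plus a MAC over the body (stand-in for SSL work)."""
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()


def percentile(samples, pct):
    """Nearest-rank percentile (pct in 0..100) of a list of numbers."""
    ordered = sorted(samples)
    rank = max(1, int(round(pct / 100.0 * len(ordered))))
    return ordered[rank - 1]


def time_workload(handler, requests):
    """Run each request once; return per-request wall-clock seconds and
    the (user, system) CPU seconds the process consumed meanwhile."""
    cpu0 = os.times()
    latencies = []
    for payload in requests:
        start = time.perf_counter()
        handler(payload)
        latencies.append(time.perf_counter() - start)
    cpu1 = os.times()
    return latencies, (cpu1.user - cpu0.user, cpu1.system - cpu0.system)


def compare(baseline, secured, requests, rounds=3):
    """Interleave baseline and secured runs over the same workload so that
    caching and background load affect both; report stats and the ratio."""
    lat = {"baseline": [], "secured": []}
    cpu = {"baseline": [0.0, 0.0], "secured": [0.0, 0.0]}
    for _ in range(rounds):
        for name, handler in (("baseline", baseline), ("secured", secured)):
            samples, (user, system) = time_workload(handler, requests)
            lat[name].extend(samples)
            cpu[name][0] += user
            cpu[name][1] += system
    report = {}
    for name, samples in lat.items():
        report[name] = {"samples": len(samples),
                        "median_ms": statistics.median(samples) * 1000,
                        "p95_ms": percentile(samples, 95) * 1000,
                        "user_cpu_s": cpu[name][0],
                        "system_cpu_s": cpu[name][1]}
    report["median_latency_ratio"] = (report["secured"]["median_ms"]
                                      / max(report["baseline"]["median_ms"], 1e-9))
    return report


if __name__ == "__main__":
    for key, value in compare(baseline_handler, secured_handler, REQUESTS).items():
        print(key, value)
```

Run it several times on an otherwise idle machine and compare the ratio across runs; a ratio that moves more between runs than between variants means the workload or server configuration is not yet fixed.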