Product names of SSL accelerators often contain numbers, like the Speedy300 or the SSLEnhancer600. But what do these numbers really mean? The rating for SSL accelerators is based on the number of RSA key signings, or RSA modulus operations, that the device is capable of performing in a second. Don't get excited, though: This is not the number of transactions per second that your Web server will suddenly be able to perform after the deployment of an SSL acceleration device. Of course, this raises the question: "How many transactions per second will my Web server be capable of performing?" We set out to measure the benefits of SSL accelerators when they're deployed in a real-world scenario.

We acquired two servers -- a quad-processor, 700-MHz Compaq Computer Corp. ProLiant and a six-processor, 450-MHz Hewlett-Packard Co. NetServer 6000 -- and set them up with Microsoft Windows NT 4.0 SP6 and iPlanet WebServer Enterprise Edition 4.1. After baselining both Web servers with unassisted SSL using RadView Software's WebLoad 4.51, we were ready to test the products. Our 12 WebLoad clients, emulating Microsoft Internet Explorer 5.0, generated traffic over a Gigabit Ethernet infrastructure to ensure that bandwidth bottlenecks were not an issue.

Each product was set up and configured, then put through the same battery of tests. The first test involved six Web pages with a mix of content: a 1-KB text file, a 1-KB image, a 10-KB file with text and images, a 10-KB text file, a 24-KB file with text and images and finally a 24-KB text file. Each product was run through these tests under loads of 600 and 1,980 clients.

We split the nine tested products into two categories: external devices, which require no integration with the Web server, and internal devices, which require integration with the Web server.

For our performance category, we looked at the number of successful transactions per second as well as the connect times, which give a good indication of improvements in the speed of the SSL handshake. We also monitored the time the server took to process the request, giving us a good indication of the speed at which bulk encryption is performed. We compared the results with the baselines and came up with the improvement in performance over the baseline for each product.

We also looked at the scalability of each device, an important factor when building a high-availability infrastructure for e-commerce sites, and discovered some ugly truths about PCI-based solutions. We calculated price points based on the number of key signings and judged products based on their value per dollar. We examined physical security of the device and network access to the device. But most important, we evaluated the products based on where they store your private keys and how accessible these keys are to the bad guys.

We considered cryptographic support for each product, as well as management and configuration of the device, especially certificate management. For internal solutions, we also evaluated the robustness of the product's platform and Web server support.

Hewlett-Packard and Compaq lent us servers for this review, and iPlanet contributed an iPlanet WebServer.

WebLoad 4.51, RadView Software. www.radview.com/products/webload4.5.asp