The NetSwift2012 is a 2U-form-factor appliance powered by dual Intel 866-MHz processors with 1 GB of RAM. Fiber Gigabit Ethernet isn't supported, but dual 10/100/1000 NICs offer gigabit over copper as a standard option. Two CryptoSwift II 600 PCI cards are inside, as expected. In our labs in Green Bay, Wis., our tests on a beta version of the NetSwift2012 showed that this product can indeed handle more than 1,000 SSL TPS (transactions per second). That's 1,000 SSL-encrypted objects per second.
The NetSwift2012 supports SSL versions 2 and 3 and most of the cipher suites available. What differentiates this product are features such as rudimentary load-balancing services and WTLS (Wireless Transport Layer Security) acceleration. At $15,989, this appliance will give competitors a run for their money.
Into the Ring
I fronted as many as three Microsoft IIS (Internet Information Server) Web servers with the NetSwift2012, which operates as a transparent proxy. Configuration and management can be accomplished equally well via the CLI (command-line interface) or through a browser-based interface. Certificate requests can be generated, and key lengths of 512, 1,024 and 2,048 bits are available. Any certificate in PKCS (Public Key Cryptography Standard) #12 format can be imported. I configured the unit to handle SSL for a single Web server using the appliance's default certificate (1,024-bit key), which shipped with the product. Because the connections to the Web servers from the appliance are clear text, you'll need only one certificate per appliance, not one per server.
After powering up five SSL load-generating clients (Rainbow wrote the load generator, which is now distributed freely by Intel), I generated an average of 250 requests per second per client. The NetSwift2012's LCD display merrily reported current TPS and peak TPS. At high loads the NetSwift2012 handled 1,034 SSL TPS. The upper limit of the product seems to be about 1,000 TPS--no small accomplishment.
I also tried out the product's load-balancing feature. Standard algorithms are available--round robin, least connections and their weighted counterparts. I used a simple round-robin algorithm and designated three IIS Web servers as the pool. Configuring this feature is a bit strange, because instead of entering the IP address for a single Web server, you enter a comma-delimited list of IP addresses. I'd like to see this awkward and difficult-to-update process improved.
The most interesting facet of this configuration is that the client request can be to any of the IP addresses of Web servers being load-balanced, and the NetSwift2012 will still load-balance the request.
I generated the same level of traffic and encountered about the same number of transactions per second, but when I used Windows PerfMon to monitor the number of get requests per second on each of the Web servers, the load was now distributed equally.
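To make the load-balancing behavior described above concrete, here is an added model (not Rainbow's code, and not part of the original article) of the four scheduling algorithms the review lists, the comma-delimited pool entry, and the transparent-proxy rule that a request addressed to any pool member is still spread across the whole pool. The IP addresses and weights are constructed sample values.

```python
from collections import Counter
from itertools import cycle


def parse_pool(pool_config):
    """Parse the comma-delimited server list the appliance expects (stray spaces tolerated)."""
    return [ip.strip() for ip in pool_config.split(",") if ip.strip()]


class Balancer:
    """Round robin, least connections and their weighted counterparts over one pool."""

    def __init__(self, pool_config, algorithm="round_robin", weights=None):
        self.pool = parse_pool(pool_config)
        if not self.pool:
            raise ValueError("empty server pool")
        self.algorithm = algorithm
        # Weights only matter for the weighted variants; otherwise every server counts as 1.
        weighted = "weighted" in algorithm
        self.weights = {ip: (weights or {}).get(ip, 1) if weighted else 1 for ip in self.pool}
        self.active = Counter()  # open connections per server
        # Weighted round robin: repeat each server according to its weight, then cycle.
        self._cycle = cycle([ip for ip in self.pool for _ in range(self.weights[ip])])

    def pick(self, dst_ip):
        # Transparent proxy: a request to any pool member's address is scheduled across
        # the whole pool; traffic to an address outside the pool passes through unchanged.
        if dst_ip not in self.pool:
            return dst_ip
        if "round_robin" in self.algorithm:
            return next(self._cycle)
        # (Weighted) least connections: lowest active-connections-to-weight ratio wins;
        # ties go to the earlier pool entry so the choice is deterministic.
        return min(self.pool, key=lambda ip: (self.active[ip] / self.weights[ip], self.pool.index(ip)))

    def open(self, dst_ip):
        server = self.pick(dst_ip)
        self.active[server] += 1
        return server

    def close(self, server):
        self.active[server] -= 1


def distribution(balancer, dst_ip, n):
    """Open n connections addressed to dst_ip and return how many landed on each server."""
    return dict(Counter(balancer.open(dst_ip) for _ in range(n)))
```

With all 300 requests aimed at the first server's address, the round-robin pool still reports 100 hits per server, which is the even spread the PerfMon counters showed.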
Rival products match many of the NetSwift2012's basic features--except one: WTLS acceleration. Click a button, define the WAP (Wireless Application Protocol) gateway, and you're ready to go. The product acts as a transparent proxy for the WAP gateway and handles all the encryption and decryption of WTLS sessions. I then set up Captaris' WAPlite on my Web server and configured IIS with the appropriate MIME types.
Using a WAP browser emulator, WinWAP Pro, I retrieved a simple WML (Wireless Markup Language) deck from my Web server. Unfortunately, tools to load test a WTLS accelerator are unavailable, so I couldn't stress the product. While most WAP gateways are still the domain of service providers, an effort is under way to move the gateways into the enterprise. And since security will remain an issue, acceleration services for WTLS will be welcome.
Not Up to Speed?
The product does need some work. To apply configuration changes, you must log out and log in again. And while the device's case provides a measure of security--the power, bypass and serial port for console connectivity sit behind a lockable faceplate--the administrative port is available to anyone with a length of Category 5 cable. The folks from Rainbow agreed this was odd, but we decided that if someone has physical access to your machine you have bigger problems to deal with. Even so, with the management IP address displayed prominently on the LCD, it would be fairly easy to access the browser-based management interface--assuming you know the password.
Also behind the lockable faceplate is a CD-ROM drive for upgrades. Rainbow will provide upgrades and patches via CD rather than over the network to avoid the risks of opening up the machine to transfers. The NetSwift2012 provides stateless failover in an active-active configuration, meaning that both the primary and the secondary devices can service requests. Although most SSL appliance vendors don't provide stateful failover (F5 Networks' Big-IP HA+ is one that does), I'd like to see this feature in the NetSwift2012.
Network Computing technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation organization. Send your comments on this article to her at lmacvitte@nwc.com.