Network Computing Network Computing Powered by InformationWeek Business Technology Network




Network + Systems Infrastructure
Buyer's Guide
Shopping For An SSL Accelerator

  November 1, 2002
  By Lori MacVittie


So you've decided that your secure Web site needs a kick in the derriere, and now you're inundated by a ton of marketing brochures for cryptographic acceleration hardware. What do you do? The best answer is to purchase an SSL accelerator that will move the computationally expensive RSA operations required by SSL from software into silicon and provide that much-needed performance boost.

An Innie or An Outie

The first decision you need to make is what type of acceleration device to use. You have a choice--a PCI/SCSI device (internal) that resides on the server(s) you're accelerating, or an appliance-based device (external) that is deployed in front of the server(s). We have a nifty flowchart to help you determine which model accelerator is best suited to your needs (see our flowchart).

If you have a single Web server providing SSL-enabled content and don't plan to deploy additional SSL-enabled Web servers, the decision is fairly straightforward--go with an internal device, such as Rainbow Technologies' CryptoSwift, if you can find one that supports your Web server and operating system. But if you're looking at managing multiple SSL-enabled Web servers, the decision is more complex.


Believe it or not, the cost of a 128-bit certificate can be a significant factor in the decision to purchase an external acceleration device as opposed to an internal device when multiple Web servers are involved. Even with discounts, the cost of purchasing one certificate per Web server rises quickly. And the cost is recurring because renewal is required every year. Don't forget to factor in the expense of managing each certificate and each set of keys. For large sites, the cost of the certificates could quickly grow to more than the cost of the accelerators. On the other hand, an external device can front hundreds of Web servers, enabling them all with SSL for a fraction of the cost.

If you require SSL encryption at all times, including on the wire on your internal network (often the case for financial institutions), you're going to eat the cost of the certificates anyway because you'll need certificates on all servers, and the decision becomes primarily a question of load-balancing needs. If you need the ability to route traffic at Layer 7, you'll want an SSL-enabled external device to handle these chores. A good reason for routing at Layer 7 is service levels based on cookies (gold members are always directed to server A, B or C because they're the "phat" servers; everyone else gets D, E or F). Also, you can organize your Web farm more efficiently (rules like "images are served from server Y unless Y is under heavy load, then it's X" are difficult to code into Web pages). If you don't require load-balancing above Layer 4, you'll be able to get away with a simple load-balancing solution while leveraging your investment in certificates and internal acceleration devices.
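The two Layer 7 rules above, written out as routing logic in an added example (not from the original article). Both inputs, the cookie and the URL path, travel inside the encrypted stream, which is why the device making the decision has to terminate SSL first. The cookie name `member`, its `user|tier|tag` format, the key, the `/images/` prefix, the 0.8 load threshold and the least-loaded choice within a pool are all assumptions; the example also goes one step beyond the text by verifying an HMAC tag, because a cookie is client-supplied and an unsigned "gold" value could be set by anyone.

```python
import hashlib
import hmac

# Assumptions for this sketch; none of these names or values are from the article.
KEY = b"constructed-demo-key"        # secret shared by the site and the device
GOLD, STANDARD = ["A", "B", "C"], ["D", "E", "F"]
IMAGE_PRIMARY, IMAGE_FALLBACK = "Y", "X"
HEAVY_LOAD = 0.8                     # utilisation above which Y counts as heavily loaded


def issue_cookie(user: str, tier: str) -> str:
    """Value the site would set in the 'member' cookie: user|tier|HMAC tag."""
    tag = hmac.new(KEY, f"{user}|{tier}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{tier}|{tag}"


def verified_tier(cookie_header: str) -> str:
    """Tier claimed by the 'member' cookie, or 'standard' if missing or forged."""
    pairs = (item.strip().partition("=") for item in cookie_header.split(";"))
    cookies = {name: value for name, _, value in pairs if name}
    parts = cookies.get("member", "").split("|")
    if len(parts) != 3:
        return "standard"
    user, tier, _ = parts
    # The cookie is client-supplied, so recompute the tag instead of trusting it.
    expected = issue_cookie(user, tier).encode()
    if not hmac.compare_digest(expected, cookies["member"].encode()):
        return "standard"
    return tier


def route(path: str, cookie_header: str, load: dict) -> str:
    """Choose a backend from the decrypted request and current server load."""
    if path.startswith("/images/"):
        busy = load.get(IMAGE_PRIMARY, 0.0) > HEAVY_LOAD
        return IMAGE_FALLBACK if busy else IMAGE_PRIMARY
    pool = GOLD if verified_tier(cookie_header) == "gold" else STANDARD
    return min(pool, key=lambda server: load.get(server, 0.0))  # least loaded


if __name__ == "__main__":
    load = {"A": 0.6, "B": 0.2, "C": 0.4, "D": 0.9, "E": 0.5, "F": 0.7, "Y": 0.95}
    gold = "lang=en; member=" + issue_cookie("alice", "gold")
    forged = "member=mallory|gold|" + "0" * 64
    print(route("/account", gold, load))        # gold pool
    print(route("/account", forged, load))      # forged cookie falls back to standard
    print(route("/images/logo.gif", "", load))  # Y is busy, so X
```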

The underlying truth here is that even if you deploy an external cryptographic acceleration device, you're going to want internal acceleration. Without it, the encryption bottleneck will continue to be in your SSL-enabled Web servers--you'll gain almost nothing in terms of number and speed of transaction processing. Why? In this scenario, the SSL session is terminated at the load-balancer and a new SSL session is initiated to the Web server. If you aren't accelerating both sides of the equation, you're still introducing high latency because of SSL processing overhead. Some devices, such as those offered by F5 Networks and NetScaler, pool SSL connections to reduce this overhead.

There are two types of external accelerators: those offered by network device manufacturers, such as Array Networks, F5 and NetScaler, and those offered by vendors that are primarily cryptographic hardware makers, such as Rainbow and SonicWall. The differences between them are in each device's ability to go beyond accelerating cryptographic functions. Accelerators offered by network device manufacturers generally include more complete network control--load-balancing, cache-redirection--while those from traditional cryptographic hardware manufacturers tend to focus on the cryptography and offer limited, if any, additional network-based options. Your selection will depend entirely on your networking needs. If you require load-balancing and other network functionality, an F5 or NetScaler product will serve you well.


Copyright © 2009 United Business Media LLC