Network + Systems Infrastructure
BUYER'S GUIDE
Shopping For An SSL Accelerator

November 1, 2002
By Lori MacVittie



No Easy Answer

Muddying the picture even more, if you have deployed or are thinking about deploying a network-based IDS (intrusion-detection system), you may want to consider an external device. An IDS can't process SSL-enabled traffic, so you'll need to decrypt the traffic before the IDS receives it. You can always re-encrypt to the back end if necessary, but your IDS won't serve its intended purpose if it's getting encrypted traffic. If you need to re-encrypt traffic, choose a device that supports this function on the back end, such as F5's Big-IP.

The catch, though, is that external devices don't take key management as seriously as internal devices do. nCipher Corp.'s products, for example, offer secure key management and cryptographic acceleration. External, network-based devices generally store certificate keys on a hard drive on the device in a rather nonsecure fashion. Although it's difficult to access the keys on an external device, if your security policies stringently require a secure key management solution, you'll want to turn your attention to an internal solution. Why? Because if your keys are stored on the hard drive of an external SSL accelerator and it is broken into, you lose. Your keys have been compromised, and now the "bad guys" may be able to decrypt that SSL traffic. If the keys are stored securely in an HSM (Hardware Security Module), such as those offered by nCipher or Rainbow, you've added another layer of protection.


Performance & Functionality



What Kind of Accelerator Do You Need?


There are differences between internal and external devices in terms of the performance increases achieved by each. Cryptographic accelerators are rated in terms of "transactions per second." But don't be fooled; the term transactions in this context refers to 128-bit RSA operations on 1 KB of data. Secure pages via the Web are typically smaller than your average unencrypted page. However, they are almost never as small as 1 KB, and they require more than one RSA operation to complete.

Interestingly enough, an external device can achieve the transaction rates claimed by the vendor--it happened right here in our Green Bay, Wis., Real-World Labs®. But internal devices tend to achieve much lower rates than are claimed. A good rule of thumb is to halve the number of transactions per second claimed by the vendor for an internal SSL acceleration device.

This number is important when sizing the accelerator you want to purchase. You'll need to be sure that the product you choose is not only capable of handling today's load but is capable of scaling as the number of secure transactions being processed grows. Some vendors, such as nCipher and Rainbow, offer multiple internal products handling 300 to 800 tps (transactions per second) while others, such as AEP, target high-volume processing--2,000 tps and up. If the accelerator you select can't support the tps rate you require on a single machine, and you're limited in the number of expansion slots you can use to add cards, reconsider deploying an external solution. If the tps number you're trying to support exceeds what your internal solution can handle, you'll see increasingly longer response times, which is just what you deployed the solution to prevent.
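The sizing rules above (halve vendor-claimed tps for internal cards, convert secure pages into RSA operations, check against available expansion slots) worked through as a small planning script. This is an added example, not code from the article or from any vendor; the product names, tps figures, slot counts and traffic numbers are constructed, chosen to fall within the ranges the article quotes.

```python
import math
from dataclasses import dataclass


@dataclass
class Accelerator:
    name: str
    internal: bool        # True for a card inside the server, False for an appliance
    claimed_tps: int      # vendor rating: RSA operations on 1 KB of data per second
    max_units: int = 1    # cards the server's free slots can hold (appliances: 1)


def effective_tps(acc: Accelerator) -> int:
    """Rate to plan with: halve the vendor claim for an internal card (the
    article's rule of thumb); external devices met their claims in the lab."""
    return acc.claimed_tps // 2 if acc.internal else acc.claimed_tps


def required_tps(pages_per_sec: float, rsa_ops_per_page: int, growth: float) -> int:
    """Turn a secure-page rate into RSA operations per second (a page needs
    more than one RSA operation) and add headroom for expected growth."""
    return math.ceil(pages_per_sec * rsa_ops_per_page * growth)


def size(acc: Accelerator, needed_tps: int) -> dict:
    """How many units of this product cover the load, and whether they fit."""
    per_unit = effective_tps(acc)
    units = max(1, math.ceil(needed_tps / per_unit))
    fits = units <= acc.max_units
    if fits:
        verdict = "ok"
    elif acc.internal:
        verdict = "reconsider an external device"   # out of expansion slots
    else:
        verdict = "insufficient"
    return {"product": acc.name, "effective_tps": per_unit,
            "units": units, "fits": fits, "verdict": verdict}


# Constructed candidates: an 800 tps internal card with one free slot, a 2,000 tps appliance.
CANDIDATES = [
    Accelerator("internal card A", internal=True, claimed_tps=800, max_units=1),
    Accelerator("external appliance B", internal=False, claimed_tps=2000),
]


def plan(pages_per_sec: float = 250, rsa_ops_per_page: int = 2, growth: float = 1.5):
    """Size every candidate for a constructed load: 250 secure pages/s, 2 RSA ops each, 50% growth."""
    needed = required_tps(pages_per_sec, rsa_ops_per_page, growth)
    return needed, [size(a, needed) for a in CANDIDATES]


if __name__ == "__main__":
    needed, results = plan()
    print(f"need {needed} tps")
    for r in results:
        print(r)
```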



Features to Consider in SSL Acceleration Devices


External acceleration devices generally come in a one-size-fits-all configuration. A fixed tps number is offered by a variety of vendors including Array, NetScaler, Nortel Networks, Rainbow and SonicWall. F5 offers a one-size-fits-all solution but also provides a convenient scaling option that lets you start with 100 tps and license additional transactions. Scaling with an external device requires much less configuration and labor because you only have to integrate a single device into the network rather than deploy a new server--the hardware, the OS, the Web server, the accelerator and the certificate.

Lori MacVittie is a Network Computing technology editor. Write to her at lmacvittie@nwc.com.


