Shopping For An SSL Accelerator
November 1, 2002
By Lori MacVittie
No Easy Answer
Muddying the picture even more, if you have deployed or are thinking about deploying a network-based IDS (intrusion-detection system), you may want to consider an external device. An IDS can't inspect SSL-encrypted traffic, so you'll need to decrypt the traffic before the IDS receives it. You can always re-encrypt to the back end if necessary, but your IDS won't serve its intended purpose if it's getting encrypted traffic. If you need to re-encrypt traffic, choose a device that supports this function on the back end, such as F5's Big-IP.
The catch, though, is that external devices don't take key management as seriously as internal devices do. nCipher Corp.'s products, for example, offer secure key management and cryptographic acceleration. External, network-based devices generally store certificate keys on a hard drive on the device in a relatively insecure fashion. Although it's difficult to access the keys on an external device, if your security policies stringently require a secure key management solution, you'll want to turn your attention to an internal solution. Why? Because if your keys are stored on the hard drive of an external SSL accelerator and it is broken into, you lose. Your keys have been compromised, and now the "bad guys" may be able to decrypt that SSL traffic. If the keys are stored securely in an HSM (Hardware Security Module), such as that offered by nCipher or Rainbow, you've added another layer of protection.
Performance & Functionality
There are differences between internal and external devices in terms of the performance increases achieved by each. Cryptographic accelerators are rated in terms of "transactions per second." But don't be fooled: the term "transactions" in this context refers to 128-bit RSA operations on 1 KB of data. Secure Web pages are typically smaller than your average unencrypted page. However, they are almost never as small as 1 KB, and they require more than one RSA operation to complete.
Interestingly enough, an external device can achieve the transaction rates claimed by the vendor; we saw it happen right here in our Green Bay, Wis., Real-World Labs®. But internal devices tend to achieve much lower rates than are claimed. A good rule of thumb is to halve the number of transactions per second claimed by the vendor for an internal SSL acceleration device.
This number is important when sizing the accelerator you want to purchase. You'll need to be sure that the product you choose is not only capable of handling today's load but is also capable of scaling as the number of secure transactions being processed grows. Some vendors, such as nCipher and Rainbow, offer multiple internal products handling 300 to 800 tps (transactions per second), while others, such as AEP, target high-volume processing at 2,000 tps and up. If the accelerator you select can't support the tps rate you require on a single machine, and you're limited in the number of expansion slots you can use to add cards, reconsider deploying an external solution. If the tps number you're trying to support exceeds what your internal solution can handle, you'll see increasingly longer response times, which is just what you deployed the solution to prevent.
External acceleration devices generally come in a one-size-fits-all configuration. A fixed tps number is offered by a variety of vendors including Array, NetScaler, Nortel Networks, Rainbow and SonicWall. F5 offers a one-size-fits-all solution but also provides a convenient scaling option that lets you start with 100 tps and license additional transactions. Scaling with an external device requires much less configuration and labor because you only have to integrate a single device into the network rather than deploy a new server: the hardware, the OS, the Web server, the accelerator and the certificate.
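As an added example (not from the article or from any vendor), a small Python sizing helper that applies the rules above: convert page load into rated RSA transactions, halve the vendor's claim for an internal card, and bound internal scaling by the free expansion slots. The growth rate, RSA operations per page and slot counts are assumed inputs you supply, not figures from the article.

```python
"""Capacity-planning helper for SSL-accelerator sizing (constructed example).

Encodes the article's rules of thumb: a vendor "transaction" is one RSA
operation, real pages need several, internal cards deliver about half the
claimed rate, and an internal deployment is capped by free expansion slots.
"""
from dataclasses import dataclass
import math


@dataclass
class Accelerator:
    name: str
    claimed_tps: int      # vendor-rated RSA transactions per second
    internal: bool        # True for a PCI card, False for a network appliance
    free_slots: int = 1   # expansion slots available for internal cards (assumed)


def effective_tps(dev: Accelerator) -> int:
    """Article's rule of thumb: halve the claim for an internal card."""
    return dev.claimed_tps // 2 if dev.internal else dev.claimed_tps


def required_tps(pages_per_sec: float, rsa_ops_per_page: int,
                 annual_growth: float, years: int) -> int:
    """Peak page load turned into RSA ops/sec and grown forward (assumed inputs)."""
    today = pages_per_sec * rsa_ops_per_page
    return math.ceil(today * (1 + annual_growth) ** years)


def plan(dev: Accelerator, need_tps: int) -> dict:
    """How many units of `dev` cover `need_tps`, and whether that is deployable.

    Internal: units must fit in the free slots of one server.
    External: a single one-size-fits-all appliance must cover the load.
    """
    per_unit = effective_tps(dev)
    units = math.ceil(need_tps / per_unit)
    fits = units <= dev.free_slots if dev.internal else units == 1
    return {"device": dev.name, "effective_tps": per_unit,
            "units": units, "fits": fits}


if __name__ == "__main__":
    need = required_tps(pages_per_sec=100, rsa_ops_per_page=4,
                        annual_growth=0.4, years=2)
    card = Accelerator("internal-800", 800, internal=True, free_slots=2)
    box = Accelerator("external-2000", 2000, internal=False)
    print(need, plan(card, need), plan(box, need))
```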
Lori MacVittie is a Network Computing technology editor. Write to her at lmacvittie@nwc.com.