Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Riverbed Upgrade Focuses on SSL Acceleration

Riverbed's technique is straightforward. All WAN optimizers work the same way--they proxy TCP connections between the client and the server. There are actually three TCP connections: One between the client and the local appliance; one between the appliances; and one between the remote appliance and the server. This is nearly always transparent to the user and the network.
SSL is an end-to-end security protocol, so proxying breaks SSL. Riverbed calls its technology "Split Termination." Companies must export their servers public/private key pairs to the Steelhead appliance in the data center. When an SSL client initiates an SSL connection, the Steelhead appliance within the data center completes the SSL negotiation and pushes the session key to the remote Steelhead appliance. That lets the remote Steelhead communicate securely with the client. The two Steelhead appliances do their WAN optimization magic before sending the traffic over SSL between them, and the datacenter Steelhead appliance creates an SSL session with the target server. This is a split reverse proxy.
Bluecoat has similar functionality, in addition to a forward proxy. Rather than having to move keys from the server to the WAN optimization appliance with a forward proxy, Blue Coat's system generates a digital certificate and distributes it to your WAN optimization appliances, and the appliance certificate or the CA certificate must be distributed to the clients. That lets the Bluecoat products optimize any SSL application.
The trade-off is that with Riverbed you must move your private keys into each core appliance that will be accelerating SSL for each supported Web server. Any application that you don't own, like a hosted application, will present a problem if the private key can't be moved. Given that few companyies are actually storing their private keys in hardened storage anyway, moving the keys may not be much of a security risk. By comparison, with Bluecoat, your server's private keys remain where they are, but you have to distribute a CA certificate or the appliances certificate to your clients' browsers.
In the end, the security of the system is essentially the same with each approach, but from a management perspective, there might be advantages in only generating a new root CA on the proxy and distributing it to the clients if the old one is compromised, versus generating new private keys on all the servers and distributing them to the proxy. It really depends on the usage scenario as to which will be the best choice.

Mike Fratto
NWC Technology Editor

Riverbed Technology this week launched a new version of its application-acceleration technology that it says can be used to optimize SSL (Secure Sockets Layer) traffic without interfering with existing enterprise trust models.

Riverbed's RiOS (Riverbed Optimization System) 4.0 is the latest version of the underlying optimization technology running in the vendor's Steelhead optimization appliances. The software accelerates SSL-encrypted traffic without forcing certificates or private keys to be distributed to the edge, thus dodging potential key-management problems, Riverbed officials said.

  • 1