5.5 SSL network appliance overview [4]

SSL appliances offload public-key cryptographic functions from servers. By generating keys on a dedicated appliance, the risk of overloading the web server with secure sessions is minimized, but the SSL transactions are only a few milliseconds faster. Since key generation time is a relatively small portion of total object access time, most SSL appliances increase the SSL capacity of a system but do not provide any noticeable acceleration of the SSL transaction.

5.5.1 Deployment

SSL appliances are often deployed behind a server load balancer (see Figure 5.1). One-arm mode installation is not recommended with an SSL appliance due to the limitations in scalability and availability.

Figure 5.1

Installation is easier and security is improved if the SSL appliance includes internal load balancing and intelligent failover and can be deployed as shown in Figure 5.2.

Figure 5.2

5.5.2 One-way vs. end-to-end SSL

The SSL appliance may support one-way SSL to clients, end-to-end SSL to clients and internal servers, or both modes of operation.

In one-way SSL, the SSL appliance and the client exchange a key; the client then sends an encrypted request to the SSL appliance, where it is decrypted and forwarded to the server for processing. The server's unencrypted response comes back to the SSL appliance, is encrypted there, and is sent back out to the client.

In end-to-end SSL, the SSL appliance must exchange a key with the client and, in a separate transaction, exchange a different key with the web server. As in one-way SSL, the client sends an encrypted request to the SSL appliance, where it is decrypted and information such as the header or cookie is read. In end-to-end SSL, the appliance then re-encrypts the request for secure transfer to the web server. At the web server, the request is first decrypted, then a response is generated, and finally the web server must encrypt the response before sending it to the SSL appliance. The SSL appliance must decrypt the server's response and then, using the key information for the client, re-encrypt the response for secure transfer to the client. This end-to-end SSL method is necessary to ensure total transaction security, but the additional rounds of encryption and decryption can burden the web server and slow SSL transaction time.

5.5.3 Key generation capacity

The most commonly cited specification for SSL appliances is RSA keys per second: the number of keys the appliance can generate in one second. If the SSL appliance supports session reuse, a single SSL key can be used for multiple requests from a single client, increasing the utility of each key and decreasing the overall need to generate keys. Key generation capacity is an often quoted specification, but there are other features of an SSL appliance to consider when determining the right SSL solution for a site or enterprise, including deployment options, load balancing, support for end-to-end SSL, and transaction acceleration.

5.5.4 SSL transaction acceleration

Regardless of the number of new keys per second an SSL appliance can generate, the SSL transaction time will be slower than a similar clear-text transaction unless the SSL appliance includes specific acceleration functionality. Even top-of-the-line SSL appliances claiming thousands of keys per second cannot speed end-to-end SSL transactions without acceleration technology.

Figure 5.3 shows the number of milliseconds it takes to generate a key. At best, the large key generation capacity of these appliances provides a few milliseconds of acceleration, something a user would never notice.

Figure 5.3: SSL key generation time in milliseconds (chart "SSL Key Generation Times"; vertical axis: key gen time (ms)).

It is possible to truly accelerate SSL transactions, but it requires an approach that includes advanced Layer 7 intelligence. To accelerate SSL transaction time by more than a few milliseconds, it is necessary to optimize and compress the response data in real time. If the optimization and compression work takes too long, the SSL appliance will provide no acceleration benefit. However, if the acceleration work is done at high speed, the response can be optimized, compressed, and encrypted so that the amount of data sent to the user is reduced and user access time is accelerated.

Simply adding compression to an SSL appliance does not ensure faster response time. Layer 7 optimization and compression is intense work that can only be done quickly and at high capacity when run on a purpose-built I/O optimized platform. Additionally, there are hundreds of edge cases that must be dealt with properly to ensure optimal rendering for all content and all users.
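The following cost model, an added illustration that is not part of the book or of Redline Networks' material, puts numbers behind the three claims above: that a full RSA handshake costs only a few milliseconds out of a much larger object access time, that session reuse lowers key-generation load rather than latency, and that only shrinking the response (Layer 7 compression) moves access time by more than a few milliseconds. Every parameter in `Site` (round trips, key-generation cost on appliance versus web server, response size, link speed, compression ratio) is a constructed assumption, not a measurement, and the mode names and functions are this example's own.

```python
"""Cost model for SSL termination options (added illustration, not from the book).

Every number below is a constructed assumption chosen to be plausible, not a
measurement: tune them to your own site before drawing conclusions.
"""
from dataclasses import dataclass

# Symmetric encrypt/decrypt passes one request/response pair incurs in each mode.
PASSES = {
    "clear": 0,        # no SSL anywhere
    "server_ssl": 2,   # web server terminates SSL itself: decrypt request, encrypt response
    "one_way": 2,      # appliance terminates SSL; clear text between appliance and server
    "end_to_end": 6,   # appliance decrypts/re-encrypts both ways and the server does its own pair
}


@dataclass(frozen=True)
class Site:
    """Assumed per-site parameters (all constructed)."""
    client_rtt_ms: float = 80.0       # client <-> site round trip
    server_rtt_ms: float = 1.0        # appliance <-> web server round trip
    appliance_keygen_ms: float = 2.0  # RSA private-key work per full handshake on the appliance
    server_keygen_ms: float = 6.0     # the same work done in software on the web server
    symmetric_pass_ms: float = 0.5    # bulk encrypt or decrypt of one message
    server_gen_ms: float = 40.0       # time for the web server to build the response
    response_bytes: int = 60_000      # size of the response object
    client_kbps: float = 1_000.0      # client downlink in kbit/s
    compress_ratio: float = 0.35      # compressed/original size with Layer 7 compression


def transfer_ms(nbytes: float, kbps: float) -> float:
    """Serialisation time of nbytes over a kbit/s link, in milliseconds."""
    return nbytes * 8 / kbps


def transaction_ms(site: Site, mode: str, new_session: bool = True, compress: bool = False) -> float:
    """Estimated object access time for one request in the given mode."""
    if mode not in PASSES:
        raise ValueError(f"unknown mode {mode!r}")
    total = site.client_rtt_ms + site.server_gen_ms
    # A full handshake is needed only when no session is reused: one extra client
    # round trip plus the RSA work, done wherever SSL is terminated.
    if mode != "clear" and new_session:
        total += site.client_rtt_ms
        total += site.server_keygen_ms if mode == "server_ssl" else site.appliance_keygen_ms
        if mode == "end_to_end":
            # Second, separate key exchange between the appliance and the web server.
            total += site.server_rtt_ms + site.server_keygen_ms
    total += PASSES[mode] * site.symmetric_pass_ms
    size = site.response_bytes * (site.compress_ratio if compress else 1.0)
    total += transfer_ms(size, site.client_kbps)
    return total


def full_handshakes_per_second(requests_per_s: float, requests_per_session: float) -> float:
    """Key-generation load on the appliance: with session reuse only the first
    request of each session needs a full RSA handshake."""
    if requests_per_session < 1:
        raise ValueError("a session serves at least one request")
    return requests_per_s / requests_per_session


def summary(site: Site = Site()) -> dict:
    """Access time per configuration, in ms, for a brand-new session."""
    return {
        "clear text": transaction_ms(site, "clear"),
        "SSL on web server": transaction_ms(site, "server_ssl"),
        "one-way SSL, appliance": transaction_ms(site, "one_way"),
        "end-to-end SSL, appliance": transaction_ms(site, "end_to_end"),
        "end-to-end SSL + compression": transaction_ms(site, "end_to_end", compress=True),
    }


if __name__ == "__main__":
    for name, ms in summary().items():
        print(f"{name:30s} {ms:7.1f} ms")
    print("full handshakes/s at 5000 req/s, 10 req/session:",
          full_handshakes_per_second(5000, 10))
```

With the assumed parameters, moving the handshake from the web server to the appliance saves 4 ms on a transaction of roughly 600 to 700 ms, which is the "few milliseconds a user would never notice"; reusing a session removes the handshake round trip entirely for later requests and cuts the appliance's key-generation load in proportion to requests per session; and only the compressed variant comes in faster than the clear-text baseline, because it is the transfer of the response bytes, not the key exchange, that dominates.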

5.5.5 Summary

SSL appliances were initially deployed in the network to offload SSL work from servers so the server resources could be dedicated to generating content. While key generation capacity differentiated early SSL appliances, advances in ASIC development have steadily increased key generation capacity and allowed other features such as support for end-to-end SSL, load balancing and transaction acceleration to become the key differentiation among SSL appliances.

For the best in availability, scalability, ease of deployment, and performance, an SSL appliance solution should:

[4] This section is reprinted with permission from Redline Networks (Author: Sarah Z. Stanwyck).

Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis