
SSL Acceleration .info

Saturday, 31-Jul-2010 14:11:30 GMT

Hardware: SSL terminators/routers and reverse proxies

Considering that an https:// connection is just an http:// connection wrapped in encryption and delivered to the web server on port 443 instead of 80, one might be tempted to ask: why not just place a completely separate machine in front of one's web server that decrypts the traffic and then sends it on to the web server?

Indeed, this is exactly what an SSL terminator is, and there are a few available products. Firstly, the free Apache web server has a "JK" connector that can forward unencrypted traffic to an application server. So this would effectively provide such "acceleration", in the sense that the Apache software could run on a fast 64-bit AMD or Intel box and forward the decrypted connection on to an entirely separate box. Not exactly a turn-key solution.
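Once TLS ends at the front box, the backend that receives the decrypted request no longer sees the client's address, nor that the request arrived over https. A terminator therefore has to convey those facts itself, and the security-relevant caveat is that it must also discard any copies of those headers the client sent, otherwise the backend can be fed a spoofed source address or a false "this was https" claim. The following is an added example of that header handling for a plain-HTTP hop to the backend; it is not code from the page or from Apache, mod_jk or any product named here. The header names, the port and the sample request are constructed assumptions for illustration.

```python
# Added example, not from the page: the header handling a TLS terminator
# performs before it hands a decrypted request to a backend over plain HTTP.
# Header names, port and the sample request are assumptions for illustration.
from typing import List, Tuple

Header = Tuple[str, str]

# Hop-by-hop headers apply only to the client<->terminator connection and
# are not forwarded (RFC 7230, section 6.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Headers the terminator owns. Any client-supplied copy is discarded so the
# backend cannot be handed a spoofed source address or a false "https" claim.
PROXY_OWNED = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-port"}


def parse_request_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split the head of an HTTP/1.x request into request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def rewrite_for_backend(headers: List[Header], client_ip: str,
                        listen_port: int = 443) -> List[Header]:
    """Return the header list the terminator sends to the backend."""
    # A Connection: header may name further hop-by-hop headers; drop those too.
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop |= PROXY_OWNED

    forwarded = [(n, v) for n, v in headers if n.lower() not in drop]
    # Only now does the terminator add its own, trustworthy values.
    forwarded += [
        ("X-Forwarded-For", client_ip),
        ("X-Forwarded-Proto", "https"),
        ("X-Forwarded-Port", str(listen_port)),
        ("Connection", "close"),  # one plain-HTTP hop per request to the backend
    ]
    return forwarded


def serialize(request_line: str, headers: List[Header]) -> bytes:
    """Re-emit the request head as bytes for the plaintext backend socket."""
    lines = [request_line] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample: a decrypted request in which the client tries to
# pre-set X-Forwarded-For and push an Upgrade header past the terminator.
SAMPLE_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"Connection: Upgrade, X-Debug\r\n"
    b"Upgrade: h2c\r\n"
    b"X-Debug: 1\r\n"
    b"Cookie: session=abc\r\n"
    b"\r\n"
)


def forward_sample() -> bytes:
    """Run the constructed sample through parse -> rewrite -> serialize."""
    request_line, headers = parse_request_head(SAMPLE_REQUEST)
    return serialize(request_line, rewrite_for_backend(headers, "203.0.113.7"))


if __name__ == "__main__":
    print(forward_sample().decode())
```

The complementary rule on the backend side is to honour X-Forwarded-* only when the TCP peer is the terminator itself (for example by binding the backend to an internal address that only the terminator can reach); a backend exposed directly to the network would otherwise trust whatever a client puts in those headers.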

The products below all look good (although the marketing can be a little hilarious). I would like people who have actually bought these products to comment on them in the FEEDBACK AND COMMENTS section on the right.

Array Networks http://www.arraynetworks.net/ have a range of appliances of which, at the upper end, they claim 20,000 SSL transactions per second. Of course it is missing the word "new", because a resumed (cached) SSL session or a sustained SSL session is much less CPU intensive per download than a new SSL connection. I am not sure I believe that it can indeed perform 20k entirely NEW SSL negotiations per second, but if it can, it is an awesome product. On the whole, the Array Networks product line in this department seems to hold the most promise. They also claim 2,000,000 concurrent TCP sessions. Now there is a theoretical limit of 64k TCP sessions per IP address if you are terminating the connection, so obviously they mean something else. Perhaps this appliance can operate in a packet routing mode as well as a terminator mode and the "2,000,000" applies to the former mode. I think it is doubtful that it can really hold 2,000,000 concurrent SSL sessions and at the same time do 20,000 new SSL negotiations per second!!

Radware http://radware.com has a product AppXcel that seems to do just this. They claim "clustering capabilities" "up to" "150,000 new SSL TPS" (transactions per second). I like the fact that they quote actual SSL transactions per second and not RSA per second. However there are no cryptography chips that do 150k anything per second, so they are obviously implying that you are going to have to buy many of these extremely expensive little boxes. They also ain't saying how many SSL TPS one of them will do!

F5 http://www.f5.com has something similar. And once again they don't say how fast it is! They also say things like "Consolidation of Certificates" "saving hundreds of dollars per certificate", indicating they don't understand how a network works. Hmmmmmm.

Cisco has a product called Application Velocity System (AVS). It can be configured in a variety of ways of which an SSL terminator seems to be one. No specs on performance that I could see.

Then Juniper has some kind of similar SSL product, and a product that does "SSL VPN", which after a quick glance looks just like the terminator we are speaking of.

Strangeloop http://www.strangeloopnetworks.com/ makes an appliance called the AS1000 which claims to do SSL. Very little info on their site.