Optimizing SSL processing for Web
Network World
The Secure Sockets Layer protocol is the de facto means for transmitting data over the Internet privately and securely. The protocol is integrated into every browser and every Web server, allowing any user to interact with any Web site in a secure manner. For example, SSL is used in online transactions to protect sensitive information such as credit card numbers and stock trade details. SSL-secured pages are accessed with the prefix "https" rather than the standard "http."

Unfortunately, this protection does not come without a cost. Because of its certificate-based authentication and its public-key and symmetric encryption/decryption operations, SSL is highly CPU-intensive and places a major performance strain on Web servers. The resulting server bottleneck slows Web sites to a crawl - a surefire way to lose online customers. An emerging class of special-purpose network devices, SSL accelerators, lets Web sites satisfy performance and security requirements by handling all SSL processing in optimized hardware and software.
Keys to SSL start-up

When an SSL-capable browser (Netscape Navigator, Microsoft Internet Explorer) and Web server (Apache, Microsoft Internet Information Server) communicate, the browser confirms the server's identity using a digital certificate (a server can optionally demand a client certificate as well). Digital certificates are issued by trusted third parties, the certificate authorities, and bind a public key to the identity of its owner; the browser verifies the certificate's signature and takes the server's public key from it. When the initial authentication is complete, the browser sends the server a 48-byte pre-master secret encrypted with the server's public key. The Web server decrypts the pre-master secret with its private key, and both sides derive the 48-byte master secret from it together with the random values exchanged in the hello messages. Finally, a set of symmetric keys is generated from the master secret, which the browser and server use to encrypt, decrypt and authenticate data during the session. Encryption algorithms can be explicitly configured or negotiated for each session; at the time of writing the most widely used were the Data Encryption Standard and RC4, both of which have since been deprecated in favor of AES-based ciphers. Once this start-up process is complete, a secure tunnel is established and private data transmission can begin.

While the initial authentication and key generation are transparent to users, they are far from transparent to Web servers. The start-up process must be performed for each new user session (a full handshake is avoided only when a client resumes a cached session), and the server's private-key decryption of the pre-master secret is its most expensive step, placing a major load on server CPU resources and creating severe performance bottlenecks. To illustrate the problem, a standard Web server can handle only 1% to 10% of its normal load when processing secure SSL sessions, according to IT research firm Meta Group in Stamford, Conn. The performance penalties of SSL result in several undesirable consequences:
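The start-up sequence described above, carried through end to end, as an added example that is not code from the article or from CacheFlow. It assumes a toy textbook RSA keypair built from two Mersenne primes (trivially factorable and therefore insecure; it only spares the example a prime-generation routine), no PKCS#1 padding on the pre-master secret, and the cipher suite TLS_RSA_WITH_RC4_128_SHA; the key schedule follows RFC 2246 (TLS 1.0). All function and constant names are this example's own.

```python
# Added example (not from the article or CacheFlow): SSL 3.0/TLS 1.0 RSA key
# exchange and key schedule, simulated end to end. Assumptions: a toy textbook
# RSA keypair built from two Mersenne primes (trivially factorable, hence
# insecure; it just spares us prime generation), no PKCS#1 padding, and the
# cipher suite TLS_RSA_WITH_RC4_128_SHA. Key schedule per RFC 2246 sections 5 and 6.3.
import hmac
import secrets

# Hypothetical server keypair. Real servers of the period used 1024-bit keys.
P = 2**521 - 1                       # Mersenne prime M521
Q = 2**607 - 1                       # Mersenne prime M607
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (pow(..., -1, m) needs Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)           # what the server's certificate carries
SERVER_PRIVATE_KEY = (N, D)          # stays on the server (or the accelerator)

def rsa_encrypt(public_key, plaintext):
    n, e = public_key
    return pow(int.from_bytes(plaintext, "big"), e, n)

def rsa_decrypt(private_key, ciphertext, length):
    # d is ~1100 bits against 17 bits for e, so this exponentiation costs
    # tens of times more modular multiplications than the client's encryption.
    # It runs once per new session: this is the load an accelerator removes.
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246: chained HMACs until `length` bytes are produced."""
    output, a = b"", seed                                 # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hash_name).digest()       # A(i) = HMAC(secret, A(i-1))
        output += hmac.new(secret, a + seed, hash_name).digest()
    return output[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def derive_session_keys(pre_master_secret, client_random, server_random):
    """Both sides run this; only the pre-master secret had to travel under RSA."""
    master_secret = tls10_prf(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    # TLS_RSA_WITH_RC4_128_SHA: two 20-byte MAC secrets, two 16-byte RC4 keys, no IVs.
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random, 72)
    return {"master_secret": master_secret,
            "client_write_mac": key_block[0:20], "server_write_mac": key_block[20:40],
            "client_write_key": key_block[40:56], "server_write_key": key_block[56:72]}

def rc4(key, data):
    """Plain RC4, the stream cipher the article names (broken today; shown for fidelity)."""
    s, j = list(range(256)), 0
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                     # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def simulate_handshake(client_random=None, server_random=None):
    """Run the exchange; return the key set each side derived on its own."""
    client_random = client_random or secrets.token_bytes(32)   # ClientHello.random
    server_random = server_random or secrets.token_bytes(32)   # ServerHello.random
    # Client: 48-byte pre-master secret = offered version (3,1) + 46 random bytes,
    # encrypted under the public key taken from the server's certificate.
    pre_master_secret = b"\x03\x01" + secrets.token_bytes(46)
    client_key_exchange = rsa_encrypt(SERVER_PUBLIC_KEY, pre_master_secret)
    client_keys = derive_session_keys(pre_master_secret, client_random, server_random)
    # Server: private-key decryption, version check, then the same derivation.
    recovered = rsa_decrypt(SERVER_PRIVATE_KEY, client_key_exchange, 48)
    if recovered[:2] != b"\x03\x01":
        raise ValueError("pre-master secret carries the wrong protocol version")
    server_keys = derive_session_keys(recovered, client_random, server_random)
    return client_keys, server_keys

def round_trip(message):
    """One application-data record client -> server through the established tunnel."""
    client_keys, server_keys = simulate_handshake()
    on_the_wire = rc4(client_keys["client_write_key"], message)
    return rc4(server_keys["client_write_key"], on_the_wire)

if __name__ == "__main__":
    c, s = simulate_handshake()
    print("both sides hold the same master secret:", c["master_secret"] == s["master_secret"])
    print("decrypted at the server:", round_trip(b"GET /account HTTP/1.0"))
```

Two things the walkthrough makes concrete. The only secret that crosses the wire is the RSA-encrypted pre-master secret; everything else (master secret, MAC secrets, RC4 keys) is derived identically on both ends from it and the two hello randoms. And the single costly step sits on the server: the private-key exponentiation with a roughly 1100-bit exponent, repeated for every new session, which is exactly the work an SSL accelerator takes off the Web server.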
Eliminating SSL bottlenecks

To address the performance problems posed by the CPU-hungry SSL protocol, a set of specialized products has emerged: SSL acceleration appliances. These are distinct network elements built to process SSL tasks without taxing the Web server. Through hardware and software optimization, a specialized SSL accelerator can process 10 to 40 times as many SSL sessions as a standard Web server. Furthermore, SSL accelerators free server resources to process application logic and database lookups much more expediently, accelerating the entire site.

Integrating an SSL appliance into the network is simple. A Layer 4 to Layer 7 switch or load-balancing device is configured to redirect all port 443 (HTTPS) requests to the appliance. The appliance then assumes all SSL processing duties, terminating each session and passing the decrypted requests on to the Web servers as ordinary HTTP, and the Web servers are instantly offloaded. Two consequences of this design must be planned for: the server's private key now lives on the appliance and must be protected there, and the traffic between the appliance and the Web servers travels in the clear unless it is re-encrypted, so that segment has to be confined to a trusted network. As secure traffic volumes grow, additional SSL appliances can be deployed without causing any undue management burden.

Most recently, SSL acceleration capabilities have been integrated into Web content-delivery products such as server-side caches (also known as "server accelerators"). The key advantage of this approach is that the server accelerator handles both SSL processing and object delivery. For example, a user accesses a page that has 30 embedded objects. The server accelerator with integrated SSL performs the initial session setup, establishes the secure tunnel and delivers all objects to the client; the Web servers are tasked only to retrieve dynamic data elements such as portfolio values or medical records. As a result, the user receives the page in a fraction of the normal time.

An SSL-equipped server accelerator enables widespread use of SSL for secure content exchange over Web infrastructures. Sites can be assured that secure pages will be delivered rapidly and secure transactions will be completed quickly.

Govatos is director of product marketing at CacheFlow, Inc. He can be reached at greg.govatos@cacheflow.com.

Related links:
Phobos NIC boosts e-comm security
Review: Intel boosts e-comm performance with NetStructure 7110
Ensuring end-to-end security with SSL