Optimizing SSL environments to secure data center applications
Solution Brief for SSL offload and acceleration

SSL acceleration features of the VPN Gateway 3050:
- Offloads SSL processing from servers
- Hardware-accelerated public key operations
- Hardware-accelerated bulk encryption
- Server load balancing
- Cookie-based persistence
- Back-end encryption
- High-availability configuration

The VPN Gateway 3050 is Nortel's new generation of Secure Sockets Layer (SSL) appliance and incorporates the full SSL acceleration feature set of the award-winning line of Alteon* SSL Accelerators. It can be deployed seamlessly into any network as a dedicated SSL accelerator with the ability to handle high SSL traffic volumes, optimize secure application performance, and lower security costs.

The VPN Gateway 3050 is a flexible security appliance that can be deployed as an SSL VPN gateway for remote access, or as an SSL accelerator that optimizes SSL environments by offloading SSL encryption/decryption processing and redundant key and certificate management from application servers. When deployed as an SSL accelerator, administrators can still activate the SSL VPN features to create instant extranets or provide cost-effective remote access to enterprise portals.

According to Infonetics Research, Nortel has led the SSL Accelerator appliance market for three years in a row. With more SSL Accelerators deployed than any other vendor, Nortel leads the market with new applications and features such as back-end encryption, integrated load balancing, session persistence, application address translation, Layer 7 filtering, and secure global server load balancing (GSLB). After it won every evaluation category, Network Computing named the Nortel SSL Accelerator King of the Hill in its latest SSL Accelerator bake-off, citing industry-leading performance, features, and manageability as distinguishing attributes.
Designed to lower costs

Offloads SSL processing from servers

Application servers are a significant cost component of any IT infrastructure budget. As more services and applications become Internet-enabled, securing and optimizing these environments becomes a top priority. With its ability to set up secure sessions at the application layer between any client and server connected to the Internet, SSL has quickly become the de facto standard for securing Internet communications.

With today's broad set of SSL applications, servers continue to bear the increasing processor load required to handle secure session setup (the public key operations of the handshake) as well as the bulk encryption/decryption of application data required by the SSL protocol. These functions can slow application servers to a crawl if many sessions are initiated at the same time, or if a large number of concurrent sessions must be maintained. Deploying SSL is easy because the technology is already embedded in every Web browser, but the performance and financial penalty can be significant when a server's real capacity to handle sessions drops by up to 75 percent. The VPN Gateway 3050 offloads this expensive processing from the servers, keeping them running at their optimal levels for a fraction of the cost.

Integrated load balancing

Load balancing has become a mainstay of data center infrastructures. It improves return on investment (ROI) by distributing application processing among multiple devices to keep them operating at a high utilization rate. SSL provides data confidentiality by encrypting the traffic so that only the client and the server application can see the content. However, that same encryption can render load balancers and other Layer 4-7 services useless: if these devices cannot look into the encrypted traffic, they cannot make content-based switching decisions. The VPN Gateway 3050 provides two options that enable content-based load balancing for secure sessions.
First, the gateway offers integrated Layer 4-7 services such as basic load balancing, session persistence, and server health checking. Second, the gateway can work in concert with an external Layer 4-7 switch, decrypting traffic and allowing the switch to perform advanced Layer 4-7 services. In addition to improving server performance and utilization, load balancing also ensures high availability within the server cluster should any active server fail.

Figure: VPN Gateway 3050 in transparent configuration with an Alteon Application Switch. Clients send HTTP or HTTPS traffic through a router to the Alteon Application Switch; the VPN Gateway 3050 performs the SSL handshake (key exchange, client/server authentication), maintains HTTP-to-HTTPS session context, and hands decrypted traffic back to the switch, which applies application services and content-based switching (for example by content type: .gif, .jpg, .cgi, .exe, .bin, .html) before forwarding load-balanced, accelerated, authenticated HTTP or HTTPS traffic to the Web servers. An end-to-end encryption option re-encrypts traffic to the servers; unclassified HTTPS traffic is passed through.

Decreased total cost of ownership

The VPN Gateway 3050 is purpose-built for high performance. By supporting up to 1,500 SSL transactions per second (TPS), 10,000 concurrent secure sessions, and 200 Mbps of encrypted traffic throughput, the VPN Gateway 3050 can lower the cost of managing SSL sessions by up to 75 percent compared to multipurpose servers. In large server farms, the VPN Gateway 3050 can also substantially reduce redundant recurring digital certificate costs by moving certificate installation and management to a single device. The gateway has the SSL processing power of up to 20 servers, cutting the number of required certificates and their collective cost by up to 95 percent. High-security environments can become overly complex when multiple certificates and keys must be managed across tens or hundreds of servers. Consolidating keys and certificates onto the VPN Gateway 3050 improves security by giving private keys a single, better-protected home, and lowers operations and support costs by simplifying management and streamlining the SSL infrastructure.
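As an added illustration of the integrated Layer 4-7 services described under Integrated load balancing above (load balancing, cookie-based session persistence, and server health checking), the following Python sketch shows the routing decision an SSL offload device can make once it has decrypted a request and can read its Cookie header. It is example code written for this page, not Nortel's product code; the back-end names, the persistence cookie name SRVID, and the header dictionaries are assumptions.

```python
"""Cookie-based session persistence with server health checking.

Added example for this page (not Nortel code). The back-end names, the
persistence cookie name SRVID and the header dictionaries are assumptions.
"""
from http.cookies import SimpleCookie

COOKIE_NAME = "SRVID"  # assumed name of the persistence cookie


class Backend:
    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy
        self.active = 0  # open connections, used for the initial pick


class PersistentBalancer:
    """Pin each browser session to one back-end server.

    An SSL offload device that has terminated the session can read the
    Cookie header of every request, so it can keep a session on the server
    that holds its state instead of spreading requests by IP or round robin.
    """

    def __init__(self, backends):
        self.backends = {b.name: b for b in backends}

    def _pinned_server(self, headers):
        """Return the server named in the persistence cookie, if any."""
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        morsel = jar.get(COOKIE_NAME)
        return morsel.value if morsel else None

    def _least_connections(self):
        live = [b for b in self.backends.values() if b.healthy]
        if not live:
            raise RuntimeError("no healthy back-end servers")
        return min(live, key=lambda b: b.active)

    def route(self, headers):
        """Pick the back end for one request.

        Returns (backend, set_cookie): set_cookie is a Set-Cookie header
        value when the client must (re)learn its server, else None.
        """
        pinned = self.backends.get(self._pinned_server(headers))
        if pinned is not None and pinned.healthy:
            return pinned, None
        # No cookie, an unknown server name, or the pinned server failed
        # its health check: choose a new server and re-pin the client.
        chosen = self._least_connections()
        return chosen, f"{COOKIE_NAME}={chosen.name}; Path=/; Secure; HttpOnly"

    def health_check(self, name, ok):
        """Record a health-check result; failed servers leave rotation."""
        self.backends[name].healthy = ok


if __name__ == "__main__":
    lb = PersistentBalancer([Backend("web1"), Backend("web2"), Backend("web3")])
    first, cookie = lb.route({})                       # new client: gets pinned
    print(first.name, cookie)
    lb.health_check("web2", False)                     # web2 fails its check
    moved, cookie = lb.route({"Cookie": "SRVID=web2"})
    print(moved.name, cookie)                          # re-pinned elsewhere
```

The Secure and HttpOnly attributes matter here: the persistence cookie is set by the offload device on a decrypted session, and it should never travel over plain HTTP or be readable by page scripts.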
Flexibility

Today's broad application of SSL for secure ebusiness, data confidentiality, privacy protection, and Virtual Private Networks places a wide range of demands on SSL management devices. The VPN Gateway 3050 is the industry's most feature-rich SSL appliance, combining proven, high-performance SSL acceleration technology with certificate/key management, Layer 4/7 policies, and VPN features. The extensive feature list gives users multiple deployment options to suit any particular secure application environment. The VPN Gateway 3050 can support multiple secure environments by creating virtual servers, with each server instance mapped to its own keys, certificates, filters, access controls, and load balancing policies. This capability allows a single SSL appliance to simultaneously deliver ebusiness acceleration, secure remote access, and intranet security for multiple users, applications, departments, or companies.

Low-cost security

To lower total cost of ownership (TCO), many organizations have adopted a strategy of Web-enabling their applications. This approach allows applications to run on streamlined server infrastructures, simplifies client operations by using Web browsers as the user interface, and brings the added benefit of compatibility with almost any device. SSL is the standard mechanism for securing these Internet-enabled applications and can be turned on simply by running SSL-based HTTPS sessions instead of cleartext HTTP. The VPN Gateway 3050 provides SSL processing at a fraction of the cost of standard application servers, which makes the economics of a ubiquitous encryption environment favorable.

Simplified operations

Multiple certificates and keys not only cost money but also add unnecessary complexity. Each VPN Gateway 3050 has the SSL management and processing capability to replace anywhere from 5 to 20 SSL-enabled application servers.
Signed digital certificates can cost many hundreds of dollars per year, and each private key stored on a basic Web server is a security risk that requires routine care. The VPN Gateway 3050 is a single device capable of managing all SSL operations, removing that complexity from the data center infrastructure. Advanced key and certificate management capabilities further simplify administration:
- Encrypted private key management
- Multiple certificate generation and support
- Variable cipher selection
- Client/server certificate authentication and revocation

Features
- 1,500 SSL TPS per Gateway
- Over 200 Mbps 3DES encrypted throughput
- Hardware-accelerated public key operations
- Hardware-accelerated bulk encryption
- Accelerated encryption, secure key exchange, and certificate validation
- Clusters of up to 255 SSL Accelerators process over 380,000 TPS
- Virtual Server technology for multiple unique domains
- End-to-end encryption for maximum security
- High-availability configurations
- Advanced logging captures SSL handshake fields, certificate data, and SSL/TLS alerts
- Automatic import of keys generated by Apache, Stronghold, OpenSSL, IIS, and Weblogic
- Processes SSL transactions 5 to 50 times faster than an HTTPS server
- Supports multiple Virtual Servers in active-standby mode for resilient SSL services
- Integrated load balancing, cookie-based session persistence, and health checking
- Intrusion protection
- URL filtering on inbound and outbound messages
- URL rewriting for instant extranets
- HTTP application-level knowledge enables header add/remove and redirection
- Maintains session context between HTTP and HTTPS
- Supports SMTP-S, POP3-S, IMAP-S secure messaging protocols
- SSH secure management protocol and SNMP support
- Supports SSLv2.0, SSLv3.0, and TLSv1.0

Note: SSLv2 and SSLv3 are now deprecated (RFC 6176 and RFC 7568), and 3DES is no longer considered adequate for new deployments; use the variable cipher selection so that only TLS with AES-based cipher suites is negotiated.

Optimized for secure application extranets

The productivity gains achieved through the use of corporate intranets and enterprise portals are well documented and recognized by IT professionals.
Today, successful companies are extending this model by securely connecting remote employees, customers, and strategic business partners to critical corporate resources and applications using extranets. The VPN Gateway 3050 provides on-the-fly content translation, client authentication, and access control to create instant extranets without deploying redundant servers or rewriting applications.

Client authentication and access control

The VPN Gateway provides client and server authentication and can be integrated with RADIUS, LDAP, NTLM, or Netegrity services. For enterprises that have adopted PKI, X.509 certificates are supported for both client and user authentication. Key pairs and certificate signing requests (CSRs) can be generated on the VPN Gateway 3050 itself, with the CSR submitted to a Certificate Authority (CA) for signing. Alternatively, an enterprise can act as its own CA and validate self-issued digital certificates with its own digital signature. The gateway also supports two-factor authentication mechanisms such as Secure Computing SafeWord or RSA SecurID. User access privileges can be enforced at the individual application, URL path, or file level to create unique extranet environments for multiple user groups.
Figure: Securing ecommerce, extranets, and enterprise portals with the VPN Gateway 3050. Headquarters, telecommuters, suppliers, partners, customers, and the mobile workforce connect over the Internet through SSL to accelerated secure Web applications, Web mail, enterprise portal remote access, and extranet applications such as CRM/SFA.

The VPN Gateway 3050 allows administrators to evolve their Web-only extranets into full-scale remote access VPNs simply by activating the SSL VPN features.

Secure session management

Users accessing load-balanced applications through their Web browser can experience dropped sessions if their requests are redirected to an alternate server during a session key refresh. This browser-initiated security feature is intended to limit the risk of open but unattended live sessions by periodically renegotiating session keys. However, a subsequent DNS lookup for the same application might well direct the user to a different server, breaking client persistence and interrupting the session. To solve this problem, the VPN Gateway 3050 uses a second-tier virtual IP address structure that associates certificates with backup servers, allowing SSL session persistence in a globally distributed environment and ensuring that application availability and performance are maintained for remote users with lengthy sessions.

Content translation

The VPN Gateway 3050 is no ordinary SSL accelerator. Its long list of SSL VPN features can be applied as needed to simplify extranet environments. Application Address Translation rewrites private IP addresses to DNS-resolvable public IP addresses without any server or application reconfiguration. The gateway also parses content on the fly to identify and rewrite links that contain embedded URLs. All client sessions are converted to SSL-secured HTTPS sessions, including FTP and CIFS/SMB protocols.

Advanced filtering

SSL traffic on port 443 is almost always permitted across firewalls in their default configuration, and because the payload is encrypted the firewall cannot see what an authenticated user is actually requesting. This presents a possible security risk if an authenticated user has malicious intent.
To address this risk, the VPN Gateway 3050 incorporates a proven Layer 4-7 filter that provides a line of defense at the point where the traffic is decrypted, denying access to authenticated users based on IP address, TCP port, requested URL, application type, or cookie information.

Auditing

The VPN Gateway 3050 can create detailed activity reports so administrators can track individual usage and create lists of user attributes. To monitor application usage, the gateway can also provide detailed daily reports on the number of sessions and session rates, including application access. All information can be exported to popular databases for analysis and record keeping.

Application tunneling

Applications that integrate businesses with partners and suppliers often share sensitive information. While the enterprise might be concerned with authenticating end users, the end user is more likely to be concerned about the confidentiality and integrity of the data, both of which are lost if the SSL session is terminated and the data forwarded in cleartext. The VPN Gateway 3050 can be configured to maintain SSL-encrypted sessions to the back-end servers, so that the data is never carried in cleartext at any point between client and server.
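The Layer 4-7 filter described under Advanced filtering above, together with the per-request audit record described under Auditing, as an added Python example written for this page (it is not Nortel's filter code): each decrypted, already-authenticated request is checked against an ordered rule list keyed on source IP, TCP port, URL path, and cookie values, and the decision is returned alongside an audit record that can be exported. The rule format, the request field names, and the sample requests are constructed assumptions.

```python
"""Post-authentication Layer 4-7 filter with an audit record.

Added example for this page (not Nortel code). The rule format, the
request fields and the sample requests are constructed assumptions.
"""
import fnmatch
import ipaddress

# Ordered rule list: the first matching rule decides. A rule only tests
# the keys it names; a request that matches no rule is denied.
RULES = [
    {"action": "deny", "src": "10.20.0.0/16", "url": "/admin/*",
     "reason": "admin UI is not reachable from the partner range"},
    {"action": "deny", "cookie": {"role": "guest"}, "url": "/api/export/*",
     "reason": "guest sessions may not bulk-export data"},
    {"action": "deny", "port": 8443,
     "reason": "only the public HTTPS port is exposed"},
    {"action": "allow"},
]


def rule_matches(rule, req):
    """True when every criterion named in the rule holds for the request."""
    if "src" in rule and (ipaddress.ip_address(req["src_ip"])
                          not in ipaddress.ip_network(rule["src"])):
        return False
    if "port" in rule and req["dst_port"] != rule["port"]:
        return False
    if "url" in rule and not fnmatch.fnmatchcase(req["path"], rule["url"]):
        return False
    for name, value in rule.get("cookie", {}).items():
        if req.get("cookies", {}).get(name) != value:
            return False
    return True


def filter_request(req, rules=RULES):
    """Return (allowed, audit) for one decrypted, authenticated request."""
    audit = {"user": req.get("user"), "src_ip": req["src_ip"],
             "dst_port": req["dst_port"], "path": req["path"]}
    for index, rule in enumerate(rules):
        if rule_matches(rule, req):
            audit.update(decision=rule["action"], rule=index,
                         reason=rule.get("reason", ""))
            return rule["action"] == "allow", audit
    audit.update(decision="deny", rule=None, reason="no rule matched")
    return False, audit


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"user": "alice", "src_ip": "10.20.5.7", "dst_port": 443,
     "path": "/admin/users", "cookies": {"role": "partner"}},
    {"user": "bob", "src_ip": "198.51.100.8", "dst_port": 443,
     "path": "/api/export/all", "cookies": {"role": "guest"}},
    {"user": "carol", "src_ip": "198.51.100.9", "dst_port": 8443,
     "path": "/portal/home", "cookies": {"role": "employee"}},
    {"user": "dave", "src_ip": "198.51.100.10", "dst_port": 443,
     "path": "/portal/home", "cookies": {"role": "employee"}},
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Filter each sample request and return its audit record."""
    return [filter_request(r)[1] for r in requests]


if __name__ == "__main__":
    for record in run_samples():
        print(record)
```

The filter is default-deny: an empty rule list, or a request that falls through every rule, is refused and audited as such, so a policy mistake fails closed rather than open.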
Multi-protocol support

The VPN Gateway 3050 can offload and accelerate all applications that provide native support for SSL, including HTTPS, LDAP-S, SMTP-S, POP3-S, IMAP-S, and Telnet-S. But offloading encryption/decryption processing is only half of the story: the VPN Gateway 3050 opens up a new world of SSL applications by applying its SSL VPN features to secure virtually all TCP/UDP applications.

Performance optimization

Secure ebusiness applications are characterized by a high rate of new session setups of limited duration, as customers enter critical information such as credit card numbers and personal data. The VPN Gateway 3050 is designed for these environments with a high number of SSL transactions per second (TPS) and a large concurrent session capacity. SSL acceleration devices are often rated at the maximum TPS of their integrated cryptographic processors; real-world performance, however, is often less than 50 percent of the stated figure because of I/O limitations within the device and processor overhead for software-based features. The VPN Gateway 3050 has a non-blocking I/O architecture that provides a real-world processing capability of 1,500 RSA public key operations per second. To push performance levels even higher, the VPN Gateway 3050 incorporates hardware-accelerated bulk encryption, which increases encrypted throughput to over 200 Mbps.

End-to-end encryption

The VPN Gateway 3050 supports back-end encryption, allowing all the benefits of SSL acceleration and content-based switching services without sacrificing the security of client-to-server SSL encryption. Security-sensitive industries such as financial, healthcare, and government services cannot accept the liability of breaking the client-to-server encrypted path. Until now, these strict requirements have made it impossible for these industries to benefit from SSL offload and acceleration solutions.

Traditional SSL accelerators can only offload back-end servers by terminating the SSL sessions and establishing non-secure, cleartext sessions with the back-end servers. This presents a security risk, as anyone with access to the back-end infrastructure can sniff packets and pull out sensitive information such as credit card numbers and passwords. Installing specialized cryptographic cards in the servers themselves leads to increased capital and management costs, server downtime, and installation complications, and it also limits load balancing and other content-based services. Less sophisticated back-end encryption schemes establish a second, full SSL session to the server for each request. This approach involves two complete SSL session negotiations per request and amounts to non-accelerated back-end encryption. The VPN Gateway 3050 incorporates SSL session reuse, variable encryption, and connection pooling to allow secure session proxying that accelerates servers without losing client-to-server encryption.

Figure: End-to-end encryption and integrated load balancing with the VPN Gateway 3050. Traffic from the Internet reaches the VPN Gateway 3050, which applies content-based load balancing, cookie-based session persistence, server health checking, and Layer 7 filtering, then forwards it through an Ethernet switch to the load-balanced server farm, with end-to-end encryption to the back-end servers.

Site monitoring

Mature ebusiness sites use performance monitoring tools to keep track of site activity. As the secure component of customer visits grows beyond the authentication and transaction pages to include most of the session, important information can be lost to encryption. The VPN Gateway 3050 incorporates advanced logging capabilities that recapture important client data, alert/error messages, and certificate data, which can then be exported for use with performance monitoring tools. Because these logs are recovered from decrypted traffic, they need the same access controls as the servers they describe.
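The handshake fields that the logging feature above captures are visible to an offload device before any decryption takes place, because the ClientHello is sent in the clear. The following Python example, added for this page and not Nortel code, parses a TLS ClientHello record and extracts the offered protocol versions, cipher suites, and server name (SNI) into a log line of the kind a monitoring tool could import. The sample record is constructed by build_client_hello(), not captured traffic, and the log-line format is an assumption.

```python
"""Parse a TLS ClientHello for handshake logging.

Added example for this page (not Nortel code). The record used below is
built by build_client_hello() for the demonstration, not captured
traffic, and the log-line format is an assumption.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def _vec(data, width):
    """Length-prefixed vector as TLS encodes it (width = prefix size)."""
    return len(data).to_bytes(width, "big") + data


def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]


def build_client_hello(host, cipher_suites, versions, legacy_version=0x0303):
    """Construct a sample ClientHello record (test input, not a capture)."""
    sni = _vec(b"\x00" + _vec(host.encode("ascii"), 2), 2)  # host_name entry
    sv = _vec(b"".join(struct.pack("!H", v) for v in versions), 1)
    exts = (struct.pack("!H", EXT_SERVER_NAME) + _vec(sni, 2)
            + struct.pack("!H", EXT_SUPPORTED_VERSIONS) + _vec(sv, 2))
    body = (struct.pack("!H", legacy_version)
            + bytes(32)                                   # random (zeroed)
            + _vec(b"", 1)                                # empty session_id
            + _vec(b"".join(struct.pack("!H", c) for c in cipher_suites), 2)
            + _vec(b"\x00", 1)                            # null compression
            + _vec(exts, 2))
    handshake = bytes([CLIENT_HELLO]) + _vec(body, 3)
    return bytes([TLS_HANDSHAKE]) + struct.pack("!H", 0x0301) + _vec(handshake, 2)


def _parse_sni(data):
    """Return the first host_name entry of a server_name extension."""
    end, pos = 2 + _u16(data, 0), 2
    while pos + 3 <= end:
        name_type, length = data[pos], _u16(data, pos + 1)
        pos += 3
        if name_type == 0:
            return data[pos:pos + length].decode("ascii", "replace")
        pos += length
    return None


def parse_client_hello(record):
    """Extract the fields an offload device can log before any decryption."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    declared = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + declared]
    if len(body) != declared:
        raise ValueError("truncated ClientHello")
    try:
        legacy = _u16(body, 0)
        pos = 2 + 32                                # version + client random
        pos += 1 + body[pos]                        # session_id
        cs_len = _u16(body, pos)
        pos += 2
        suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                        # compression methods
        info = {"legacy_version": VERSION_NAMES.get(legacy, hex(legacy)),
                "cipher_suites": suites, "sni": None, "supported_versions": []}
        if pos + 2 <= len(body):                    # extensions are optional
            end = pos + 2 + _u16(body, pos)
            pos += 2
            while pos + 4 <= end:
                etype, elen = _u16(body, pos), _u16(body, pos + 2)
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                if etype == EXT_SERVER_NAME:
                    info["sni"] = _parse_sni(edata)
                elif etype == EXT_SUPPORTED_VERSIONS and edata:
                    info["supported_versions"] = [
                        VERSION_NAMES.get(_u16(edata, i), hex(_u16(edata, i)))
                        for i in range(1, 1 + edata[0], 2)]
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    return info


def handshake_log_line(record):
    """One line per handshake, in a form a monitoring tool can import."""
    info = parse_client_hello(record)
    return "sni={} legacy={} offered={} suites={}".format(
        info["sni"] or "-", info["legacy_version"],
        ",".join(info["supported_versions"]) or "-",
        ",".join(f"0x{c:04x}" for c in info["cipher_suites"]))


if __name__ == "__main__":
    sample = build_client_hello("portal.example.com",
                                [0x1301, 0xc02f, 0x000a], [0x0304, 0x0303])
    print(handshake_log_line(sample))
```

Every length field is checked against the bytes actually present, and a short or malformed record raises ValueError instead of being logged with garbage fields; a parser that sits in front of decryption is itself attack surface and must not trust the lengths a client sends.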
High availability

The VPN Gateway 3050 concentrates business-critical functions onto a single platform and therefore often needs to be deployed in a high-availability configuration. Multiple VPN Gateways can be deployed with redundant switches in an active-active or active-standby configuration to provide full redundancy of both switching and SSL functions. The gateway can also provide session persistence in secure global server load balancing (GSLB) configurations and distributed environments.

Scalability

The VPN Gateway 3050 can be clustered in groups of up to 255 units when used with an Alteon Application Switch. This configuration can support any requirement between 1,500 and over 380,000 TPS, with single-system management for easy cluster additions.

Simple implementation

The VPN Gateway 3050 is non-intrusive to existing network topologies. Attached directly, or across a local broadcast domain, to an Alteon Application Switch, the gateway appears as just another transparent server, allowing all Alteon traffic management services (load balancing, filtering, network address translation, policy redirection, automatic fail-over, and intelligent scriptable server health checks) to be configured for one or a group of VPN Gateways. In this configuration, the SSL traffic is processed by the switch's intelligent traffic management capabilities and the decrypted traffic is passed directly to the servers without being delayed by yet another layer of data analysis.

Nortel offices
In the United States: 35 Davis Drive, Research Triangle Park, NC 27709
In Canada: 8200 Dixie Road, Suite 100, Brampton, Ontario L6T 5P6
In Caribbean and Latin America: 1500 Concorde Terrace, Sunrise, FL 33323 USA
In Europe: Maidenhead Office Park, Westacott Way, Maidenhead, Berkshire SL6 3QH UK
In Asia: 6/F Cityplaza 4, Taikooshing, 12 Taikoo Wan Road, Hong Kong

Nortel is an industry leader and innovator focused on transforming how the world communicates and exchanges information.
The company is supplying its service provider and enterprise customers with communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Wireless Networks, Wireline Networks, Enterprise Networks, and Optical Networks. As a global company, Nortel does business in more than 150 countries. More information about Nortel can be found on the web at www.nortelnetworks.com. For more information, contact your Nortel representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.

* Nortel Networks, the Nortel Networks logo, the globemark design, and Alteon are trademarks of Nortel Networks. All other trademarks are the property of their owners. Copyright 2004 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. 94017.02-032204