Upsurge in Encrypted Traffic Drives Demand for Cost-Efficient SSL Application Delivery


WHITE PAPER
Cost-Efficient SSL Application Delivery

Always On SSL

Since 1994, enterprises looking to protect the security and integrity of web transactions have relied on HTTPS. HTTPS uses the standards-based IETF SSL/TLS [1] protocols to authenticate web servers and to encrypt traffic sent between the user and the web server. In recent years, there has been a notable movement towards extending encryption beyond just web commerce transactions to protecting all web traffic. In 2010, Google switched to using HTTPS to secure use of their email service and browser searches. [2] This helped prevent the theft of identity cookies and eavesdropping, as well as unwanted changes to transmitted content. Many other Internet service providers have also switched to HTTPS to secure their customers' traffic, including Twitter and Facebook. [3,4] More recently, Microsoft issued a patch to all their client and server operating systems that blocked the usage of RSA cryptographic keys shorter than 2048 bits. [5]

The transition to encrypting all Internet traffic is commonly referred to as "always on SSL". A recent analysis by Sandvine of the Internet traffic on their customers' networks revealed that 3.73 percent of upstream traffic and 1.97 percent of downstream traffic was protected with SSL. [6] Figure 1 predicts the impact of SSL traffic on IT organizations over the next five years. The blue line shows growth if the percentage of SSL-protected traffic stays at the 2012 aggregated level of 2.23 percent. The red line shows the Coyote Point projection that 5 percent of Internet traffic will utilize SSL by 2018. These projections show that the growth in SSL traffic is significant, and that even small to mid-size enterprises will need high-performance SSL application delivery platforms starting as early as 2013.

Today, most enterprises use SSL/TLS to secure traffic between multiple locations.
However, these organizations are recognizing that a critical part of success depends on the ability to also protect the privacy of customer and client traffic.

Figure 1. Projected growth in SSL traffic 2013 to 2018 (y-axis: Exabytes per Year; x-axis: 2012 to 2018; series: Sandvine GIPR Projection and Coyote Point* Projection; data courtesy of Sandvine* Global Internet Phenomena Report - 2H 2012)

Upgrading websites and applications to support SSL can take considerable effort. SSL is computationally intensive, and requires the server CPU to spend a considerable number of cycles encrypting and decrypting traffic. This negatively impacts the response times and latency that the user experiences. The performance impact and resulting slower page loads caused by SSL processing were particularly notable throughout 2011 and 2012 as the industry transitioned from certificates based on 1024-bit RSA keys to Extended Validation (EV) certificates using 2048-bit RSA keys. The longer key lengths increased the level of security, but required substantially more CPU processing cycles. There is the potential that even longer keys may be required in the future, as 4096-bit certificates are emerging for some applications.

An effective solution to this performance bottleneck is to offload SSL processing from the web servers to separate appliances designed to perform SSL acceleration. These appliances must be fast, efficient, and cost effective to meet today's needs, and they must be capable of scaling as demand grows. Coyote Point provides SSL offload and acceleration on its application delivery controller (ADC) products. The company recognized that, as SSL-protected traffic continued to grow, it needed to identify new technologies that would allow its appliances to exceed projected requirements. For this reason, Coyote Point chose the Intel platform for communications infrastructure to build its next-generation ADC product family. This paper describes the factors that influenced Coyote Point to design its next-generation ADC around this Intel platform, and how this translates into tangible benefits for IT organizations needing to address the challenges of increasing SSL traffic.

How Application Delivery Controllers Manage SSL Traffic

The common usage scenario for ADCs is to provide the appearance of a single Internet service which is actually running on multiple servers. Examples include a single URL for multiple WWW servers or a single email address for multiple Microsoft* Exchange servers.
Any IT organization responsible for delivering web and application services to customers probably has, or is considering the purchase of, ADCs, commonly called next-generation load balancers. ADC load balancers are deployed in enterprise organizations between the Internet and web servers, where workloads are distributed evenly across multiple servers, networks, CPUs, and other system resources. Load balancing has several key benefits, including maximizing throughput, minimizing network and server processing latencies, and improving the performance and capacity of server infrastructure. Perhaps the most crucial benefit is that it prevents any one web or application server from becoming a single point of failure and interrupting application availability.

Next-generation load balancers use sophisticated policy rules and scheduling algorithms to determine which server should receive a specific client request. Rules may be based on an extensive number of factors, such as geographical location, response times, and server capabilities. However, ADCs have evolved to do more than just load balancing. They continuously monitor and manage traffic and workloads, facilitate decisions about taking computing resources on and off line, monitor the health of a system, and identify potential resource constraints. Next-generation ADCs look deep inside packets to make intelligent decisions about how content should be manipulated and how to apply advanced routing strategies. Deep packet inspection provides a new level of optimization where workloads can be managed based on the type of content and packet attributes, such as Quality of Service.

There are two major technical challenges in designing next-generation ADCs with deep packet inspection capabilities. First, the underlying platform must be scalable and support the continued growth in Internet traffic. Second, the solution must efficiently handle the encryption/decryption of SSL traffic. Without the ability to decrypt packets, a load balancer cannot do deep packet inspection on encrypted traffic.

Figure 2. Coyote Point* SSL application delivery solution (diagram: SSL-enabled web browsers, smart phones, etc. on the Internet send SSL-secured traffic to the Coyote Point* load balancer with Intel QuickAssist Technology, which forwards cleartext traffic to the servers)

The location of the load balancer ADC, between the insecure Internet and the physically secured data center, makes it uniquely positioned to provide SSL offload and acceleration services. The ADC can provide SSL/TLS authentication and encryption services over the Internet, and then communicate in cleartext with the servers in the secured data center. This removes the need for servers to be burdened with processor-intensive decryption/encryption processing.

The Coyote Point* Solution

A typical Coyote Point deployment is shown in Figure 2, with the ADC between the firewall and web servers. Arriving web traffic is decrypted at the ADC, inspected for application-specific parameters, and forwarded to the appropriate servers in cleartext. Returning traffic from the servers is encrypted by the ADC before it is transmitted over the Internet.

SSL hardware accelerators are not new in the Coyote Point feature set, and the company has used several different non-Intel chipsets in previous product lines. However, when designing its next-generation ADC to meet the upsurge in encrypted traffic, a platform was needed that would provide an order of magnitude performance improvement. In 2013, Coyote Point will roll out a new series of ADCs, based on the Intel platform for communications infrastructure. Designed to process up to 160 million packets per second, it utilizes the Intel Communications Chipset 89xx Series to provide SSL hardware acceleration, compression, and pattern matching, and represents a major improvement in scalability and performance. This chipset series is dedicated and optimized to process the encryption and decryption of SSL traffic. It enables customers to offload the computationally intensive SSL processing from their servers while maintaining performance, even as the percentage of encrypted traffic grows.

The Intel Communications Chipset 89xx Series is available in four SKUs, as shown in Table 1; three feature hardware acceleration, making them scalable from 5 to 20 Gbps cryptography. The hardware accelerator can handle up to 28 thousand RSA CRT [7] operations per second, assuming a 1024-bit key, and 5.5 thousand assuming a 2048-bit key. The low-end SKU handles SSL cryptography in software, allowing developers to design and build their product solutions, and subsequently add hardware acceleration. Multiple Intel Communications Chipsets can be deployed within a single hardware platform, providing additional scalability.

Table 1: Intel Communications Chipset 89xx Series performance

SKU    Hardware acceleration   SSL Throughput (Gbps)   SSL Throughput (PKE ops/s)*   Total Throughput (Gbps)
8900   none (software only)    -                       -                             -
8903   5G                      5                       12,000                        8
8910   10G                     10                      24,000                        15
8920   20G                     20                      28,000                        25

* RSA CRT decryption using 1024-bit key

Customer Advantage with Coyote Point ADCs based on Intel Communications Chipsets

Improve efficiency of server resources

Most IT organizations are acutely aware that Internet traffic is growing exponentially, and are planning to expand their networks and data centers to support this growth. Many have already deployed ADCs to balance the load across multiple servers and optimize their resources. However, many IT organizations are only just beginning to see the uptake of encrypted SSL traffic over the Internet and its negative impact on performance. The recent transition to longer keys further exacerbates this situation. The solution is to replace slower, legacy SSL products with higher-performance and scalable SSL platforms. However, the advantages of implementing the Coyote Point ADC, based on Intel architecture, go beyond performance and scalability.

Improve network performance

Coyote Point's technical analysis shows that the Intel platform provides competitive performance advantages for both SSL processing and Layer 4 to 7 traffic management. Bill Kish, CEO at Coyote Point, states, "Typically Extended Validation SSL certificates and longer private key lengths slow servers and ADCs down by five to six times. In our trials we have seen a significant performance gain when we transitioned to the Intel Communications Chipset 89xx Series."
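The "RSA CRT operations" that the throughput figures above count are the private-key step of an RSA handshake, and the CRT shortcut is why accelerators quote it separately. The following Python is an added example, not code from Coyote Point or Intel: it implements the private-key operation both directly and via the CRT on constructed keys (the textbook p=61, q=53 pair and freshly generated random primes), and adds a rough bits^3 cost model, which is an assumption for illustrating the trend, not a measured rating.

```python
"""RSA private-key operation, plain vs. CRT, plus a rough cost model.
Added example, not code from Coyote Point or Intel. Key material is constructed
here (textbook p=61, q=53, and random primes for larger sizes); the bits^3
cost model is an approximation, not a measured figure.
"""
import secrets
from dataclasses import dataclass
from math import gcd

@dataclass(frozen=True)
class RsaPrivateKey:
    n: int      # modulus p * q
    e: int      # public exponent
    d: int      # private exponent, e * d == 1 (mod phi(n))
    p: int
    q: int
    dp: int     # d mod (p - 1)   } the three extra values a CRT
    dq: int     # d mod (q - 1)   } implementation stores alongside
    qinv: int   # q^-1 mod p      } p and q

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; adequate for constructed demo keys."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand

def make_key(p: int, q: int, e: int = 65537) -> RsaPrivateKey:
    """Derive d and the CRT components from p, q and e."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return RsaPrivateKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def generate_key(modulus_bits: int, e: int = 65537) -> RsaPrivateKey:
    """Constructed demo key of the requested size (retries if gcd(e, phi) != 1)."""
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return make_key(p, q, e)

def encrypt(key: RsaPrivateKey, m: int) -> int:
    return pow(m, key.e, key.n)   # public op: cheap because e is only 17 bits

def decrypt_plain(key: RsaPrivateKey, c: int) -> int:
    """Private-key operation as one full-size exponentiation (~bits squarings)."""
    return pow(c, key.d, key.n)

def decrypt_crt(key: RsaPrivateKey, c: int) -> int:
    """Same result via two half-size exponentiations and Garner's recombination."""
    m1 = pow(c % key.p, key.dp, key.p)
    m2 = pow(c % key.q, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q

def relative_cost(modulus_bits: int, crt: bool) -> int:
    """Rough model: ~bits multiplications of ~bits^2 work each, so bits^3; CRT does
    two of them at half size, a quarter of the work. Doubling the key costs ~8x
    here, while Table 1's 28,000 vs 5,500 ops/s is ~5x: a trend, not a rating."""
    if crt:
        return 2 * (modulus_bits // 2) ** 3
    return modulus_bits ** 3
```

On a 2048-bit key the CRT path is several times faster than the plain one in pure Python as well, which is the same saving the accelerator bakes into its "RSA CRT" rating.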
Enable scalability as business grows

The scalability of the Intel Communications Chipset 89xx Series enables Coyote Point to drive SSL acceleration capabilities into its low-end product family. This makes the technology and its benefits available to small businesses with as few as two web or Exchange servers, through to large enterprise organizations that manage large data centers in multiple geographic locations. This level of scalability provides IT organizations with a solid plan for growth and the ability to quickly respond to traffic changes.

Protect your investment

For years, IT organizations have seen the benefits of running on Intel architecture. These include a roadmap of continued performance improvements and the ability to take advantage of new processors without the need to redesign and develop existing software applications. Intel's renowned tick-tock development methodology delivers a roadmap of continuous performance improvements to the market. The tick represents a significant reduction in the die size. The tock represents a new microarchitecture based on a reduced die size that optimizes both performance and power consumption. The Intel x86 processor family continues to support legacy operating systems, meaning that programs developed to run on older processors can run on the newer processors. IT departments can rest assured that application software, designed to run on the Intel platform for communications infrastructure, will run on future Intel microprocessors, and customers can take immediate advantage of new, higher-performance chipsets as they become available.

Two things can be said with certainty: Internet traffic will continue to grow, and a greater percentage of traffic will be encrypted in the future. We can also anticipate more complex and expensive encryption techniques. A Coyote Point ADC based on Intel architecture provides the performance to support this growth, and the ability to roll out emerging cryptographic standards and recommendations.

Drive down the cost of provisioning secure SSL connections

The Coyote Point product roadmap delivers ADC products that increase performance while reducing the cost of processing SSL connections year after year. An essential part of delivering this roadmap is a robust software development environment. The Intel software development environment provides a comprehensive suite of tools that supports the entire software development cycle, from coding, compiling, and debugging to analyzing performance and troubleshooting. It combines industry-leading, open source software with a broad set of tools, to enable product development that achieves exceptional performance, code stability, and power optimization on the latest generation of Intel microprocessors. Figure 3 shows the Intel QuickAssist Technology that provides developers with a consistent API to invoke the hardware acceleration engine. [8] This means that ADC applications written for the Intel Communications Chipset 89xx Series will work on the next generation of Intel's hardware accelerators, providing the reliability that IT departments need to support their data center traffic.

Leverage virtualization

The Intel Communications Chipset 89xx Series can perform thousands of RSA operations per second. When hardware acceleration is used in a virtual environment, its capabilities can be shared by multiple instances of the ADC applications. Conversely, an ADC application can utilize multiple chipsets. There are many advantages of virtualization, including the ability to consolidate hardware, reduce power consumption, improve security, and the flexibility to provision ADC resources as needed. Support of SSL hardware acceleration in a virtualized environment is important for large enterprise organizations that are hosting applications or providing cloud services, and need to quickly respond to changing traffic usage.
These benefits can also be realized by small- and medium-size businesses looking to improve the efficiency of their IT organizations. Coyote Point is fully committed to implementing virtualization on its next-generation ADC platform. Michael Hayes, President of Coyote Point, commented that, "We anticipate being the first virtual ADC appliance vendor to support cryptographic acceleration and offload with the Intel Communications Chipset 89xx Series."

Support the latest cryptography standards

Security standards and recommendations continue to evolve. The Intel Communications Chipset 89xx Series supports the current industry SSL recommendations, such as adoption of longer RSA keys and Extended Validation SSL certificates. It also supports new public key encryption techniques like Elliptic Curve Cryptography (ECC), which is expected to be standardized over the next few years as SSL/TLS security becomes even more prevalent.

Figure 3. Intel Communications Chipset 89xx Series for SSL hardware acceleration (block diagram: Intel Ethernet Network Connection I347-AT4 attached over x4 GbE MAC; PCIe* x16 Gen2; Intel QuickAssist Technology Crypto and Compression engines; x6 USB; x2 SATA; x50 GPIO; x2 UART; x4 DMI; SMBus; LPC & SPI; Timers, WDT, RTC, HPET; PCIe Gen1 Root as 1x4, 2x2 or 4x1)

Product Plans and Real Solutions

Today, Coyote Point is a market leader in the production of SSL performance and application delivery platforms. Its next-generation ADCs, running on the Intel communications platform, will provide IT organizations with solutions for handling the growth and the increasing complexity of encrypted web traffic. Coyote Point's initial Application Delivery Controller to be based on Intel architecture targets smaller-tier to large enterprise markets. It provides a truly high-performance solution for enterprise organizations running data centers and experiencing increased SSL processing loads on their servers. Through intelligent rule-based decision making, these next-generation ADCs will load balance traffic across the servers while offloading and accelerating SSL processing, to allow the servers to run at optimal performance.

Coyote Point is also extending the performance advantages of its next-generation ADC platform to small- and mid-tier customers. This will enable organizations with only a few servers to meet the growing market demands for encryption of Internet traffic while maintaining server performance.

For more information about Coyote Point products go to www.coyotepoint.com/products

For more information about Intel solutions for SSL hardware accelerators visit www.intel.com/go/commsinfrastructure

[1] Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). SSL is used in this white paper as an umbrella term encompassing both TLS and SSL protocols.
[2] http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html
[3] https://dev.twitter.com/docs/tweet-button/faq
[4] https://developers.facebook.com/blog/post/497/
[5] http://support.microsoft.com/kb/2661254
[6] Global Internet Phenomena Report: Sandvine, 2012
[7] Operations using the Chinese Remainder Theorem (CRT).
[8] For additional information on Intel QuickAssist Technology see http://www.intel.com/content/www/us/en/communications/communications-quick-assist-paper.html

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

A Mission Critical Application is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS, COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations: www.intel.com/performance/resources/benchmark_limitations.htm.

Intel and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

* Other names and brands may be claimed as the property of others.

Other vendors are listed by Intel as a convenience to Intel's general customer base, but Intel does not make any representations or warranties whatsoever regarding quality, reliability, functionality, or compatibility of these devices. This list and/or these devices may be subject to change without notice. Results have been estimated based on internal Intel analysis and are provided for informational purposes only. Any difference in system hardware or software design or configuration may affect actual performance. This document contains information on products in the design phase of development.

Copyright 2013, Intel Corporation. All rights reserved. Printed in USA MS/VC/0113 Order No. 328564-001US