Version Highlights
SSL Accelerator Version 2.11
New hardware and software version

North America: Radware Inc., 575 Corporate Dr., Suite 205, Mahwah, NJ 07430. Tel 888 234 5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel. Tel 972 3 766 8655
www.radware.com

New Hardware Platform

The SSL Accelerator product line now includes two platforms:

1. Model B: Supports up to 750 transactions per second.
2. Model A: Supports up to 450 transactions per second.

Benefit: The combination of these two platforms provides two levels of performance, accommodating the various performance requirements of industry sectors such as online banking, healthcare and e-commerce.

New Software Features

The following features are available on both Model A and Model B.

Back End Encryption

Organizations with strict data security policies may want to avoid transmitting clear text even on their internal networks. Using SSL encryption, Back End Encryption creates a secure channel between the SSL Accelerator and the back end Web servers. When establishing an SSL connection to a back end Web server, the SSL Accelerator behaves like a Web browser. The symmetric session key generated in the initial SSL session is reused by the SSL Accelerator and the back end Web server in subsequent sessions. This eliminates the need for the Web servers to perform CPU-intensive SSL handshakes for new SSL sessions. In addition, a configurable key length enables the use of shorter keys for the back end sessions, further reducing the Web servers' CPU load.

Encryption can be performed on three types of traffic:

- HTTP traffic: Converts incoming HTTP to HTTPS.
- HTTPS traffic: Encrypts incoming HTTPS sessions using light-weight encryption.
- HTTP and HTTPS traffic: Converts incoming HTTP and HTTPS traffic into secure information.

[Figure 1: Back End Encryption. Elements shown: Access Router, WSD, SSL Accelerators, HTTP Servers; links labelled HTTPS and HTTP/HTTPS.]

Benefit: End-to-end secure channels guarantee that the end user's secure information remains secure all the way to the destination server. In addition, the ability to encrypt secure as well as non-secure information ensures there will be no clear-text transmission on internal networks.

Application Example: Banking, financial industries and governmental institutions have extremely strict requirements about data security. Companies in these sectors demand that data be encrypted end-to-end, including on their internal networks.

Client Certificate Authentication

SSL client authentication enables a server to confirm a user's identity, using the same techniques as those used for server authentication. The SSL Accelerator verifies that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the SSL Accelerator's list of trusted CAs. In addition, the SSL Accelerator checks that the client certificate does not appear in the Certificate Revocation List (CRL). If it does, the user is denied access and the session is terminated.

Benefit: Real-time identification and access control for users who are trying to access the server.

Application Example: Online banking and healthcare systems are two industry sectors that use the client certificate authentication mechanism to verify a user's identity. The information exchanged on these organizations' networks is highly sensitive, and validating a user's identity only by means of a user name and password is sometimes insufficient. The SSL Accelerator's client certificate authentication mechanism verifies in real time the validity and the access rights of each user's certificate. This facilitates high-level access control without adding complexity to the network or loading the organization's back end Web servers with CPU-intensive SSL handshakes.
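
The two checks described above (the certificate was issued by a trusted CA, and it is not on the CRL) can be reproduced with the openssl command line. This is an added example, not Radware code or device configuration; the demo CA, the users alice, bob and mallory, and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway PKI built only to exercise the two checks.

make_demo_pki() {   # $1 = empty working directory
  ( set -e; cd "$1"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    : > index.txt; echo 01 > serial
    newkey="-newkey rsa:2048 -nodes -config ca.cnf"
    # Trusted CA, plus a self-signed cert (mallory) that no trusted CA issued.
    openssl req -x509 $newkey -extensions v3_ca -subj "/CN=Demo CA" -keyout ca.key -out ca.pem
    openssl req -x509 $newkey -subj "/CN=mallory" -keyout mallory.key -out mallory.pem
    for u in alice bob; do
      openssl req $newkey -subj "/CN=$u" -keyout "$u.key" -out "$u.csr"
      openssl ca -batch -notext -config ca.cnf -cert ca.pem -keyfile ca.key -in "$u.csr" -out "$u.pem"
    done
    # Revoke bob's certificate and publish a fresh CRL.
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke bob.pem
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem
  ) >/dev/null 2>&1
}

check_client_cert() {   # $1 = PKI directory, $2 = client certificate
  # -CAfile enforces the trusted-CA list; -crl_check enforces the CRL lookup.
  if openssl verify -CAfile "$1/ca.pem" -crl_check -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
  then echo ALLOW; else echo DENY; fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for u in alice bob mallory; do
  echo "$u: $(check_client_cert "$demo_dir" "$demo_dir/$u.pem")"
done
rm -rf "$demo_dir"
```

Without `-crl_check`, bob's revoked certificate would still verify, which is why revocation has to be an explicit part of the validation step.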

Global Server Certificate

The United States Government does not allow the export of US versions of Web browsers, such as Netscape Communicator or Microsoft Internet Explorer, to end users outside the US and Canada. This means that the exported Web browser is only able to perform encryption with key lengths of up to 40 bits. However, US Government export regulations do allow certain industries in countries outside the US and Canada to use cryptographic products with the same key lengths as in the US. Currently these include financial institutions, such as banks and insurance companies, and health industry organizations.

Global Server Certificates are special server certificates that the US Government has authorized to be issued to customers that qualify for strong encryption, such as financial institutions. When the Web browser recognizes the special certificate, it enables strong encryption routines, such as RC4 with 128-bit keys or Triple DES with 168-bit keys. Version 2.11 enables importing and exporting the Global Server Certificate and binding it to a specific proxy. This accommodates the strong encryption that is required by many industry sectors operating outside of the US.

Benefit: Financial institutions and health industry organizations operating outside of the US can enjoy the same high security level as in the US.

Application Example: Banking, financial industries and governmental institutions that operate outside of the US have extremely strict requirements about data security. Companies in these sectors demand data encryption with key lengths of up to 128 or 168 bits.

Managing the SSL Accelerator

Web Based Management Application

Like all Radware devices, the SSL Accelerator can also be managed through a simple, easy-to-use, web based management application. This Java based utility allows remote configuration and monitoring of the device.
The management application can be launched either:

- via Configware, in installations where the SSL Accelerator is used in conjunction with other elements such as WSD, or
- from any browser by typing the element URL, in installations where the CertainT 100 is the only Radware element on the network.

Bypass Mode (New Hardware Feature)

Bypass mode is a new mechanism that is automatically activated in case of power failure. When the device is in Bypass mode, traffic simply passes through it.

Benefit: This fail-over, pass-through technology ensures uninterrupted service and reduces the risk of a single point of failure, which is particularly important in an in-line configuration.

Application Example: In an in-line configuration, as shown below, the Bypass capability guarantees the network's continuous operation should the SSL Accelerator's power fail.

[Figure 2: In-line configuration. Elements shown: Access Router, SSL Accelerator, WSD, HTTP Servers.]

Note: This feature is only available with the new hardware platform.