WAN optimization and application acceleration solutions have become more commonplace, and the market has exploded, but a major gripe from the user community is that most optimization appliances can't boost the speeds of SSL encrypted traffic from the server to the client.
Riverbed this week released an update to its RiOS software, which powers its Steelhead appliances. Version 4.0 adds the ability to accelerate SSL encrypted traffic, according to Apurva Dave, Riverbed's director of product marketing.
Depending on whom you ask, anywhere from 15% to 30% of enterprise traffic is SSL encrypted. In the past, however, SSL traffic could not be safely accelerated, forcing IT to choose between speed and security. In most cases, security won out.
Essentially, companies would either have to turn off SSL for acceleration or use certificate faking or spoofing to have SSL certificates and private keys copied and moved outside of the data center onto remote servers.
Dave said Riverbed's RiOS update accelerates SSL traffic across the WAN without faking and spoofing. Using "split termination," the software copies and stores SSL certificates and private keys in the data center on the server-side Steelhead appliance. From there, the Steelhead uses its own identity certificate to establish a secure connection with another Steelhead across the WAN. When the server requests data from the branch office, the client begins an SSL session with the Steelhead on the server-side, which
Robert Whiteley, senior analyst with Forrester Research, said that accelerating SSL traffic is "critical" to enterprises concerned with Sarbanes-Oxley or HIPAA compliance.
"We find that, on average, firms SSL-encrypt as much as 30% of their WAN traffic -- and it's growing," Whiteley said. "Moreover, a financial services, pharmaceutical or hospital might see as much as 70% SSL traffic. A lot of companies are getting ahead of auditors by encrypting traffic."
Before vendors began to take note that SSL traffic acceleration was becoming a necessity, traffic would just pass through WAN optimization and acceleration boxes unsecured. When SSL traffic was limited to 20% or less, that was no big deal, according to Whiteley, but as the use of SSL traffic across the WAN grows, the need for SSL encryption grows with it.
"SSL encrypted traffic is, by nature, the most critical traffic," he said.
A senior systems engineer at a large multi-national holding company, who asked that his name not be used (for reasons of competition), said centralization of applications has made SSL acceleration a near necessity. The majority of centralized applications, which need to be accessed by offices the world over, are considered critical and sensitive.
"Most of these applications are financial and Web-enabled, and we demand reasonable performance and security," he said, adding that users could be turned off by slow response and choose not to use the critical applications because of frustrating delays.
While he couldn't pinpoint specific numbers, the systems engineer said that testing Riverbed's SSL acceleration in a lab environment showed a dramatic improvement in application speed and performance. Now, he said, the company can centralize applications that couldn't be centralized before because of their sensitivity.
"It's not just a matter of speed," he said. "It just wasn't doable for some of the applications to be centralized."
Whiteley noted that other vendors, such as Blue Coat and Silver Peak, have methods of accelerating SSL traffic as well, and Juniper recently announced that it will support SSL traffic natively, though right now it has to do so out-of-band with its DX product line.
Riverbed's SSL acceleration is more "certificate friendly," Whiteley said, but he noted that users who want more visibility into their WAN traffic could also benefit from Blue Coat.
Riverbed accelerates traffic based on the trust model, he said, meaning that it ensures that SSL certificates are not sitting on a piece of hardware where they can be compromised. Riverbed issues a session certificate on the server-side that expires once a session is over.
Silver Peak's solution uses optimization techniques such as latency and TCP optimization, mitigating against the impact of traffic loss, and QoS and traffic shaping to boost SSL traffic, according to the company. Silver Peak "does not currently do data reduction or compression on SSL traffic," the company said in a statement, later noting that it does plan to add this level of optimization in the near future.
"It's worth noting that much of SSL traffic is interactive – requiring low latency and potentially sensitive to packet loss, latency and jitter," Silver Peak said. "Other devices add over 400 ms latency, which is unacceptable for SSL-based interactive applications and, therefore, SSL traffic may need to be bypassed/unoptimized anyway." #33078
Blue Coat, with its MACH5 acceleration technology in its SG appliances, uses a proxy-based method. Because a proxy is an active device, meaning that it terminates traffic, it acts as both the server to the client and the client to the server. In an SSL session, Blue Coat SG appliances terminate the encrypted connection, inspect the traffic and apply acceleration techniques to its content. Then they re-encrypt the traffic and send it to its destination.
In a recent survey of more than 1,400 enterprise IT managers from 40 countries, Blue Coat found that roughly 45% plan to roll out new SSL applications in the next year, building on the 53% that already have SSL-encrypted applications deployed. In addition, 35% of respondents said that SSL already represents a quarter or more of their WAN traffic, with nearly 15% noting that SSL represents half or more of their WAN traffic.
Chris King, director of strategic marketing for Blue Coat said the statistics illustrate the need to accelerate SSL traffic on the WAN.
"There's a lot of SSL traffic," he said. "It makes up a lot of organizations' WAN traffic, and it's on the rise."
King added that since many organizations outsource at least one application, Blue Coat accelerates both internally and externally controlled SSL Web applications.
Along with SSL acceleration, Riverbed today also enhanced HTTP acceleration and added HTTPS acceleration, the protocols used for Web-based applications such as SAP, Siebel, PeopleSoft, IBM WebSphere and MS Sharepoint. RiOS 4.0 has enhancements to the intelligent learning mechanism that discovers and tracks objects on Web pages, such as images, scripts and cascading style sheets. Once the server-side box has knowledge of the objects on a page, it can streamline page requests by transferring all objects in parallel, which confines chattiness to the LAN and optimizes the data transfer on the WAN. On the client side, the Steelhead reconstructs the page and delivers it to the client.
RiOS 4.0 also speeds TCP transmission, with Max-Speed TCP (MX-TCP). TCP typically backs down when a pipe is congested. MX-TCP uses QoS enforcement to alter and control the sending rate of traffic to ensure 100% utilization of the allowable bandwidth dedicated by an administrator. For example, a user that could use only 9% of its 10 Mbps connection because of packet loss could prioritize certain traffic times and ultimately use 90% of its connection for faster throughput with MX-TCP.
Ray Sorois, IT manager for Wright-Pierce, a Maine-based engineering firm, said he uses QoS in Cisco routers to separate voice, video and data traffic and ensure that real-time traffic is prioritized. However, Sorois said he needed more granularity to prioritize more specific traffic. For example, Wright-Pierce has a GIS server that hosts large aerial site photos. In the past, if an end user in one of the company's remote offices wanted to request a photo from the GIS server, Sorois would advise against it, because pulling those huge files would slow traffic for others using the WAN.
"Don't hit on that server," he would tell them. "Call and I'll send it to you on a CD."
While delays wouldn't be as evident for users working in Microsoft Word or Excel, AutoCAD users would experience a "freeze," Sorois said. Their machines would stall and their cursors would stand still.
"During a major hit, their machines would be unresponsive," he said.
A few configuration changes to the Steelhead, however, let Sorois dedicate a certain amount of the pipe to GIS traffic, meaning that it can flow unimpeded without degrading other traffic flows.
And though Wright-Pierce doesn't currently accelerate SSL traffic, Sorois said, he can recognize a need for it in today's security-focused environments.
"A lot of companies do use SSL," he said, "so they'll need that added level of performance."