As SSLSSL adoption continues to trend upward, enterprises are demanding WAN optimization techniques that can adapt to traffic secured by the technology. This demand will continue to increase as enterprises adopt business-critical applications delivered through the Software as a Service model.
While the technology has improved in both performance and ease of use, significant barriers still stand between networking administrators and the huge return on investment that SSL-enabled WAN optimization promises.
"People worry that SSL encryption will be too complicated, and ... when they plan their WAN optimization strategy, end-to-end encryption is something they have to consider," said Eric Siegel, a senior analyst with the Burton Group. "And I would worry about it."
The complexity of such implementations, both technologically and even organizationally, is considerable. But the payoff, particularly in cash-strapped times, can be irresistible.
SSL WAN optimization's young history
The race to secure SSL traffic began in earnest about two years ago, as vendors began unveiling methods to intercept encrypted traffic at key chokepoints (typically at the edges of branch office and regional headquarters networks).
WAN optimization vendors would intercept data at those chokepoints. They would decrypt the data, optimize it for the WAN, re-encrypt it, and send it to the next chokepoint, where the vendor would begin the process again before sending the data to its ultimate destination.
This complexity is a headache for network administrators, who must maintain duplicate SSL certificates on clients, servers and optimization appliances. To this day, some vendors, such as Silver Peak, have decided to sit out of the SSL optimization game, opting instead to focus on optimizing the majority of the traffic that is unencrypted.
But companies that are in strict, highly regulated industries, with stringent security requirements, need to have that encrypted traffic optimized. Many vendors say their products are up for the challenge, but implementation could still cause some headaches.
Savings worth fighting for
"This can be complex," Siegel admitted. "But the payoff can be huge, and so people should get on this."
He said many implementations see a return on investment in as little as a year, generated by bandwidth savings and increased productivity as workers are no longer being hobbled by a slow network.
To fully realize those savings, many more companies will have to tap into a solution that at least addresses the need for SSL traffic.
In 2007, various studies found that 15% to 30% of enterprise WAN traffic was encrypted. Blue Coat now estimates that roughly 60% of its acceleration customers are optimizing SSL traffic alongside unencrypted traffic.
Forrester Research says this trend is likely to continue, with companies using SSL to support remote workers, for example.
"Increasingly, it's not only about how much you can accelerate applications, but are you doing it in a way that fits current security procedures," said Mark Urban, senior director of product marketing for Blue Coat. "Integration of acceleration technologies along with security technologies becomes more important."
Proper training on how to use these advanced features is also becoming important.
"[Vendors] always say it's so trivial, but it can be complicated," Siegel said. "It's not just encryption; it's how … this intercept[s] the data that goes between the server and the user. And it has to intercept both directions [of traffic]."
Some appliances completely modify header information; others leave it largely untouched. With either approach, the misconfiguration of one head end appliance can lead to misrouting.
On a more basic level, Siegel said, some administrators are uncertain exactly how well, if at all, these capabilities can work -- uncertainty driven in part by vendors' attacks on one another.
"Vendors say the other guy is going to kill you; and then people start to worry that everyone is going to kill them," Siegel said.
The end result is occasional misinformation. In a recent TechTarget survey, for example, a reader heaped high praise on Riverbed's Steelhead appliance, only wishing it had SSL encryption support, a feature the company has had for about two years.
"Surveys are always interesting because you're talking to specific individuals and not the market as a whole," said Apurva Dave, Riverbed's senior director of product marketing. "We certainly think there is always room for more education for the market at large, and even our own customers."
Dig deeper on Internet and application security