Network World (US)
Secure and speedy is a tough combination to get when you are talking about an e-commerce site.
Intel Corp.’s new NetStructure 7110 eCommerce Accelerator was designed to give your Web site speed – it accelerates Secure Sockets Layer (SSL) transactions – without sacrificing security.
SSL was developed in 1994 to provide the security required for conducting e-commerce, but the price for this security was reduced Web server performance.
An SSL connection consists of an SSL handshake followed by cipher negotiation and generation. The next step in an SSL transaction is bulk encryption and decryption of the client request, which is followed by the server response. SSL acceleration removes the SSL handshake, cipher negotiation and generation, and the encryption/decryption burden from the Web server.
Our tests showed that the NetStructure 7110 – a drop-in, scalable appliance that processes up to 200 secure connections per second – handles the task of removing the SSL overhead burden from the Web server very well. It works by decrypting the client SSL packet before it reaches the Web server, requiring less CPU processing power from the server. After the request is processed, the packet is re-encrypted by the NetStructure 7110 and sent back to the client.
Our tests demonstrated that the NetStructure 7110 improved the performance of secure transactions by 80% over the baseline configuration.
We created a test harness capable of generating varying amounts of encrypted transactions per second using an HTTP Secure site comprised of three pages, one of which required posting to a form. Our transactions consisted of a user accessing a home page, selecting a link to a secure order entry page, entering customer data and a test credit card number and submitting this information for confirmation.
Both the single and paired NetStructure 7110 configurations we tested achieved more than double the total transactions of the traditional Web server environment. When we ran 600 virtual users against the base Web server configuration, approximately 2,000 transactions were processed in five minutes. When we ran 600 virtual users against the single and multiple NetStructure 7110 deployments, approximately 4,200 transactions were processed in five minutes.
The NetStructure 7110 also improved average transaction time, as the increase in transactions reflects: the average transaction time was cut by approximately 75%.
For the total transaction count to increase and the average transaction time to decrease, the total number of successful connections per second had to be increased. Our tests showed the number of successful connections increased almost tenfold. When we ran the tests without the NetStructure 7110, only 10 connections could be processed per second. However, when the NetStructure 7110 devices were installed, approximately 100 connections per second were made.
Our results showed little difference in performance when we added the second NetStructure 7110 unit. This condition may have been a result of the limited size of our test server. We believe that if you are using a larger server containing multiple CPUs, you will see the benefits of the second Intel unit, as the server should be better able to handle the increased throughput realized from the SSL acceleration.
Intel’s NetStructure 7110 is supported in an array of Web server environments, including Apache and servers from Microsoft Corp. and Netscape Communications Corp. Operating systems supported include multiple Unix flavors and Windows NT.
Another benefit of the NetStructure 7110 is the number of security algorithms currently supported. The algorithms supported are RSA Security Inc., RC2, RC4, RC5, DSA, Data Encryption Standard, Triple-DES, International Data Encryption Algorithm, CAST, CAST5, Blowfish, MD5, MDC2, RMD-160, SHA and SHA-1.
The NetStructure 7110 is fully configurable via the Command Line Interface, which an administrator can get to through the serial port and aux console RS232 port. However, the use of this administrative system was not adequately documented in the users’ guide. Initial setup of certificates and keys requires tweaking. We suggest a Java- or Web-enabled user interface would make installation and configuration easier.
The NetStructure 7110 can be installed in a standard 19-inch rack or can be free-standing on a flat surface. Either installation should allow for unrestricted airflow and ventilation openings. Other considerations are maximum ambient temperatures and circuit overloading.
A necessary part of the NetStructure 7110 configuration is the use of keys and certificates. There are three ways to obtain them:
Obtaining them from a certificate authority such as VeriSign Inc.
Using an existing key/certificate.
Creating a certificate on the NetStructure 7110.
For testing purposes, the appliance comes with default keys/certificates. However, for production purposes, the certificate should come from a recognized authority.
The NetStructure 7110 supports both auto mapping and manual mapping. Mapping is the process of associating a key identification with a server.
The initial configuration provides an automatic mapping entry for network port 443 and server port 80. A user can manually create mapping entries for individual servers using the “create map” command.
The appliance can be configured into a network in several ways. In the simplest, most common configuration, the NetStructure 7110 box is connected to the network between the router and the server by plugging in an Ethernet cable. You can also accelerate multiple Web servers with a single NetStructure 7110 machine. In this configuration, the NetStructure 7110 is located between a router and a hub that sits in front of your Web server farm.
The third way to deploy these appliances is to cascade multiple NetStructure 7110 units between the router and the Web server for additional performance and availability. When the “set spill enable” command is issued on the first 7110, the next 7110 will handle overflow from the first, and so on with multiple 7110 boxes. In all cases, the NetStructure 7110 boxes have no IP address; they are therefore transparent to the server and the router except at the lower communication layer.
Web sites running SSL have traditionally had performance issues, forcing companies to throw more expensive infrastructure resources into the site to ensure reasonable response time for the end user. Implementing Intel’s NetStructure 7110 on your site would ensure a significant improvement in performance without sacrificing security.
Gray is a software test engineer with SysTest Labs LLC in Denver. He has more than 11 years of professional experience with quality assurance/quality control project work including requirement development, requirement analysis, test planning, automated test design/development, database development and application development. In addition, he has five years of experience as a network/system administrator for both PC and Unix environments.
Copyright 2000 Network World (US), International Data Group Inc. All rights reserved.