John, Florida - Michigan State, probably anyone's game Monday night. The NCAAs this year are like the Academy Awards were, no clear favorite.
Not much news here lately. Here's an Intel web security appliance that fits in very well with their web server business. That business might just help Intel get all the right requirements together for lots of products, as in necessity is the mother of invention. Servers themselves also come to mind.
INTERNET APPLIANCES -- Getting UP TO SPEED
SATURDAY, APRIL 01, 2000 1:34 AM - CMP Media
Mar. 31, 2000 (InternetWeek - CMP via COMTEX) -- As more users go online to purchase goods, you can bet they will require a secure link to the Web site before they punch in their credit card information. A new problem cropping up as Web servers seek to secure user information while in transit over the Internet is the processing overhead associated with encrypting SSL (Secure Sockets Layer) data at the Web server.
To help offload some of the processing overhead associated with secure HTTP traffic (HTTPS), the NetStructure 7110 e-Commerce Accelerator from Intel drops transparently between your Internet connection and your Web server farm and handles all of your SSL encryption. Software-independent, the 7110 can work with any number of Web servers, and you can use multiple 7110s to provide cascading load balancing. The only thing missing is remote configuration and management of any kind.
Studies show a huge decrease in Web server performance when HTTPS traffic comes into the system. The 7110 e-Commerce Accelerator, acquired when Intel purchased IPivot in October 1999, performs the long integer SSL arithmetic usually done by the Web server. Intel claims up to a 50-times improvement in SSL performance by using a single 7110 in front of your Web servers. While we could generate sufficient levels of SSL traffic to slow down our Internet Information Server 4.0 Web server on a Gateway ALR 7200 server, with the 7110 in place and using the same clients, we could not see any performance degradation.
The way the 7110 works is that you either copy your existing certificate from your Web server to the 7110 or create a new one right on the box. The 7110 works with SSL version 3, available in most popular browsers, and can drop back to version 2 if necessary.
It supports a wide range of security algorithms, including RSA, DSA, RC2, RC4, RC5, 3DES, IDEA, CAST, CAST5, Blowfish, MD5, MDC2, RMD-160, SHA and SHA-1. The 7110 actually terminates the SSL session from the user's browser. All SSL data is decrypted and sent on to the Web servers as clear text, greatly reducing processing requirements. Also, you can have as many as 300 certificates in a single 7110.
Installation of the 7110 is pretty uneventful. Because the 7110 does not use an IP address, it does not disrupt your existing IP scheme. It has two 10/100-Mbps Ethernet ports for network connectivity and two serial ports: one for the terminal-based command-line configuration and the other for use with an auxiliary console. You simply insert the 7110 inline with your Internet router and your Web servers, using Category 5 patch cables, and configure the box. We used HyperTerminal on a Windows NT 4.0 Workstation PC to configure our test unit over the serial console port.
The command-line interface is usable, but lacks any type of context-sensitive help, and the printed documentation leaves a lot of unanswered questions. Because the unit does not have an IP address, you cannot monitor the 7110 using SNMP or manage it remotely with any type of graphical utility.
Be that as it may, we were able to get the 7110 up and running in less than an hour, feeling our way through the commands to create our certificate and designate a "mapping" for our Web server. A mapping defines the Web server's IP address, the SSL port number (usually port 443), the clear text port (usually port 80) and the KeyID (the security key) associated with this server. This is what tells the 7110 what traffic to monitor.
With Intel taking the inline approach, we were concerned about downtime to our Web server should the 7110 fail for any reason. Intel has already taken this into consideration by designing the 7110 to short the two Ethernet interfaces together if there is ever a hardware or software failure in the unit.
Another fault-tolerance feature built into the 7110 is the ability to run multiple 7110s in series. This not only provides for backup in case one fails, but also allows you to set traffic thresholds so that excessive traffic will spill over from one unit to the next. For example, suppose you have two 7110s inline with your Web server farm. You can set the first unit to pass raw data downstream if the traffic reaches a predefined level. While the first 7110 still handles all SSL traffic up to that threshold, the second unit would handle the excess SSL traffic passed on by the first.
Although SSL is in place and capable of securing browser-to-business traffic, to overcome the SSL performance penalties, devices like the Intel NetStructure 7110 need to be deployed at the Web server farms. With the exception of remote management and monitoring, the 7110 does a fantastic job of offloading SSL overhead from the Web server and moves it one step closer to the end user.
Keith Schultz is a contributing editor at InternetWeek and president of NetData Consulting Services Inc., a Destin, Fla.-based consulting firm. He can be reached at kschultz@netdatacs.com.
--- NetStructure 7110 e-Commerce Accelerator, Intel, San Diego, 800-538-3373, www.intel.com/network. PRICING: $12,995. internetwk.com
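The mapping, threshold spill-over and fail-to-wire behaviour described in the article can be modelled in a few lines; this is an added example, not part of the original post or article and not Intel's software or command syntax. The class and function names, the threshold unit (concurrent SSL sessions), the key name and the 192.0.2.10 address are all assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Mapping:
    server_ip: str           # Web server address the unit watches for
    ssl_port: int = 443      # port carrying SSL from the browser
    clear_port: int = 80     # port the decrypted request is sent to
    key_id: str = "key1"     # which certificate/key to use (placeholder)

@dataclass
class Unit:
    name: str
    threshold: int                      # assumed unit: concurrent SSL sessions
    mappings: dict = field(default_factory=dict)
    failed: bool = False                # a failed unit behaves like a wire
    active: int = 0

    def add_mapping(self, m):
        self.mappings[(m.server_ip, m.ssl_port)] = m

    def handle(self, dst_ip, dst_port):
        """Terminate SSL if mapped and under threshold, else pass downstream."""
        m = self.mappings.get((dst_ip, dst_port))
        if self.failed or m is None or self.active >= self.threshold:
            return None
        self.active += 1
        return (self.name, m.server_ip, m.clear_port)

def route(chain, dst_ip, dst_port):
    """Walk the inline chain; untouched traffic reaches the server as sent."""
    for unit in chain:
        result = unit.handle(dst_ip, dst_port)
        if result is not None:
            return result
    return ("web-server", dst_ip, dst_port)

def simulate(thresholds, connections, failed=()):
    """Count who ends up processing each connection (constructed sample data)."""
    chain = []
    for i, limit in enumerate(thresholds):
        unit = Unit(name=f"unit{i + 1}", threshold=limit, failed=i in failed)
        unit.add_mapping(Mapping("192.0.2.10"))
        chain.append(unit)
    return Counter(route(chain, ip, port)[0] for ip, port in connections)

SAMPLE = [("192.0.2.10", 443)] * 6 + [("192.0.2.10", 80)]   # constructed traffic
if __name__ == "__main__":
    print(simulate([3, 2], SAMPLE))              # both units healthy
    print(simulate([3, 2], SAMPLE, failed={0}))  # first unit bypassed
```

In this model, connections that exceed every threshold or cross a failed unit arrive at the Web server on port 443 exactly as the browser sent them, so the servers behind the chain still need to be able to terminate SSL themselves.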