SSL Accelerators

This is a discussion on SSL Accelerators within the Linux Security forums, part of the System Security and Security Related category.


#1 Michael, 11-04-2005

We're a poor company and are looking at ways to offload our SSL traffic.
Since we're cheap, we'd like to consider one of those PCI SSL accelerators.

What experience do you guys have with SSL accelerators? Any recommendations
or caveats?


Michael


#2 Christopher Browne, 11-04-2005

> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>
> What experience do you guys have with SSL accelerators? Any recommendations
> or caveats?


We've been playing with "network box" ones...

Pretty sweet stuff; we were able to use it to get an application
server (happened to be running AIX) to a load average of about 500,
and still be usable, in a "scary concurrency test."
--
(reverse (concatenate 'string "moc.liamg" "@" "enworbbc"))
http://cbbrowne.com/info/
If we were meant to fly, we wouldn't keep losing our luggage.

#3 Michael, 11-04-2005

"Christopher Browne" <cbbrowne@acm.org> wrote in message
news:m3fyqdb1mi.fsf@mobile.int.cbbrowne.com...
> > We're a poor company and are looking at ways to offload our SSL traffic.
> > Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
> >
> > What experience do you guys have with SSL accelerators? Any recommendations
> > or caveats?
>
> We've been playing with "network box" ones...

Could you explain? "Network box"? Is that a brand?

[snip]


Michael


#4 Christopher Browne, 11-04-2005

> "Christopher Browne" <cbbrowne@acm.org> wrote in message
> news:m3fyqdb1mi.fsf@mobile.int.cbbrowne.com...
>> > We're a poor company and are looking at ways to offload our SSL traffic.
>> > Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>> >
>> > What experience do you guys have with SSL accelerators? Any recommendations
>> > or caveats?
>>
>> We've been playing with "network box" ones...
>
> Could you explain? "Network box"? Is that a brand?

F5 is the brand... They sell SSL accelerators that are add-on modules
for their "Big-IP" network management appliances. So SSL acceleration
takes place as a proxy on another box.

This has a *very* significant benefit over doing it inside your PC in
that you get the other "Big-IP" network traffic management features.
--
output = reverse("moc.enworbbc" "@" "enworbbc")
http://cbbrowne.com/info/languages.html
To quote from a friend's conference talk: "they told me that their
network was physically secure, so I asked them `then what's with all
these do-not-leave-valuables-in-your-desk signs?'".
-- Henry Spencer

#5 Jim Hicks, 11-04-2005

Michael wrote:
> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>
> What experience do you guys have with SSL accelerators? Any recommendations
> or caveats?
>
>
> Michael
>
>

You might try this adapter.
https://www.britestream.com/

#6 Colin McKinnon, 11-04-2005

Michael wrote:

> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL
> accelerators.
>
> What experience do you guys have with SSL accelerators? Any
> recommendations or caveats?
>


Looking at the history of SSL, I'd stay well clear of 'hardware' solutions
for an exposed interface.

I've found stunnel very reliable and easy to use. As a software solution,
you can run it chroot on the webserver, or on a separate box. You say
'one'? As in you only have one webserver? In that case I'd say get a second
box to run as a webserver and run stunnel chrooted on each machine.

C.
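
A minimal stunnel configuration for the layout suggested in the post above (stunnel chrooted on each web server, handing decrypted traffic to the local web server), as an added example that is not part of the original thread. The jail directory, the `stunnel` user and group, the certificate and key paths, and the local web server listening on 127.0.0.1:80 are all assumptions.

```ini
; stunnel.conf (constructed example; every path, account name and port
; below is an assumption, not a value taken from the thread)

; --- global options ---

; Confine the daemon to a jail directory after startup.
chroot = /var/lib/stunnel

; Drop root once the privileged port is bound. The account should own
; nothing outside the jail and have no login shell.
setuid = stunnel
setgid = stunnel

; The pid file path is resolved inside the chroot jail,
; so this ends up as /var/lib/stunnel/stunnel.pid on the host.
pid = /stunnel.pid

; --- one service: TLS in, plain HTTP out to the local web server ---
[https]

; Public TLS listener.
accept = 443

; Decrypted traffic is forwarded to the web server on loopback only,
; so the plaintext hop never leaves the machine.
connect = 127.0.0.1:80

; Server certificate and private key. Keep the key readable by root only.
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
```

With this layout the web server sees every connection as coming from 127.0.0.1, so access logs and any IP-based controls on the backend need to account for that.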

#7 Michael, 11-04-2005

"Colin McKinnon"
<colin.thisisnotmysurname@ntlworld.deletemeunlessU RaBot.com> wrote in
message

[snip]

Hi Colin,

> Looking at the history of SSL, I'd stay well clear of 'hardware' solutions
> for an exposed interface.
>
> I've found stunnel very reliable and easy to use. As a software solution,
> you can run it chroot on the webserver, or on a separate box. You say
> 'one'? As in you only have one webserver? In that case I'd say get a second
> box to run as a webserver and run stunnel chrooted on each machine.


Thanks for the reply. We actually have five web servers and considered
stunnel, but... Gosh, does that scale well? I'd actually love to just do
stunnel and will now give it a shot due to your suggestion (i.e. if you
suggest it, it must mean that other people must be at least trying it too).

Doing the SSL acceleration on our load balancer has been just way too slow,
but perhaps if we offloaded to each individual server via stunnel we'd be
ok.


Michael


#8 Christopher Browne, 11-04-2005

> Michael wrote:
>
>> We're a poor company and are looking at ways to offload our SSL traffic.
>> Since we're cheap, we'd like to consider one of those PCI SSL
>> accelerators.
>>
>> What experience do you guys have with SSL accelerators? Any
>> recommendations or caveats?
>>

>
> Looking at the history of SSL, I'd stay well clear of 'hardware' solutions
> for an exposed interface.
>
> I've found stunnel very reliable and easy to use. As a software solution,
> you can run it chroot on the webserver, or on a separate box. You say
> 'one'? As in you only have one webserver? In that case I'd say get a second
> box to run as a webserver and run stunnel chrooted on each machine.


But the reason to be interested in SSL accelerators is the fact that
they, well, accelerate it.

I'll buy the story that it's better to separate it to another host,
but "stunnel" won't get you one iota of hardware acceleration, which
was the point of the exercise in the first place.
--
output = ("cbbrowne" "@" "gmail.com")
http://linuxdatabases.info/info/x.html
Rules of the Evil Overlord #187. "I will not hold lavish banquets in
the middle of a famine. The good PR among the guests doesn't make up
for the bad PR among the masses." <http://www.eviloverlord.com/>