SSL Offload Presentation
Contents:
- SSL Monitoring vs. SSL Termination
- SSL Monitoring models: "Enterprise In" and "Enterprise Out"
- SSL Acceleration, connection, & bulk crypto
- Inline vs. Parallel SSL Hardware Acceleration
- Inline solutions & features for SSL monitoring solutions
Termination - Standard Web Server Deployment
Web Server Deployment with Reverse Proxy
SSL Monitoring Models: "Enterprise In"
The SSL decoder function could optionally be integrated into the NPB or analytical tools units.
SSL Monitoring Models: "Enterprise Out"
SSL Acceleration: connection & bulk crypto
Hardware Acceleration solutions may accelerate connection, bulk crypto, or both.
Many hardware solutions let software process connections while hardware accelerates bulk crypto.
Parallel or Co-processor Hardware Acceleration Model
Typical Hardware SSL Acceleration in use Today
Inline Hardware Acceleration Model
The inline solution offers advantages for some applications.
Inline vs. Parallel SSL Offload: Parallel PCIe-Attached Coprocessors
Receive:
- Load balance to a CPU
- TCP stack
- OpenSSL
- To crypto engine
- Back from crypto engine
- Application delivery and processing
Transmit:
- App to OpenSSL
- OpenSSL
- To crypto engine
- Back to OpenSSL
- TCP stack
- Out to NIC
For each direction:
- Data crosses PCIe 2x (to and from the crypto engine), NIC 1x.
- Significant bus and memory overhead from the extra I/O operations.
- Still significant software/CPU overhead for processing connections and interacting with the crypto engine.
Inline vs. Parallel SSL Offload: Inline Solution
Receive:
- Load balance to a CPU
- TCP stack
- Application delivery and processing
Transmit:
- App to TCP stack
- TCP stack
- Out to NIC
Extra bus transfers removed. All SSL software/CPU overhead offloaded to NIC.
Parallel vs. Inline Scalability
Coprocessors are a global resource.
Multiple can be installed, but this requires a software load-balancing implementation.
Inline crypto acceleration is per NIC.
Multiple can be installed, with load balancing across interfaces.
Inline Solutions & Features for SSL Monitoring Solutions
Monitoring solution desired features:
- Option to "cut through" non-SSL traffic.
- Out BIW port
- To host for normal analytics.
- 2-way NPB (Network Packet Broker) interface for host to decide to forward or drop a packet (as opposed to a simple Tap interface).
- Option for SSL traffic to be delivered as "payload-only" or "generated TCP streams"
- Support for multiple Tap ports to prevent oversubscription.
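The "cut through" option and the 2-way NPB forward/drop decision in the list above, as an added example that is not part of the original presentation or of any vendor's product: a Python classifier that looks at the first bytes of a new flow, treats anything that is not a well-formed TLS record as cut-through traffic, and hands TLS flows to the host with the ClientHello's version, cipher suites and SNI already extracted. The `build_client_hello` helper constructs the sample input (it is not captured traffic), and every function name here is my own; the record-layer and ClientHello layouts follow RFC 5246.

```python
import struct

# TLS record-layer content types (RFC 5246) and the ClientHello handshake type.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 2 ** 14 + 2048   # plaintext limit plus the allowed expansion


class _Reader:
    """Bounds-checked cursor over a byte string; raises on truncated input."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.off = buf, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.buf):
            raise ValueError("truncated TLS structure")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def done(self) -> bool:
        return self.off >= len(self.buf)


def parse_client_hello(hello: bytes) -> dict:
    """Pull version, cipher suites and SNI out of a ClientHello body."""
    r = _Reader(hello)
    version = r.u16()
    r.take(32)                    # client random
    r.take(r.u8())                # legacy session id
    suites_raw = r.take(r.u16())
    suites = [struct.unpack("!H", suites_raw[i:i + 2])[0]
              for i in range(0, len(suites_raw), 2)]
    r.take(r.u8())                # compression methods
    sni = None
    if not r.done():              # the extensions block is optional
        ext = _Reader(r.take(r.u16()))
        while not ext.done():
            ext_type, ext_data = ext.u16(), ext.take(ext.u16())
            if ext_type == 0x0000:  # server_name extension
                names = _Reader(ext_data)
                name_list = _Reader(names.take(names.u16()))
                while not name_list.done():
                    name_type, name = name_list.u8(), name_list.take(name_list.u16())
                    if name_type == 0 and sni is None:   # host_name entry
                        sni = name.decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def classify_flow(first_bytes: bytes) -> dict:
    """Decide what the packet broker should do with a new flow.

    "host"        -> looks like TLS: hand it to the host decryption/analytics path
    "cut_through" -> not TLS: forward without involving the host
    """
    if len(first_bytes) < 5:
        return {"tls": False, "action": "cut_through", "sni": None}
    ctype, version, rec_len = struct.unpack("!BHH", first_bytes[:5])
    if (ctype not in TLS_CONTENT_TYPES or version >> 8 != 0x03
            or not 0 < rec_len <= MAX_RECORD_LEN):
        return {"tls": False, "action": "cut_through", "sni": None}
    result = {"tls": True, "action": "host", "sni": None, "complete": False}
    body = first_bytes[5:5 + rec_len]
    if ctype == TLS_HANDSHAKE and len(body) >= 4 and body[0] == CLIENT_HELLO:
        hs_len = int.from_bytes(body[1:4], "big")
        try:
            result.update(parse_client_hello(body[4:4 + hs_len]))
            result["complete"] = True
        except ValueError:
            pass                  # still TLS, we just have not seen enough of it yet
    return result


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    host = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                      # version, client random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_client_hello("example.com"), b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"):
        print(classify_flow(sample))
```

A flow whose record header is TLS but whose ClientHello is not yet complete is still sent to the host (`"complete": False`) rather than cut through, so a client that splits its hello across segments is not silently bypassed; the non-SSL path is taken only when the record header itself does not validate.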
Additional MPS Inline SSL Monitoring Features:
- Traffic can be delivered with zero-copy, kernel bypass drivers, directly to user-space applications.
- Host application interface can be customized to meet customer requirements.
- "Cut-through" options are configurable.
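The two delivery options listed earlier, "payload-only" and "generated TCP streams", as an added illustration that is not the presentation's or any vendor's code: in payload-only mode the host receives the decrypted application bytes and nothing else, while in generated-stream mode the decrypted bytes are wrapped in synthetic IPv4/TCP headers with valid checksums so that analytics tools expecting packet input can consume them unchanged. The addresses, ports, TTL, window and flag values are my own constructed assumptions, and `verify_generated_packet` does what a downstream tool would do before trusting the synthetic packet.

```python
import socket
import struct

IP_PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over a buffer that already
    carries a valid checksum, which is how the verifier below uses it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def deliver_payload_only(payload: bytes) -> bytes:
    """Payload-only mode: the host gets the decrypted application bytes as-is."""
    return payload


def deliver_generated_tcp_stream(payload: bytes, src_ip: str, dst_ip: str,
                                 sport: int, dport: int, seq: int, ack: int) -> bytes:
    """Generated-stream mode: wrap decrypted bytes in synthetic IPv4/TCP headers.

    Addresses and ports are copied from the original flow; seq/ack are offsets
    into the decrypted stream, not the encrypted one. Header constants (DF set,
    TTL 64, PSH|ACK, window 65535) are constructed choices for this example."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # TCP header with the checksum field zeroed: data offset 5 words, flags 0x18 = PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header with the checksum field zeroed, then filled in
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                     IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def verify_generated_packet(packet: bytes) -> bool:
    """Validate total length and both checksums of a generated IPv4/TCP packet."""
    if len(packet) < 40 or packet[0] != 0x45:
        return False
    ip, rest = packet[:20], packet[20:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len != len(packet) or inet_checksum(ip) != 0:
        return False
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(rest))
    return inet_checksum(pseudo + rest) == 0


if __name__ == "__main__":
    decrypted = b"HTTP/1.1 200 OK\r\n\r\nhello"       # constructed decrypted payload
    pkt = deliver_generated_tcp_stream(decrypted, "10.0.0.5", "10.0.0.9", 443, 51000, 1, 1)
    print(len(deliver_payload_only(decrypted)), "payload bytes vs", len(pkt), "packet bytes")
    print("generated packet valid:", verify_generated_packet(pkt))
```

The generated-stream form costs 40 extra bytes per segment and a checksum pass, which is the price of compatibility with tools that only read packets; payload-only is the cheaper choice for a host application written against the monitoring interface directly.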