Reconciling security efforts and optimization tactics

* Riverbed Technology unveils approach for accelerating SSL traffic

Network security and WAN optimization initiatives don’t always complement one another.

Consider corporate traffic that is encrypted with the SSL protocol. SSL traffic is often left out of traditional acceleration techniques, since speeding traffic over the wide area requires examining the payload, which means decrypting the data.

Decrypting that data can be complicated, since IT pros are likely reluctant to distribute SSL certificates and private keys outside of the data center.

This week Riverbed Technology plans to unveil its approach for accelerating SSL application traffic. The vendor is releasing the next version of its Riverbed Optimization System (RiOS) software, which powers all of its Steelhead appliances.

In a process Riverbed calls “split termination,” RiOS 4.0 keeps a copy of a company’s SSL certificates and private keys in a Steelhead appliance that resides in the company’s data center. This server-side appliance then uses Riverbed identity certificates to establish a secure connection with Steelhead appliances across the WAN.

“A client request is intercepted on the server-side Steelhead appliance, and the Steelhead appliance on the server side makes a secure connection with the Web server,” explains Alan Saldich, vice president of product marketing at Riverbed. “Next the server-side appliance establishes its own SSL connection directly with the client, and a temporary session key is moved over to the client-side Steelhead appliance.” Once the temporary SSL session begins, the Riverbed appliances can decrypt the traffic and apply standard algorithms to accelerate the traffic, he says.
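The split-termination flow described above, as an added model that is not Riverbed's code and not drawn from RiOS: four parties, an HMAC standing in for the asymmetric handshake, a toy XOR stream in place of the TLS record layer, and assumed names throughout. What it makes visible is the trust boundary the article describes: the copied private key never leaves the data-center appliance, only a per-session key crosses the WAN (wrapped in the appliance-to-appliance channel the article says is built from Riverbed identity certificates), and the branch appliance ends up able to read the payload it is asked to accelerate.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def toy_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 in counter mode). It only stands in for
    the TLS record layer in this model; it is not a real cipher."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Party:
    name: str
    secrets: Dict[str, bytes] = field(default_factory=dict)  # key material held at rest
    seen: List[bytes] = field(default_factory=list)          # plaintext this box could read


def split_termination(request: bytes = b"GET /index.html",
                      session_key: Optional[bytes] = None,
                      server_private_key: Optional[bytes] = None) -> dict:
    """Run one request through the four parties and report who holds what."""
    session_key = session_key or os.urandom(32)
    server_private_key = server_private_key or os.urandom(32)
    # Assumed: a channel key derived from the appliance identity certificates.
    channel_key = hashlib.sha256(b"riverbed-identity-cert-channel").digest()

    client = Party("client")
    branch = Party("branch Steelhead", {"channel_key": channel_key})
    dc = Party("data-center Steelhead",
               {"channel_key": channel_key, "server_private_key": server_private_key})
    web = Party("web server", {"server_private_key": server_private_key})

    # Step 1: the data-center appliance opens its own secure session to the web server.
    backend_key = hashlib.sha256(b"dc<->web|" + os.urandom(16)).digest()
    dc.secrets["backend_session_key"] = backend_key
    web.secrets["backend_session_key"] = backend_key

    # Step 2: the data-center appliance completes the client's handshake with the
    # copied private key. The proof of possession is modelled as an HMAC over the
    # transcript; real TLS uses an asymmetric operation that the client verifies
    # with the certificate's public key. The branch appliance has no
    # "server_private_key" entry, so it could not produce this value.
    transcript = b"ClientHello|ServerHello"
    proof = hmac.new(dc.secrets["server_private_key"], transcript, hashlib.sha256).digest()
    client.secrets["session_key"] = session_key
    dc.secrets["session_key"] = session_key

    # Step 3: only the temporary session key crosses the WAN, wrapped in the
    # appliance-to-appliance channel; the private key stays in the data center.
    wrapped = toy_stream(channel_key, b"key-transfer", session_key)
    branch.secrets["session_key"] = toy_stream(channel_key, b"key-transfer", wrapped)

    # Step 4: the client sends a record; the branch appliance decrypts it with the
    # session key, so the payload is available for de-duplication and acceleration.
    record = toy_stream(client.secrets["session_key"], b"rec-1", request)
    plaintext = toy_stream(branch.secrets["session_key"], b"rec-1", record)
    branch.seen.append(plaintext)

    # Step 5: the optimized payload travels over the inter-appliance channel, and the
    # data-center appliance re-encrypts it on its own session with the web server.
    optimized = toy_stream(channel_key, b"wan-1", plaintext)
    at_dc = toy_stream(channel_key, b"wan-1", optimized)
    dc.seen.append(at_dc)
    to_web = toy_stream(backend_key, b"backend-1", at_dc)
    web.seen.append(toy_stream(backend_key, b"backend-1", to_web))

    return {
        "holds": {p.name: sorted(p.secrets) for p in (client, branch, dc, web)},
        "handshake_proof": proof,
        "branch_sees": branch.seen[0],
        "web_server_receives": web.seen[0],
    }


if __name__ == "__main__":
    for name, keys in split_termination()["holds"].items():
        print(f"{name:22s} holds {keys}")
```

The point to take from the inventory is that both appliances, not just the web server, end up with plaintext: the branch appliance holds a live session key and the data-center appliance holds the server's private key, so both boxes sit inside the same trust boundary as the server itself and need the same physical and administrative controls.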

Customers’ desire to accelerate SSL traffic has grown as the percentage of network traffic that is encrypted through SSL increases; Riverbed estimates about 15% of enterprise traffic is SSL, and it’s growing at a rate of about 52%. “The SSL feature has been our No. 1 feature request for 18 months,” Saldich says. “We know it’s widely needed.”

Also new to RiOS 4.0 is the ability to discover and track objects on Web pages, including images, scripts and cascading style sheets. When a server-side Steelhead appliance is handling requests for a Web page that has been requested before, the appliance can streamline delivery by transferring groups of objects in parallel, rather than one at a time.

“We’ve always accelerated Web applications by de-duplicating Web traffic. Now we’ve added a way to learn about Web pages and ask for Web content in parallel,” Saldich says. “Very complex Web pages that have embedded objects and CGI scripts and other things that normally would be accessed sequentially - we can access them in parallel once we’ve learned what’s on a page.”

Another area Riverbed refined in RiOS 4.0 is how it optimizes TCP over high-bandwidth, high-latency connections. Its new Max-Speed TCP (MX-TCP) feature uses the QoS enforcement capabilities in RiOS 4.0 to alter and control the sending rate of traffic so as to maximize utilization of high-bandwidth links.

TCP is designed to back off transmissions when there is congestion or packet loss, and then slowly ramp back up to maximum speed as congestion decreases. With MX-TCP, administrators can tell the Steelhead devices to use the maximum amount of bandwidth for certain traffic immediately, rather than slowly building up to it as standard TCP does. “It’s most useful for traffic that is non-repetitive, where you just want to fill the pipe to the maximum extent possible,” Saldich says.
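An added model of the behaviour the two paragraphs above describe, not Riverbed's code and not a description of how MX-TCP is implemented: a textbook TCP sender that starts from one segment, doubles its window every round trip until the window covers the bandwidth-delay product, halves on a loss and then grows by one segment per round trip, beside a sender that is told its rate up front and fills the pipe from the first round trip. Link parameters and the 1460-byte segment size are assumptions chosen to make the numbers easy to follow.

```python
MSS = 1460  # assumed bytes per segment


def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: the bytes in flight needed to keep the link full."""
    return int(bandwidth_bps * rtt_s / 8)


def slow_start_delivery(bandwidth_bps: float, rtt_s: float, rtts: int,
                        init_cwnd_segments: int = 1, loss_at_rtt=None):
    """Bytes delivered in each round trip by a standard sender: exponential slow
    start until the window covers the BDP, a halving on a single loss event
    (loss_at_rtt), then additive increase of one MSS per round trip."""
    cap = bdp_bytes(bandwidth_bps, rtt_s)
    cwnd = init_cwnd_segments * MSS
    ssthresh = None
    per_rtt = []
    for i in range(rtts):
        per_rtt.append(min(cwnd, cap))
        if loss_at_rtt is not None and i == loss_at_rtt:
            ssthresh = max(cwnd // 2, MSS)   # back off: halve the window
            cwnd = ssthresh
        elif ssthresh is None or cwnd < ssthresh:
            cwnd = min(cwnd * 2, cap)        # slow start: double per RTT
        else:
            cwnd = min(cwnd + MSS, cap)      # congestion avoidance: +1 MSS per RTT
    return per_rtt


def fixed_rate_delivery(bandwidth_bps: float, rtt_s: float, rtts: int):
    """A sender configured with the link rate (the MX-TCP idea in the article)
    puts a full BDP on the wire from the first round trip."""
    return [bdp_bytes(bandwidth_bps, rtt_s)] * rtts


def rtts_to_fill_pipe(bandwidth_bps: float, rtt_s: float,
                      init_cwnd_segments: int = 1) -> int:
    """Round trips slow start needs before the window first covers the BDP."""
    cap = bdp_bytes(bandwidth_bps, rtt_s)
    cwnd, n = init_cwnd_segments * MSS, 0
    while cwnd < cap:
        cwnd *= 2
        n += 1
    return n


def compare(bandwidth_bps: float, rtt_s: float, rtts: int, **kwargs) -> dict:
    """Summarise both senders over the same number of round trips."""
    ss = slow_start_delivery(bandwidth_bps, rtt_s, rtts, **kwargs)
    fx = fixed_rate_delivery(bandwidth_bps, rtt_s, rtts)
    return {
        "bdp_bytes": bdp_bytes(bandwidth_bps, rtt_s),
        "slow_start_bytes": sum(ss),
        "fixed_rate_bytes": sum(fx),
        "utilization": sum(ss) / sum(fx),
        "rtts_to_fill": rtts_to_fill_pipe(bandwidth_bps, rtt_s,
                                          kwargs.get("init_cwnd_segments", 1)),
    }


if __name__ == "__main__":
    # Assumed link: 100 Mbit/s with a 100 ms round trip, i.e. a 1.25 MB pipe.
    for k, v in compare(100e6, 0.1, 10).items():
        print(f"{k:18s} {v}")
```

On the assumed 100 Mbit/s, 100 ms link the standard sender needs ten round trips, a full second, before its window covers the pipe, and in those ten round trips it moves about 12% of what the pre-configured sender does, which is the gap the article's "fill the pipe" remark is about. The flip side is what the article's mention of QoS enforcement hints at: a sender pinned at line rate is no longer backing off for anyone else, so it only belongs on links where policing bounds how much of the pipe that traffic class may take.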

RiOS v4.0 will be generally available this month at no additional cost to current licensees.

Copyright © 2007 IDG Communications, Inc.
