SSi Service Strategies Inc.

SSL Deployment

SSL Appliance Deployment

Transaction Security and SSL Accelerators

SSL Accelerators and Content Switching Deployment

Most high-traffic secure sites discovered long ago that the highly CPU-intensive SSL handshake process dramatically reduces a server’s capacity to serve pages and to perform other functions such as CGI or other server-side scripting. In an effort to return to non-encrypted performance levels, many sites began to employ SSL accelerators to handle the public-key cryptographic functions, or the RSA key exchange. Although this dramatically reduced CPU utilization, it was not a content-switch-friendly solution, because the traffic remained encrypted all the way to the server’s bus.

The next-generation SSL accelerators, also known as SSL Offloaders, took cryptographic computational assistance one step further by handling not only the RSA key exchange but also the bulk-data decryption and encryption, offering even greater performance benefits. Generally available in appliance (SSL-IA) or rack-mount (SSL-R) form factors, SSL Offloaders receive encrypted SSL traffic and transmit decrypted cleartext traffic, enabling them to restore the benefits of content switching to an SSL environment.

In-Line versus One-Armed

SonicWALL Accelerators are designed to work either in a conventional In-Line mode, or in the more efficient, more easily integrated One-Arm mode.

In-Line Mode

The conventional method of deploying an SSL accelerator, a method supported by diverse and heterogeneous groupings of equipment, is the In-Line mode. The In-Line mode places the SSL Accelerator (SSL-x) at some point on the network between the router and the content switch. This point can be before or after any preliminary switching or firewalling occurs on the network. While the SonicWALL SSL-x products support this method, it is but one of four deployment methods available to the SSL-x family.

One-Arm Mode

The One-Arm mode takes advantage of SonicWALL's distinctive One-Arm SSL Offloading architecture. Traditional methods of SSL Offloading required the use of two ports: one ingress port for encrypted traffic and one egress port for decrypted traffic. While this remains an acceptable requirement for networks using shared ports (hubs) or inexpensive switched ports (layer 2 switches), it becomes less endurable in a content switch’s premium-port environment. Sensitive to the value of the content-switched port, SonicWALL engineered a method of SSL Offloading that allows a single port to be used for both ingress and egress traffic, with no performance degradation.

The full list of deployment methods:

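| Method           | Difficulty | Availability | Scalability | Other                               |
|------------------|------------|--------------|-------------|-------------------------------------|
| In-Line Mode     | Easy       | Low          | Poor        | All traffic passes through the SSL-x |
| Trans-wich Mode  | Medium     | Medium       | Good        | Requires min. 2 content switches    |
| Proxy Mode       | Easy       | High         | Excellent   | Lose client IP tracking capability  |
| Transparent Mode | Hard       | High         | Excellent   | Most efficient design overall       |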

To learn more about each of these deployment methods, click on a link above.

Certified SonicWALL Sales Experts

Service Strategies Inc.

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

678-441-0020   800-662-1615

assist@ssimail.com

Copyright © 1998 - 2002 Service Strategies Inc. All rights reserved.
Revised: April 04, 2005.