This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
When the firm decided to open its digital doors to thousands of clients, offering online services and Web-based access to accounting and auditing records, it faced the prospect that its site could quickly be overwhelmed. Hundreds of SSL-secured connections could chew up its capacity, leaving paying customers waiting an intolerable five to 10 seconds for their turn.
KPMG turned to nCipher to solve its availability and crypto-processing problem. By installing nCipher's nFast accelerator cards on six of its Web servers, the firm increased its secured-connection capacity by 80 percent.
"What we've found in our benchmarking is the amount of throughput we gained made it reasonable enough to do this," says Ken Shea, KPMG's director of architecture technology.
"If we didn't use the accelerator cards, we would be installing many more boxes."
Compared to five years ago, crypto-accelerator cards are better at expediting the processing of asymmetric keys. Where they once sped traffic to 200 connections per second, today they're pushing 800 to 1,000. Adding accelerator cards to Web servers extends their life, as KPMG found.
"It's about latency," says Richard Moulds, nCipher's VP of marketing. "Even though a Web server can do 20 transactions a second, if you're the 100th connection, you'll be sitting there for five seconds before the padlock will appear on your screen.
"You either buy $5,000 in accelerators or $50,000 in servers. The ROI is obvious."
In recent years, accelerator cards and appliances have seen tremendous performance improvements and steep price reductions. But industry experts say accelerators' days as a vanguard solution are numbered. Contemporary general-purpose processors can now process even heavy-duty algorithms and longer keys, making accelerators less of a necessity for light- to moderate-traffic sites.
"If you look at the current generation of AMD processors, they are remarkably capable at doing cryptography," says Joe Levy, principal architect of engineering at SonicWALL, a maker of accelerator appliances.
With off-the-shelf general-purpose hardware getting less expensive every day, Levy and others say it's easier to adjust existing resources to accommodate those peak traffic flows than to install accelerators. The other counterforce is the inclusion of accelerator chips and technology in hardware solutions. SonicWALL, Cisco Systems and NetScreen Technologies are embedding ASIC chips in their firewall/VPN appliances, load balancers and other edge devices to offload crypto and speed throughput.
Vendors that once dealt exclusively in accelerator technology are now leveraging their experience in the field to create more holistic security solutions. Faster, more efficient VPNs. Better load balancing. Embedded crypto processors. Improved and more secure key management and key storage.
"Acceleration is there to optimize the performance of other network and security solutions," says Pat Donnellan, CEO of AEP Systems, a maker of encryption hardware products. "If you're providing a solution, you should provide a more efficient solution. And the cost of an accelerator board in the context of an overall solution--even if you just want to provide for a peak of 5,000 connections that happens just two days a year--is still a good investment."
Using accelerator technology to improve existing solutions seems like a good idea, but this trend isn't signaling the end of pure-play accelerators.
"Content networking is much more a driving factor for the accelerator," says Levy. "Anyone who has a highly available Web site is going to have multiple Web servers; they'll have to guarantee persistence, and then they'll have to have an offloader."
About the author:
Lawrence Walsh is managing editor of Information Security.
This was first published in January 2003