From DeleGate/9.0.1, configuring DeleGate as a TLS (or SSL) gateway has become simple and uniform. A TLS gateway for any application protocol, including HTTP, FTP, SMTP, POP, IMAP and so on, can be enabled simply by specifying the common STLS parameter like this:
STLS=fcl
In older versions it was a little complicated to configure DeleGate as a TLS gateway, especially for the FTP protocol, as described in the former document:
// FTP/FTPS gateway before DeleGate/9.0.1
delegated-older -P990 SERVER=ftp FCL=sslway
delegated-older -P21 SERVER=ftp CMAP=sslway:FCL:ftp CMAP="sslway -st:FCL:ftp-data"
It was also necessary to run two DeleGate servers, one serving FTPS clients and one serving FTP+AUTH-TLS clients, and the configuration of the latter was a bit complex.
Now both services can be provided by a single DeleGate server, as shown here.
(Note: This unit was originally developed by iPivot, who was subsequently bought by Intel. It appears to be based on the Rainbow card.)
This is a box running BSD and OpenSSL internally; it has two Ethernet ports, and transparently converts SSL connections to normal ones. It handles about 200 conn/sec. Up to 5 7110's may be cascaded. The 7180 is larger, handles 600 conn/sec, and can't be cascaded (though you can put 7110's in front of it).
Price: 7110 is $13000, 7180 is $40000 as of April 2000.
The nCipher/Linux solution is spotty. I had a lot of trouble getting it to work right and ended up getting a tech out to help me. In addition to a driver, it needs a special application that loads into memory to help it....
The Rainbow card is better, but their OpenSSL support is so-so. From the patches, it appears that they basically modify OpenSSL so that it can offload the big number stuff to the card. I think it would be much wiser of them to publish a spec to the OpenSSL group and let them do true integration with it. Because of their patch, we could never get more than 117 connections/sec. with the Rainbow card.
Now the catch with the Rainbow card.... =) Read the fine print carefully and you see that they do 200 RSA ops/sec. More accurately, they can do one RSA operation in 4.9ms. This does not take into account the overhead of SSL, network connection setup and tear down, etc. The iPivot (Intel) solution that advertises 200 connections per second really only gets 117 when you tell Web Bench to not do any session id reuse. (Oops.) I'm sure that is also the case with anyone who uses the Rainbow card in their product. Ditto with nCipher.
Overall experience with the Rainbow card: Good. Their tech support is pretty good. The patch to OpenSSL works reliably, albeit slower than I'd like it to. Their sales team is confused, but what else is new?
Personally, I'd like to get my hands on the Compaq Atalla card to benchmark it and find out. I'm sure if they managed to get native OpenSSL support, they'll whip the pants off Rainbow.
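The gap between "200 RSA ops/sec" and 117 connections/sec described above comes down to what a benchmark counts as a connection. The following is an added example, not code from this page or from any vendor: a small model of one accelerator serving TLS handshakes through a server-side session-ID cache. RSA_OP_MS is the 4.9 ms quoted above; FULL_OVERHEAD_MS and RESUME_MS are assumed model parameters (the first chosen so a no-reuse run lands near the observed 117 conn/s).

```python
from collections import OrderedDict

RSA_OP_MS = 4.9          # per-op latency quoted for the Rainbow card above
FULL_OVERHEAD_MS = 3.65  # assumed non-RSA cost of a full handshake, chosen so a
                         # no-reuse run lands near the 117 conn/s observed above
RESUME_MS = 0.5          # assumed cost of a resumed handshake (no RSA private op)

class SessionCache:
    """Server-side TLS session-ID cache with LRU eviction."""
    def __init__(self, capacity):
        self.capacity = capacity
        self._ids = OrderedDict()

    def resume(self, session_id):  # True if the ID is cached (abbreviated handshake)
        if session_id in self._ids:
            self._ids.move_to_end(session_id)
            return True
        return False

    def add(self, session_id):
        self._ids[session_id] = True
        if len(self._ids) > self.capacity:
            self._ids.popitem(last=False)

def simulate(session_ids, cache_capacity=1000):
    """Serve handshakes through one accelerator; return (full, resumed, conn/s).
    A cached session ID is resumed without an RSA private-key operation;
    any other ID costs a full handshake and is then cached."""
    cache = SessionCache(cache_capacity)
    full = resumed = count = 0
    busy_ms = 0.0
    for sid in session_ids:
        count += 1
        if cache.resume(sid):
            resumed += 1
            busy_ms += RESUME_MS
        else:
            full += 1
            busy_ms += RSA_OP_MS + FULL_OVERHEAD_MS
            cache.add(sid)
    return full, resumed, count * 1000.0 / busy_ms

def rated_ops_per_sec():  # the data-sheet figure: raw RSA private ops per second
    return 1000.0 / RSA_OP_MS

def no_reuse_rate():  # session-ID reuse disabled: 1000 distinct clients
    return simulate(f"client-{i}" for i in range(1000))

def heavy_reuse_rate():  # same connection count, 100 clients reconnecting 10x each
    return simulate(f"client-{i}" for i in range(100) for _ in range(10))
```

With reuse disabled every connection pays the RSA operation plus handshake overhead, so the box delivers roughly 117 conn/s against a 204 ops/s data-sheet figure; with clients reconnecting and resuming, the same hardware reports several times that, which is why a benchmark must state its session-reuse setting.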
From: rafal@mediaone.net
Date: April 30, 2000
Hi Dan,
I noticed you put up a nice page on getting SSL hardware acceleration for linux (kudos for the great info!) and wanted to follow up with some info about Rainbow, and iPivot (now Intel).
First, Rainbow: I'm very happy with them... We're currently using a bunch of CryptoSwift cards, and I've also played with their NetSwift (which is targeted more for IPSec/IKE applications). We've gotten full driver source for the NetSwift and the kernel crypto libraries, as well as sources for the CryptoSwift driver from them without any arm-twisting on our part (well, we bought ten cards for starters, so that may have had some effect 8-). Although their OpenSSL integration is not the greatest (from the point of view of ease-of-use, keeping up with new OpenSSL versions, and architecture of their code), it works and was given to us also without any major effort on our part.
I'm pretty happy with performance -- with our in-house servers, which use a phhttpd-based I/O core, I get pretty close to the 200 conn/s. I hear they also have a card spec'ed at 600 connections/second.
Next, iPivot: I don't want to crap on these guys, but they're the main reason I ended up writing the SSL-terminator software mentioned above from scratch. Both their boxes do 200 conn/s, but max out at around 2500 connections through one box. When we were evaluating their CA-1000 box in December, it would regularly crash and nuke all existing 2500 connections rather than roll over or deny the connection. The max connection limit may not be bad for people doing standard web serving where connections come and go quickly, but we had a need for long-lived connections, so it was of ultimate importance. (As a side note, it was also pretty easy to defeat their lame console security and muck around in the OS -- which is BSDI, and it does just package an OEM version of the Rainbow chip onboard -- running on the box, although we had to return the box before I really had any fun with it 8-).
IRVINE, CA. July 15, 1998 – Rainbow Technologies (NASDAQ: RNBO), a leading supplier of cryptographic accelerator hardware boards for increased secure web server performance, announced today that CryptoSwift II, the fastest public key cryptographic processor in the world, is now shipping. CryptoSwift II will be showcased at this year's Internet World in Chicago, July 15th - 17th, (booth number 1654). CryptoSwift II provides companies with hardware level security for electronic commerce transactions.
CryptoSwift II leads its competition in price/performance and in transaction processing speed. CryptoSwift is capable of handling more than 200 transactions per second and performing a reference RSA signature in five milliseconds. In comparison, a Pentium II™ at 400 MHz takes 25 milliseconds – five times longer – to complete the same operation. In real world servers, CryptoSwift II improves server response time by up to 90 percent and increases server capacity by at least 10 times by offloading and accelerating public key cryptography.
CryptoSwift is widely deployed in several
Found an old list of SSL accelerator cards at http://www.peoplebridge.com/Performance/links.htm and tracked down updated links for the products mentioned there. IMHO the right place to hook these things in is at the OpenSSL crypto library level. I think ncipher might already do this, at least to support Apache.
Cards that may support Linux:
http://www.ncipher.com/products/nfast.html
http://www.phobos.com
http://www.ibm.com/security/cryptocards/
Cards that probably don't support Linux:
http://www.tandem.com/quickspecs/axl200qs/axl200qs.htm
http://isg.rainbow.com/products/cs_1.html
http://www.chrysalis-its.com/product/spec_sheets/toolkit_specsheet.htm
Boxes:
http://www.intel.com/network/products/accel_7110.htm (nee ipivot)
Reviews:
http://www.infosecuritymag.com/jan2000/cover.htm (comparison graph at bottom)
http://www.infowar.com/chezwinn/ecommerce.html-ssi
CPUs:
Supposedly the Itanium and the UltraSPARC III will both be better at doing the computations of SSL than were the Pentium 3 or UltraSPARC II.
APIs:
RSA's BSAFE BHAPI http://www.rsasecurity.com/news/pr/970730.html
Intel(r) NetStructure(tm) e-Commerce Equipment
[Product comparison table not recoverable from the extraction; only its footnote survives.]
1 Tested publicly at NetWorld and Interop 1999 show May 10-12 using Sun E450 server with Solaris* operating system. Also see Networkshop "Scaling E-Commerce Applications" report of 1999: http://www.networkshop.ca