Secure Blue: An Architecture for a Scalable, Reliable, High Volume SSL Internet Server

Quantified Score

Visualization

Abstract

Although there exist accelerator products to increasethroughput of encrypted transactions produced by an InternetHTTP server, there are no current architectures thatprovide a truly coordinated and scalable solution for SecureSocket Layer (SSL) encrypted communications. Thispaper presents an architecture that facilitates high volumeSSL Internet serving, scaling from thousands to millions ofindependently active SSL sessions. Reliability, availability,serviceability, and on-line error recovery requirements forsuch an application are also addressed.Our approach is to offload SSL set-up protocol activitythat was traditionally executed by Transaction Engines (anddedicated co-processors), to a scalable array of SSL Hand-shakeProtocol specific servers. This significantly reducesutilization on the Transaction Engines since SSL sessionset-up is a CPU intensive operation. Additionally, the actualencryption/decryption processing is offloaded as well,to a dedicated and scalable array of In-Line Encryption Engine(s). The In-Line Encryption Engine is architected suchthat requests and responses flowing to and from the Trans-actionServers are in clear text. A benefit of this arrangementis that Transaction Engines (as well as Web AcceleratorProxies) will retain the ability to cache web objects,while firewalls will retain the ability to perform packet levelinspection of all traffic directed to the transaction engines.Such features have been sacrificed in prior SSL implementations.