Quick Look

Cisco SCA 11000 Secure Content Accelerator

The Cisco SCA 11000 Series Secure Content Accelerator is a component of Cisco's family of solutions for Secure Sockets Layer (SSL) optimization and acceleration, which also includes integrated SSL processing modules and standalone devices. Cisco's SSL product offerings provide Web sites of all sizes the performance they require for optimal SSL processing. The comprehensive set of solutions and seamless integration with Cisco data center products (such as server load balancers) put Cisco and the Cisco SCA 11000 Series at the forefront of SSL technology on the market today.

Cisco's SSL Optimization solutions consist of:

  • Option 1—Cisco's dedicated SSL off-loading device—the Cisco SCA 11000 Series Secure Content Accelerator (SCA or SCA2) with an existing Cisco Layer 4-7 solution, the Cisco CSS 11000 Series Content Services Switch

  • Option 2—Cisco CSS 11500 Series Content Services Switch with integrated SSL module or Cisco Catalyst® 6500 Series Switch with Cisco Content Switching Module (CSM) and integrated SSL module

Compatible with any public key infrastructure (PKI) solution, the Cisco SCA 11000 was engineered to solve Web-site performance problems associated with decrypting and encrypting secure traffic, provide a centrally manageable SSL resource, and enable the Cisco Layer 4-7 devices to apply content-intelligent switching services to secure traffic.

How to Choose the Best Option for Your Customers

Propose the product/solution that matches your customer needs:

  • Propose the Cisco SCA or SCA 2 11000 (Option 1) when customers are not planning to upgrade their Layer 4-7 infrastructure, but still need industry-leading SSL performance and features.

  • Lead with the Cisco CSS 11500 or CSM (Option 2) and integrated SSL modules when customers are looking for the richest transport and application (Layer 4-7) services for Internet and intranet data centers. The key decision point is whether customers want to add Layer 4-7 and SSL offloading to an existing Cisco Catalyst 6500 Switch to obtain a high level of port density or prefer the compact modular platform of the Cisco CSS 11500 with the integrated SSL module.

| Metric | Cisco SCA | Cisco SCA 2 | SSL Module for the Cisco CSS 11500 | SSL Blade for the Cisco Catalyst 6500 Series |
|---|---|---|---|---|
| Transactions per second | 200 | 800 | 800/sec per blade; 1,600/sec (CSS 11503); 3,200/sec (CSS 11506) | 3,000; 12,000 per chassis |
| Number of Rivest, Shamir, Adleman (RSA) operations per second | 200 | 4,000 | 4,000/sec per blade; 8,000/sec (CSS 11503); 16,000/sec (CSS 11506) | 8,000/sec per blade; 32,000 per chassis |
| Maximum concurrent connections | 5,000 | 30,000 | 40,000 per blade; 80,000 (CSS 11503); 160,000 (CSS 11506) | 60,000 concurrent client connections; 240,000 per chassis |
| Bulk encryption | 30 Mbps | 70 Mbps | 256 Mbps per blade; 512 Mbps (CSS 11503); 1,024 Mbps (CSS 11506) | 300-Mbps bulk rate encryption; 1.2 Gbps per chassis |
| Sustained sessions | 75,000 | 300,000 | TBD | TBD |



Target Markets

When used in conjunction with a Cisco CSS 11000 Series Content Services Switch, the Cisco SCA 11000 solves three customer needs:

  • Regaining control of load balancing SSL traffic in their data center

  • Offloading SSL processing from Web servers

  • Improving SSL transaction throughput

Web-site designers and networking engineers are seeing an increase in secure applications that has resulted in an increasing amount of SSL traffic. The secure nature of SSL traffic has made it almost impossible to properly load balance this encrypted traffic within the data center. All the Layer 5-7 information is encrypted, handcuffing the advanced load-balancing functionality available in Cisco content switches. The Cisco SCA 11000 Series decrypts SSL traffic and hands it off to the content switch so that it can be properly load balanced across several servers. The benefits of this approach are improved utilization, responsiveness, availability, and scalability, without sacrificing the security of the Web site. Moving SSL processing to the Cisco SCA 11000 also simplifies security management and allows Web servers to process more requests for content and handle more e-transactions.

The following industries are key targets for the Cisco SCA 11000 Series:

  • Financial institutions and health-care providers are lead adopters of this solution because they typically offer secured online services to customers and patients using SSL.

  • Enterprises moving key business operations to the Web (for example, Cisco Resource Manager applications) will likely use SSL when distributing sensitive content (that is, competitive intelligence, price lists) over their intranet/extranet.

  • Manufacturers, retailers or other large enterprises using supply chain management (SCM) systems that require many users to access real-time inventory data, account information, and payment instructions via the Internet will use this solution. These applications present a security risk and are often protected with SSL technology.

Features and Benefits

High Performance
  • Traditional Web server-based SSL termination slows down servers with SSL decryption/encryption processing, thereby causing poor overall site performance. The Cisco SCA 11000 offloads processor-intensive SSL decryption/encryption to reduce burden on the Web server and maximize server resources.

  • The Cisco SCA 11000 attaches directly to a Cisco CSS 11000 Series—if incoming traffic is encrypted, the switch directs the incoming request (at wire speed) to the Cisco SCA 11000 for decryption. When decrypted, the Cisco CSS 11000 has cleartext visibility into the request, and applies intelligent load-balancing metrics to pick the most appropriate Web server to fulfill the request in the fastest time possible.

Scalable and Manageable
  • The Cisco SCA 11000 prevents customers from having to deploy SSL-based Personal Computer Interface (PCI) cards for decryption/encryption directly on back-end Web servers. This eliminates the need to manage multiple server-based SSL cards across Web farms.

  • The Cisco SCA 11000 features two 100-Mb Ethernet ports, but only one is required for upstream and downstream communication with the Cisco CSS 11000. This configuration provides port redundancy and protects against a single point of failure. This also constitutes a competitive advantage over Intel, because Intel requires two 100-Mb Ethernet connections per SSL box (one ingress and one egress).

Secure
  • The Cisco SCA 11000 in conjunction with the Cisco CSS 11000 Series prevents denial-of-service (DoS) attacks for attached devices, including Web servers and caches. The Cisco CSS 11000 determines if an incoming flow is legitimate before it is sent to a back-end device. After intercepting malicious requests, the Cisco CSS 11000 harmlessly terminates the bad connection, while allowing normal traffic to flow at wire speed.

  • The Cisco SCA 11000 stores up to 255 key certificates and efficiently manages SSL traffic across all certificates. Furthermore, it supports chained certificates in cases where a third- or fourth-tier certificate authority is needed for a transaction. By chaining the certificates, the Cisco SCA 11000 can automatically find a trusted certificate authority before processing the SSL transaction. This removes the burden of managing certificate information over a wide number of Web servers.

Intelligent Platforms
  • Cisco SCA 11000 Series—This switch performs all SSL protocol processing, including SSL handshake and decryption/encryption; it is a single-function unit with dedicated processor, cryptography chip, RAM, and special-purpose operating system. The Cisco SCA2 model handles up to 800 SSL transactions per second, and the Cisco SCA model handles 200 SSL transactions per second.

  • Cisco CSS 11000 Series—This content switch identifies and load balances authenticated (Hypertext Transfer Protocol [HTTP]) and SSL (Secure HTTP [HTTPS]) traffic for termination by the Cisco SCA 11000; it intelligently load balances content requests to Web servers and caches for secure traffic, and applies Layer 5-7 intelligence across a distributed processing architecture to deliver content to users at wire speed.

Top Applications

B2C: E-Commerce
  • Companies in many industries transact e-commerce with SSL-based secure connections to provide a secure shopping experience to customers. As customers browse e-commerce sites, they connect via HTTP (not encrypted). After adding items to their "shopping cart," customers click the "Checkout" button to purchase the items in their cart. At this point a new TCP connection is set up to create an SSL session, which encrypts this phase of the transaction. The Cisco SCA 11000 Series speeds up HTTP authentication and SSL decryption/encryption, ensuring customer satisfaction and repeat business.

B2C: Financial/Banking/Insurance and Health Care
  • Financial institutions and health-care providers offer secure services to customers and patients using SSL. Most financial institutions have secure areas where a customer can access real-time investment balances, account history, and other sensitive financial information over the Internet. Health-care organizations need to adhere to strict regulations governing patient privacy, and may utilize SSL technology to ensure that data remains protected when traveling across the Internet or intranets. Customer service, Web site performance, and security are critical to financial and health-care organizations. Simple management and scalability of the Cisco SCA 11000 is ideal for financial and health-care companies with IT administrators who need a high-performance alternative to server-based SSL termination.

B2B: Supply Chain Management
  • As e-business channels emerge and companies rely on channel partners for revenue, and suppliers for timely delivery of goods, efficient supply chain management is critical to overall success. Accessing real-time inventory data, account information, and payment instructions via the Internet poses a security risk that businesses must protect with SSL. Because channel relationships are evolving to the Web, enterprises and Web hosters will need to offer high-performance SSL services to manage inventories.

B2B, B2C: Secure Intranet/Extranet Applications
  • In an enterprise environment, intranet/extranet use for sensitive content (that is, competitive intelligence, price lists, human resources data) requires the use of SSL. With the continuing rise in the number of hacking attacks and security breaches from within corporate intranets, companies must require encryption of sensitive data transferred over the Internet. As an enterprise grows, scalability for secure intranet applications becomes a priority. The Cisco SCA 11000 is an ideal fit for these types of applications.

When to Sell

Cisco SCA 11000 Series Secure Content Accelerator

The Cisco SCA 11000 Series offers a high-performance, feature-rich, standalone SSL accelerator that is ideal for the installed base of Cisco CSS 11000 Series customers who require SSL processing but are waiting to increase the content switching aspect of their data center infrastructure. Available in two versions—the Cisco SCA and SCA2—the Cisco SCA 11000 Series provides the level of SSL processing needed to scale sites with even the highest SSL traffic.

| Performance | Cisco SCA | Cisco SCA2 |
|---|---|---|
| Connection rates | 200 | 800 |
| Concurrent sessions | 5,000 | 20,000 |
| RSA operations per second | 200 | 4,000 |
| SSL session ID cache | 75,000 | 300,000 |
| Number of proxy servers | 255 | 512 |
| Bulk encryption (rc4-128-md5) | 30 Mbps | 70 Mbps |
| Cryptology hardware | Rainbow | BC 5821 |
| RSA hardware | Yes | Yes |
| Hardware-based bulk encryption | Yes | Yes |



Competitive Advantages

Cisco engineered SSL solutions to create industry-leading offerings for SSL traffic management. The Cisco SCA 11000 offers more flexibility than competitive solutions by supporting various configurations, including "one-armed" configurations. The solution has the leading price/performance of any solution on the market, supporting as many as 800 to 1,000 SSL transactions per second. The solution also has scalability that cannot be matched. As SSL requirements increase, capacity can be added in increments of 200 or 800 connections per second, depending on the version of SCA, without having to increase the number of server load balancing (SLB) devices. Scalability of SSL capacity is completely independent of the Layer 2-7 SLB.

Typical Configuration

Recommended Tested Configuration: One-Armed Configuration

This configuration was co-engineered to provide high performance, scalability, and redundancy.

  • High performance—This solution is capable of encrypting/decrypting up to 800 SSL transactions per second, much faster than a typical Web server, which averages only 50 SSL transactions per second.

  • Scalability—Cisco SCA 11000 Series devices are connected to a Cisco CSS 11000 via a one-to-one 100-Mb Ethernet connection. Competitive offerings (Intel) require one port for ingress and one port for egress traffic. As SSL processing requirements increase, up to 15 additional Cisco SCA 11000 devices can be added.

  • Redundancy—Redundant ports on the Cisco SCA 11000 protect against a single point of failure.


Figure 1.  Recommended Configuration


Useful Links

Cisco SCA 11000 product information: http://www.cisco.com/go/sca

Cisco CSS 11000 product information: www.cisco.com/go/contentswitch

Ordering Information

Cisco SCA 11000 Part Numbers

| Part Number | Product |
|---|---|
| SSL-SCA-2FE-K9 | Cisco SCA 11000 |
| SSL-SCA2-2FE-K9 | Cisco SCA2 11000 |

Additional Tested and Approved Configurations

Alternate Tested Configuration: Inline Configuration

This configuration is ideal for light traffic loads, has minimal impact on rack space, and is very cost-efficient.

  • High performance—This solution is capable of encrypting/decrypting up to 800 SSL transactions per second, much faster than a typical Web server, which averages up to 50 SSL transactions per second.

  • In this configuration, the Cisco SCA 11000 device is deployed inline to monitor inbound traffic and identify SSL (port 443) traffic before it is passed to the Cisco CSS 11000. When an SSL request is identified, the Cisco SCA 11000 device decrypts data within the request and passes it down to the Cisco CSS 11000 (port 81) for intelligent Layer 5/7 load balancing. For all non-SSL types of end-user requests (port 80), the Cisco SCA 11000 device transparently passes the request directly to the Cisco CSS 11000.


Figure 2. Inline Configuration


Alternate Tested Configuration: Sandwich Configuration

In this configuration, secure SSL traffic is passed on one port, while all non-SSL traffic passes on a separate port.

  • High performance—This solution is capable of encrypting/decrypting up to 800 SSL transactions per second, much faster than a typical Web server, which averages up to 50 SSL transactions per second.

  • As encrypted inbound port 443 SSL traffic hits the front-end Cisco CSS 11000 Switch, it is transparently passed (via a specific port) down to a Cisco SCA 11000 device, which then handles the decryption. Decrypted requests are then passed to a downstream Cisco CSS 11000 Switch (port 81 to a virtual IP address), which intelligently load balances the requests.


Figure 3.  Sandwich Configuration