SSL Services Module for the
Cisco Catalyst 6500 Series and Cisco 7600 Series
The SSL Service Module is an integrated service module for the Cisco® Catalyst® 6500 Series and Cisco 7600 Series Internet Routers that offloads processor-intensive tasks related to securing traffic with Secure Sockets Layer (SSL), increases the number of secure connections supported by a Web site, and reduces the operational complexity of high-performance, Web server farms.
Key features of the SSL Service Module include:
•Server SSL offload—performs all SSL-related tasks, allowing servers to handle high-speed clear text traffic
•Scalable performance—provides a simple means of addressing increased performance requirements by installing additional SSL modules in a Cisco Catalyst 6500 switch
•Stickiness—maintains persistence even when clients request new session IDs, in Integrated Mode with Content Switching Module (CSM)
•Certificate optimization—provides cost savings by requiring only a single certificate copy vs. a copy for each server subject to customer and certificate authority agreement
•Backend encryption—offers end-to-end security by also encrypting the communication between the module and the servers
Up to four SSL service modules can be installed in each chassis providing the fastest SSL session setup rates and bulk encrypted throughput in the industry and supporting the highest number of concurrent connections:
•3000 connection setups/second per module—10,000 per chassis fully populated with SSL modules
•300 Mbps bulk encrypted throughput per module—1.2 Gbps per chassis fully populated with SSL modules
•64,000 concurrent client connections per module—256,000 per chassis fully populated with SSL modules
The SSL Service Module offloads all SSL processing, allowing the end Web and eCommerce servers to process more requests for content and handle more e-transactions—providing a multifold increase in the performance of eCommerce and secure sites using encryption.
As eCommerce continues to grow and involve more applications, security in business-to-consumer (B2C) and business-to-business (B2B) transactions becomes essential. In B2C transactions, analysts estimate that more than 70 percent of consumers avoid making online transactions for fear that someone will steal their credit card numbers. As a result, SSL has become the de facto standard for securing e-commerce transactions.
Businesses use the Internet to streamline operations, improve customer service, and close sales. Businesses are also moving legacy applications to the Web and opening them to intranet and extranet use—requiring them to provide high-speed, secure, authenticated access to confidential information. Increasingly, businesses are using SSL accelerators to perform authentication, encryption, and decryption processing.
Major SSL Service Module Benefits
In the old client/server SSL model, SSL processing is embedded within servers via SSL NIC cards. Drawbacks to this older model include:
•Persistent connections cannot be established and sessions are lost when clients request new SSL IDs, resulting in lost revenue
•Certificate copies must be purchased for each server in the server farm, increasing costs unnecessarily
•Web servers must be added to scale SSL transaction capacity, increasing costs and spreading disruption throughout the server farms
•Web servers waste processing capacity in establishing SSL sessions, driving up costs
Cisco responded to these drawbacks by introducing the integrated SSL Service Module, providing the following benefits:
The SSL Service Module provides the best price/performance of any SSL accelerator on the market. Cost of maintenance is included in the maintenance contract of the Cisco Catalyst chassis, providing cost savings on annual service contracts. By offloading the processing-intensive SSL termination burden from the Web servers, the SSL Service Module eliminates the need to purchase additional servers. Multiple modules can be installed in a chassis, conserving rack space, which is especially important where rack space is at a premium.
Server SSL Offload
The SSL Service Module offloads the SSL termination function from the Web server, allowing the Web server to increase its performance accordingly. Further performance increases occur when a content switch, such as the Cisco CSM, load balances SSL traffic among SSL modules, using standard load balancing algorithms, and maintains SSL session ID stickiness with SSL modules.
Integrated Content Switching Modules or external load balancing appliances can load balance secure HTTPS content requests to multiple Cisco SSL service modules—maximizing SSL termination performance and providing SSL scalability. SSL modules offload SSL processing from Web servers allowing them to handle peak traffic demands without degrading the user experience. Because SSL processing is centralized in the switch, it can be scaled easily by adding additional modules, without interrupting processing.
In Integrated Mode, the SSL Service Module and CSM maintain persistent client-to-SSL device sessions when client browsers renegotiate SSL IDs or when the source IP addresses are modified—events that often occur in wireless traffic flows and when traffic moves through gateways. The SSL Service Module and CSM also maintain persistence by using cookie sticky to stick clients to Web servers—optimizing overall user experience. Additionally, when SSL modules are installed in redundant configurations, user session state is maintained even when hardware failures occur.
Ease of Management and Configuration
The SSL Service Module integrates SSL processing within the infrastructure and allows any port on the Cisco Catalyst 6500 Switch to operate as an SSL port. The SSL Service Module simplifies security management while encrypting user data to the Web servers, providing privacy, confidentiality, and authentication using a wide range of certificates, including Netscape and VeriSign.
When SSL modules and a CSM are installed in a Cisco Catalyst 6500 configuration, SSL traffic is maintained if failures occur. The failover capabilities of the SSL Module, and the Content Switching Module provide an extremely fault-tolerant solution.
Certificate Cost Reduction
SSL certificates reside on the Cisco SSL module that "front ends" multiple Web servers, centralizing certificate management, eliminating the need to purchase/manage certificates for individual servers, and reducing licensing costs.
Configuration Modes and Traffic Flow
The Cisco SSL Service Module can be installed in two basic configurations:
•Integrated mode—Integrated with the CSM
•Standalone mode—Using external server load balancer
Integrated Mode Configuration
As shown in Figure 2, the SSL Module, when integrated with the CSM, provides encrypted traffic flow and load-balanced connections between a client and server.
Figure 2: SSL Module Integrated Mode Configuration
Clients send encrypted traffic on port 443, the standard SSL port. The CSM listens on port 443 and load balances the encrypted traffic to an internal "server farm" of SSL modules. The selected SSL Service Module decrypts the traffic, stamps it with an SSL Session ID, opens a clear-text connection to a Versatile Interface Processor (VIP) on the CSM, and sends the traffic to a port that has been configured to receive "decrypted SSL traffic", for example port 81.
The CSM receives the decrypted traffic, makes a load balancing decision to select a Web server, and forwards the traffic. When the CSM receives return traffic from the Web server, it sends it to the SSL Service Module that opened the connection.
The SSL Module receives the unencrypted traffic, encrypts it, and sends it back to the CSM from port 443. The CSM receives the encrypted traffic and sends it back to the client.
Note: The selected SSL Module and the client use SSL Session IDs for all the TCP connections that make up that flow. The CSM also uses a portion of that SSL Session ID to stick the selected SSL Service Module to that client. If a client requests a new SSL session ID from the SSL Service Module, the CSM is able to keep the client and the selected SSL Service Module "stuck" together.
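To make the session-ID stickiness concrete, here is an added Python model of the CSM's role in the flow above; it is not Cisco code and not the CSM's implementation. It pulls the session ID out of the ClientHello and ServerHello messages (RFC 2246 framing), round-robins new sessions across the SSL modules, and learns the ID each module issues so that later connections that resume or renegotiate that ID stay on the same module. It assumes the whole session ID is the sticky key (the page says the CSM uses a portion of it) and that module names are plain labels.

```python
import struct

# TLS 1.0 (RFC 2246) framing the CSM has to look into to find the session ID:
#   record = type(1) version(2) length(2) fragment
#   hello  = msg_type(1) length(3) version(2) random(32) sid_len(1) session_id ...
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2


def parse_session_id(record: bytes) -> bytes:
    """Return the session_id of a ClientHello/ServerHello (b'' if the hello carries none)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (frag_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + frag_len]
    if len(hs) < 4 or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                      # version + random + sid_len
        raise ValueError("truncated hello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("invalid session_id length")
    return body[35:35 + sid_len]


def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed minimal hello for the demo; cipher suites etc. are omitted."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


class CsmSslSticky:
    """Sticky table keyed on the SSL session ID (assumption: full ID as the key)."""

    def __init__(self, modules):
        self.modules, self.next, self.table = list(modules), 0, {}

    def client_hello(self, record: bytes) -> str:
        """Pick the SSL module for a new client TCP connection; known IDs stay stuck."""
        sid = parse_session_id(record)
        if sid in self.table:
            return self.table[sid]
        module = self.modules[self.next % len(self.modules)]  # round-robin for new sessions
        self.next += 1
        return module

    def server_hello(self, module: str, record: bytes) -> None:
        """Learn the ID the selected module issued so later resumptions of it stick."""
        sid = parse_session_id(record)
        if sid:
            self.table[sid] = module
```

A client that renegotiates gets a fresh ID from its module; because the CSM learns that ID from the module's ServerHello, the client's next connection still lands on the same module.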
Standalone Mode with a CSS or Other Server Load Balancer
In Standalone mode, shown in Figure 3, the SSL Service Module is installed in the Cisco Catalyst 6500 chassis without server load balancing (either hardware or software) inside the chassis.
Figure 3: SSL Module Standalone Mode Configuration
The Cisco Catalyst 6500 uses ACLs containing entries that associate IP addresses and port numbers to direct traffic flows from clients to SSL modules and from servers to SSL modules. In the client-to-server direction, the ACL identifies data flows that need to be directed to server port 443, the SSL port. The Cisco Catalyst 6500 allows normal data traffic that is not associated with an ACL entry to go directly to a server, without first directing it to the SSL module.
The Standalone mode traffic flow is very similar to the flow in Integrated Mode, with the following exceptions:
•The SSL session ID sticky feature is not available
•Clients and servers must be on separate subnets
•The server may be a real server address, or the virtual address of a cluster of real servers
•Depending on the capability of the server load balancer, the cookie sticky feature may or may not be available
No licensing is required.
•Supervisor 720 or Supervisor 2/Multilayer Switch Feature Card 2 (MSFC2)
•Native Cisco IOS® software release 12.1(13)E or higher
•Hybrid CatOS minimum software release 7.5(1)
•Occupies one slot in a Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Internet Router
•Max of four SSL modules in the same chassis
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -40° to 167°F (-40° to 75°C)
Relative humidity: 10% to 90%, noncondensing
Operating altitude: -60 to 4000 m
CSA C22.2 No. 950-95
FCC Part 15 Class A
ICES-003 Class A
VCCI Class B
EN55022 Class B
CISPR22 Class B
AS/NZS3548 Class B
SR-3580—NEBS: Criteria Levels (Level 3 Compliant)
GR-63-CORE—NEBS: Physical Protection
GR-1089-CORE—NEBS: EMC and Safety
ETS-300386-2 Switching Equipment
ITU-T G.783 Sections 9-10
ITU-T G.957 Table 3
ETSI ETS 300 417-1-1
TAS SC BISDN (1998)
ACA TS 026 (1997)
BABT /TC/139 (Draft 1e)