Internet Security: A Jumpstart for Systems Administrators and IT Managers

SSL appliances offload public-key cryptographic functions from servers. By generating keys with a dedicated appliance, the risk of overloading the web server with secure sessions is minimized and the SSL transactions are only a few milliseconds faster. However, since key generation time is a relatively small portion of total object access time, most SSL appliances increase the SSL capacity of a system but do not provide any noticeable acceleration of the SSL transaction.
SSL appliances are often deployed behind a server load balancer (see Figure 5.1). One-arm mode installation is not recommended with an SSL appliance due to the limitations in scalability and availability.
Installation is easier and security is improved if the SSL appliance includes internal load balancing and intelligent failover and can be deployed as shown in Figure 5.2.
The SSL appliance may support one-way SSL to clients, end-to-end SSL to clients and internal servers, or both modes of operation.
In one-way SSL, the SSL appliance and client exchange a key, then the client can send an encrypted request to the SSL appliance where it is decrypted and sent to the server for processing. The unencrypted response comes back from the server, is then encrypted by the SSL appliance, and sent back out to the client.
In end-to-end SSL, the SSL appliance must exchange a key with the client, and, in a separate transaction, exchange a different key with the web...