Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide
SSL acceleration on the ServerIron ADX
Public key 
The other half of a key pair, a public key is held in a digital certificate. Public keys are usually 
published in a directory. Any public key can encrypt information; however, data encrypted with a 
specific public key can only be decrypted by the corresponding private key.
We recommend that you always back up your SSL certificate keys. These keys may be lost in the 
event of module failure.
SSL acceleration on the ServerIron ADX
The ServerIron ADX SSL module provides hardware-accelerated encryption and decryption services 
to clients. The ServerIron ADX sits between clients and servers, and all client traffic is terminated on 
the switch. When traffic is decrypted, the ServerIron ADX analyzes the data and selects a server 
to which the connection traffic can be forwarded. The ServerIron ADX then opens a new connection to 
that server and passes all data to it. On the return path, the ServerIron ADX receives all 
data from the server, encrypts it, and forwards it to the client. For every incoming connection from 
the client, the ServerIron ADX maintains an additional connection to the server. Both connections 
are completely separate. The ServerIron ADX essentially acts as a proxy.
SSL acceleration on the ServerIron ADX can be configured to operate in either of the following two modes:
SSL Termination Mode – In SSL Termination mode, an SSL connection is maintained between 
a client and a ServerIron ADX. The connection between the ServerIron ADX and the server is 
not encrypted.
SSL Full Proxy Mode – In SSL Full Proxy mode, one SSL connection is maintained between a 
client and a ServerIron ADX and a separate SSL connection is maintained between a 
ServerIron ADX and a server. This connection allows for traffic encryption to be maintained all 
the way from the client to the server and back.
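
The two modes differ in what appears on the ServerIron ADX-to-server leg: cleartext in SSL Termination mode, a second SSL/TLS handshake in SSL Full Proxy mode. The following Python is an added example, not taken from the Brocade guide; it classifies the first client-to-server bytes captured on each leg, and the function names and sample byte strings are constructed for illustration (it assumes HTTP as the proxied application protocol).

```python
import re
import struct

# Constructed sample captures: the first bytes sent toward the server on a leg.
TLS_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
HTTP_REQUEST = b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"

# HTTP/1.x request line, e.g. b"GET / HTTP/1.1\r\n"
HTTP_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

def classify_leg(first_bytes: bytes) -> str:
    """Return 'tls', 'cleartext-http' or 'unknown' for the start of a TCP stream."""
    if len(first_bytes) >= 6:
        ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
        # TLS record header: content type 22 (handshake), version 3.x,
        # plausible record length, then handshake type 1 (ClientHello).
        if (ctype == 22 and major == 3 and minor <= 4
                and 0 < length <= 2 ** 14 and first_bytes[5] == 1):
            return "tls"
    if HTTP_LINE.match(first_bytes):
        return "cleartext-http"
    return "unknown"

def infer_mode(client_leg: bytes, server_leg: bytes) -> str:
    """Map the two legs of one proxied session to the modes described above."""
    if classify_leg(client_leg) != "tls":
        return "client leg not SSL"
    back = classify_leg(server_leg)
    if back == "tls":
        return "SSL Full Proxy"
    if back == "cleartext-http":
        return "SSL Termination"  # application data is readable on this segment
    return "undetermined"

if __name__ == "__main__":
    print(infer_mode(TLS_CLIENT_HELLO, HTTP_REQUEST))      # termination
    print(infer_mode(TLS_CLIENT_HELLO, TLS_CLIENT_HELLO))  # full proxy
```

A result of "SSL Termination" means everything the client sent under encryption crosses the segment between the ServerIron ADX and the server in the clear, so that segment needs to be trusted or otherwise protected.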
For details on how to configure a ServerIron ADX for SSL Termination and Proxy modes, see 
 and for examples of 
how to create the configurations shown in this section se
SSL Termination Mode
In this mode, the ServerIron ADX terminates the SSL connections, decrypts the data, and sends 
clear text to the server. The ServerIron ADX offloads the encryption and decryption services from 
the server CPU and performs them in hardware, relieving the server of that burden.
The ServerIron ADX maintains an encrypted data channel with the client and a clear-text data 
channel with the server.
Figure  shows a topology that terminates SSL on the ServerIron ADX.
ServerIron ADX SSL Termination