Sometimes putting security solutions in place will undo all the work that has been done to accelerate an application. I'm not saying to throw security out the window because acceleration is more important; both are equally important and can work together. Let's look at three scenarios: SSL, SSL VPNs and web application firewalls.


SSL is critical when sending secure or private data across the Internet. However, when content is provided over SSL, the performance of the application is often degraded because additional work is created for the servers. Fortunately, SSL can be offloaded to an application delivery controller, reducing or eliminating the performance hit. Offloading SSL frees up resources on the server and can accelerate application delivery by providing SSL in hardware.


Here's the dilemma with SSL VPNs:

  • SSL VPNs are designed so that remote users can access corporate resources from anywhere: home offices, airports, or hotels.
  • Remote users are precisely the ones that need acceleration technologies the most.
  • SSL VPNs like FirePass have settings that will overwrite the cache-control headers provided by the server or WebAccelerator, reducing or eliminating the acceleration gains.

Check the settings on the VPN to make sure they aren't counteracting the acceleration policies in place, and make sure the acceleration policy is not set to cache highly confidential information. In all likelihood the images from the corporate portal can be cached by the client; the pages, however, shouldn't be.

Web Application Firewalls

With PCI compliance directives, many companies have deployed web application firewalls; however, they still want to provide application acceleration. A web application firewall and an acceleration solution can be deployed together so you get all the benefits of acceleration and still maintain a high level of security. Say your application security policy contains a rule that users are not able to access a document unless they are logged in and have a valid cookie; if the document is accessed without this cookie, the user should be presented with a login page. This document is static and can easily be served from a shared cache, but first the presence of the cookie needs to be confirmed. A rule in the acceleration policy would be defined to say that if the cookie is absent, the request is proxied to the server (or in this case, the web application firewall). The rules from the security policy would then fire and the user would be presented with a screen to log on. You're still maintaining the security rules but also offloading the server from having to serve the static document.
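
The cookie rule above, together with the earlier point that portal images may be cached but pages should not, can be modelled as a small shared cache in front of the web application firewall. This is an added example, not code from any F5 product; the cookie name, paths and function names are hypothetical.

```python
# Added illustration: a toy shared cache in front of an origin (the WAF).
# SESSION_COOKIE, origin() and handle() are hypothetical names.
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"   # assumed cookie name
CACHE = {}                   # path -> (headers, body), shared by all users
ORIGIN_HITS = []             # paths the origin/WAF had to serve


def origin(path, cookies):
    """Stand-in for WAF + server: it enforces the login rule itself."""
    ORIGIN_HITS.append(path)
    if SESSION_COOKIE not in cookies:
        return 200, {"Cache-Control": "no-store"}, "login page"
    if path.endswith(".pdf"):
        return 200, {"Cache-Control": "public, max-age=3600"}, "static document"
    return 200, {"Cache-Control": "private, no-store"}, "portal page"


def storable(headers):
    """Only store what the origin marked as safe for a shared cache."""
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return "public" in directives and not directives & {"private", "no-store"}


def handle(path, cookie_header=""):
    """Return (source, body); source is 'cache' or 'origin'."""
    cookies = SimpleCookie(cookie_header)
    # Acceleration rule from the text: cookie absent -> proxy to the WAF,
    # and never answer from (or fill) the shared cache on that path.
    if SESSION_COOKIE not in cookies:
        _, _, body = origin(path, cookies)
        return "origin", body
    if path in CACHE:
        return "cache", CACHE[path][1]
    _, headers, body = origin(path, cookies)
    if storable(headers):
        CACHE[path] = (headers, body)
    return "origin", body
```

The rule checks only that the cookie is present, as in the text, so a request carrying the cookie is answered from cache without reaching the web application firewall. Any check of the cookie's value would therefore have to happen at the cache tier as well.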