Secure, Scalable E-Commerce Web Sites (2001)


12/01

51-30-33

DATA COMMUNICATIONS MANAGEMENT

SECURE, SCALABLE E-COMMERCE WEB SITES

Duane Sharp

INSIDE

Keeping Web Sites Open for Business; Characteristics of E-Commerce Traffic; Ensuring Transaction Security and Reliability; Security Alternatives; E-Commerce Web Site Configurations; Priority Services for Premium Customers

E-commerce is rapidly becoming a preferred way of doing business, and many companies throughout the world view this new commercial highway as an important source of revenue. This is true for dot.com companies and traditional enterprises alike.

Businesses need to ensure the performance of fast-growing E-commerce Web sites while providing business transaction integrity, positive shopping experiences for customers, and continuous availability of their virtual storefronts.

Web business operations need to deliver rapid transaction response time and manage peak-period volume levels, from both seasonal increases in traffic and from unexpected surges in customer demand. Customers will return to E-commerce sites that offer consistently high levels of reliability and avoid sites with slow response times, difficult shopping experiences, or failed purchase attempts.

PAYOFF IDEA

E-commerce is rapidly becoming a preferred way of doing business, and many companies throughout the world view this new commercial highway as an important source of revenue. Enterprises need to ensure the performance of fast-growing E-commerce Web sites while, at the same time, providing business transaction integrity, positive shopping experiences for customers, and continuous availability of their virtual storefronts. This article details some key technical elements essential for ensuring that E-commerce sites remain open for business.

Auerbach Publications © 2001 CRC Press LLC

KEEPING WEB SITES OPEN FOR BUSINESS

Ensuring that E-commerce sites remain open for business requires some key technical elements; these include:

• Providing persistent (so-called “sticky”) network connections between customers and E-commerce servers, so shopping carts are not lost before purchase transactions are completed

• Delivery of differentiated, customer- and content-focused services

• Providing stable, reliable performance

In some business sectors, suppliers recognize that certain customers and content deserve prioritized service because of their strategic value to the business. This can be accomplished by specialized content-oriented switching products, such as those offered by Cisco Web Network Services and other network product vendors.

The software design of these switches allows corporations with E-businesses to build secure E-commerce sites that are both reliable and scalable. These Web sites will support high-volume E-commerce transactions, and provide a consistently positive user experience and prioritized services for important customers.

The technical challenges associated with building competitive E-commerce Web site infrastructures arise from three common Internet traffic scenarios:

• Authenticated/nonencrypted Hypertext Transfer Protocol (HTTP)-based transactions: for transactions where security requirements are less demanding and the need for site performance is high (e.g., in catalog browsing)

• End-to-end encrypted Secure Sockets Layer (SSL)-based transactions: for transactions where high-security E-commerce applications are required (e.g., for banking or online trading)

• Authenticated/encrypted transactions: transactions that combine HTTP connections for browsing and SSL connections for purchases (e.g., high-volume purchasing applications that need to optimize site performance by limiting SSL overhead)

CHARACTERISTICS OF E-COMMERCE TRAFFIC

E-commerce is an accepted method of enhancing sales because of its efficiencies in connecting buyers directly with sellers and reducing sales costs.

Developing and managing an E-commerce infrastructure is a major challenge for both established and emerging companies. A single Web-based transaction can span multiple servers, applications, and databases, and companies must be able to connect users seamlessly to these resources throughout the life of their shopping session. This can only be accomplished by creating “sticky connections” between a customer and a single server — regardless of the type of connection used (HTTP, SSL, or a combination of these connections).

Successful E-commerce sites must overcome several other obstacles resulting from the rapid growth of E-commerce traffic; these obstacles include:

• Providing scalable solutions that can handle the high traffic volumes

• Providing Web site capability to respond to spiking requirements

• Providing the capability to rapidly scale site capacity to accommodate increases in demand

• Maintaining high levels of security

Companies must deliver consistently fast response times so that buyers can quickly and easily purchase products or services online. Just as retail stores with long lines at the checkout counter lose customers unwilling to wait, E-commerce sites need to make sure that long waits and annoying errors do not result in lost customers. High levels of reliability require carrier-class networking equipment that can deliver the 24×7 availability demanded by E-commerce customers.

Security Issues and DoS

In addition to delivering a responsive service, the site must provide a secure transaction environment. Security can be a major obstacle to the successful deployment of an E-commerce site. Equipment failure and revenue-reducing downtime must be eliminated or minimized, and the site must be able to withstand denial-of-service (DoS) attacks.

DoS attacks are deliberate attacks on Web sites, and typically involve the misuse of standard protocols or connection-setup processes with the intent to overload and disable the targeted Web servers. Per-flow filtering of content requests, without degrading performance, is a required characteristic of an E-commerce Web site so that policy-based security can be implemented. This process examines any combination of source address, destination address, protocol type, or content URL (Uniform Resource Locator) to determine whether a request should be admitted.
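As an added illustration of the per-flow, policy-based filtering just described (this is example code written for this edit, not the article's or any switch vendor's implementation), the following Python models a switch that evaluates each content request against rules on source, destination, protocol, port and URL prefix, and applies a per-source rate cap as a simple brake on connection floods. The addresses, URLs and thresholds are constructed sample values.

```python
"""Policy-based, per-flow filtering of content requests (added example)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One content request as the switch sees it; url is None for non-HTTP flows."""
    src: str
    dst: str
    proto: str
    dport: int
    url: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """Match on any combination of source, destination, protocol, port and URL prefix."""
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # CIDR; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    url_prefix: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.url_prefix is not None and not (f.url or "").startswith(self.url_prefix):
            return False
        return True


class RateLimiter:
    """Sliding-window cap on new flows per source address: a brake on connection floods."""
    def __init__(self, max_flows: int, window: float) -> None:
        self.max_flows = max_flows
        self.window = window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        q = self._seen[src]
        while q and now - q[0] > self.window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.max_flows:
            return False
        q.append(now)
        return True


class FlowFilter:
    def __init__(self, rules: List[Rule], limiter: RateLimiter, default: str = "deny") -> None:
        self.rules = rules
        self.limiter = limiter
        self.default = default

    def decide(self, f: Flow, now: float) -> str:
        """First matching rule wins (default deny); permitted flows still face the per-source cap."""
        verdict = self.default
        for r in self.rules:
            if r.matches(f):
                verdict = r.action
                break
        if verdict != "permit":
            return "deny"
        return "permit" if self.limiter.allow(f.src, now) else "deny:rate"


# Constructed policy for a hypothetical storefront at 203.0.113.10 (documentation addresses).
POLICY = [
    Rule("deny", url_prefix="/admin/"),                              # admin UI never reachable from outside
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),
]


def run_demo() -> Dict[str, object]:
    """Constructed traffic: a catalog request, an admin probe, a stray telnet, and a 30-connection burst."""
    flt = FlowFilter(POLICY, RateLimiter(max_flows=20, window=1.0))
    out: Dict[str, object] = {}
    out["catalog"] = flt.decide(Flow("198.51.100.7", "203.0.113.10", "tcp", 80, "/catalog/shoes"), 0.0)
    out["admin"] = flt.decide(Flow("198.51.100.7", "203.0.113.10", "tcp", 80, "/admin/users"), 0.1)
    out["telnet"] = flt.decide(Flow("198.51.100.7", "203.0.113.10", "tcp", 23), 0.2)
    burst = [flt.decide(Flow("192.0.2.99", "203.0.113.10", "tcp", 80, "/"), 0.5 + i * 0.01)
             for i in range(30)]
    out["burst_permitted"] = burst.count("permit")
    out["burst_rate_denied"] = burst.count("deny:rate")
    return out


if __name__ == "__main__":
    print(run_demo())
```

First match wins with default deny, and a permitted flow is still dropped once its source exceeds the cap inside the window. A real switch does this in hardware at wire speed and bounds its state; here the rate table grows with the number of sources seen, which a production filter would have to age out.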

Protecting personal information is also a major security concern. Companies need to evaluate the optimum security level for each site and analyze the impact of encryption techniques on both the scalability and performance of the site.

In addition to protecting personal information, E-commerce businesses must protect mission-critical back-end systems without creating the performance bottlenecks associated with traditional firewalls. One of the major challenges for deploying secure E-commerce sites is to build sites with fast response times that can scale efficiently.

Switching Technology Parameters

To ensure that busy E-commerce Web sites meet the requirements described above, it is important to apply appropriate switching technology. Traditional Layer 4 switches and the first generation of “content-aware” switches are not capable of providing the high performance required by an E-commerce Web site, or of balancing traffic loads across Web server farm and caching resources. These network components were originally designed for address-based switching, and are only capable of differentiating applications based on the identity of well-known TCP ports and source and destination IP addresses.

Load Balancing

E-commerce traffic generally consists of HTTP requests for content, and conventional load balancers cannot differentiate between multiple HTTP requests for different content URLs, or between individual customers based on user cookies. Layer 4 switch architectures with content-aware software upgrades provide limited (40 to 80 contiguous bytes) visibility into HTTP header information, but E-commerce solutions require increased switching intelligence.

URL- and cookie-based switching let network managers tailor customer- or content-specific service agreements; offer premium services for preferred customers; and deploy content-delivery services for streaming audio and video, distance learning, and Internet audio and video broadcasting. Support for sticky connections based on IP address, SSL session ID, and cookies ensures reliability and security for E-commerce transactions.

Content Switching

Content-switching technology provides the capability for switches to determine the following information:

• Customer identification, based on full visibility to the user cookie located anywhere within the HTTP header

• How to service the customer efficiently and effectively, based on current information on network, application, and server conditions

• Information or transaction requested

Switching products with the capability to analyze site visits and provide responses to these three issues have the capability to access information within the TCP and HTTP headers, including the complete URL and “mobile” cookies that change location within the header between requests. This information is used to enable advanced load balancing, routing of requests, security (DoS and access control), priority access for important customers, and sticky connections.

Other features of this switching technology include:

• Enabling organizations to improve reliability and response time by examining content requests in detail

• Directing users to the best site and best server at that moment

• Avoiding busy or overloaded sites

• Dynamically replicating hot content across the network


When users are connected to a server, these switches ensure they stay connected to a single server for the duration of their transaction, using the source IP address or address range, TCP port, SSL session ID, and even cookies embedded in the users’ request. However, “content-aware” solutions cannot deal with complex cookie streams, nor can they provide the successful transition between cookie-based policies and SSL-encrypted portions of the transactions.

E-commerce sites can mitigate debilitating DoS attacks by using security features built into these products, which provide wire-speed, per-flow filtering of content requests with no performance penalty. Filtering at the switch stops malformed or policy-violating requests before they reach the servers; it does not help against a flood large enough to saturate the site's upstream bandwidth.

ENSURING TRANSACTION SECURITY AND RELIABILITY

The SSL (Secure Sockets Layer) protocol is an end-to-end encryption mechanism and is currently the primary means of encrypting Web transactions. This protocol was developed by Netscape Communications to enable encrypted and authenticated communications across the Internet; its standardized successor is TLS (Transport Layer Security).

SSL is primarily used to establish secure connections between Web servers and browser clients, and provides privacy, authentication, and message integrity. If a Web address begins with https, the browser is using an SSL-protected connection. During the SSL handshake the server presents its certificate (and the client may optionally present one of its own), the two sides negotiate cipher algorithms, and they establish a symmetric session key known only to them; the public key in the server's certificate is used to set up that session key, and the session key then encrypts the traffic in both directions so that only the intended recipient can decrypt it. A message authentication code on each record ensures that the flow has not been altered along the way, and the server certificate lets the browser verify that it is talking to the intended site. Authentication of the user, by contrast, is only provided at this layer when the client presents a certificate; otherwise it is left to the application (for example, a password sent over the encrypted connection).

Despite its usefulness and widespread adoption for Internet transactions, SSL imposes significant processing overhead on servers, and this overhead can significantly affect E-commerce site performance. Bulk encryption and decryption of the data contribute, but the most substantial cost is the public-key computation performed during the handshake that negotiates each session's keys. Several approaches to increasing SSL performance are commonly used.

Security Alternatives

To minimize the effects of this overhead, three alternative methods are commonly used:

• Integrating encryption directly into business applications offers the tightest security. Traffic flow is encrypted from the client directly to the application; however, the computing-intensive encryption process will consume significant Web server resources.

• Deploying hardware-based encryption accelerators in the Web server itself to improve SSL performance.

• Employing dedicated devices that sit in the path to the server farm and process all SSL traffic for all servers in the server farm. Although this offloads processing from Web servers onto dedicated devices, it is complicated to administer, may not scale for busy Web sites, and creates a potential security exposure between the hardware accelerator and the Web server if the traffic on that segment is not encrypted.

A single dedicated encryption device can handle more SSL requests than one or even several nonaccelerated servers. However, using hardware accelerators on a per-server basis is preferable because it provides linear scalability as servers are added, at the cost of installing and protecting the site's private key on every server rather than in one place.

E-commerce sites need the flexibility to balance security and site performance based on their unique business requirements. The capability to maintain sticky connections requires the site to support all three of the following E-commerce security scenarios:

• Authenticated transactions based on HTTP connections

• Transactions encrypted end-to-end with SSL connections

• Hybrid transactions that combine both types of connections

Organizations can evaluate the three basic means of securing E-commerce Web sites and select the most appropriate option with the knowledge that the solution can scale effectively to support more customers and new business initiatives in the future.

E-COMMERCE WEB SITE CONFIGURATIONS

There are three basic E-commerce Web site security configurations:

• E-Commerce Scenario 1 — Authenticated Transactions: for sites that authenticate users without encrypting each customer’s connection. SSL processing overhead is minimized and high levels of scalability are supported.

• E-Commerce Scenario 2 — Transactions Encrypted End to End with SSL: for E-commerce sites requiring the highest levels of security to enable business transactions over the Web, and where authentication alone is not sufficient.

• E-Commerce Scenario 3 — Hybrid Transactions Using HTTP and SSL: the most common security scenario for E-commerce Web sites is a hybrid of authenticated (HTTP) and encrypted (SSL) connections, allowing these sites to deploy the optimum level of security for each stage of the transaction while minimizing processor overhead.

In the following paragraphs, each of these scenarios is described in detail.


Web Site Scenario 1

An example of this scenario is a market research site that allows users to access its proprietary research online. After the user enters name and password, the system conducts a database lookup to confirm that the user has paid for access to the site and will then grant access to the subscriber area. Note that in this scenario the password itself crosses the network on the unencrypted HTTP connection; sites concerned about credential theft protect at least the login step with SSL.

Preventing an authenticated subscriber from losing the continuity of the session is essential to customer satisfaction. Customers will not tolerate continuous disconnects each time the session is passed to a different server, and many will not bother to re-authenticate to regain access.

Because HTTP is stateless and carries no information on the state of these applications, it is important that the browser maps to the same server for each HTTP request until the transaction is complete. This ensures that the user is not load balanced in mid-session to a different server and forced to log in again.

Although traditional load balancers can provide sticky connections using IP source address and TCP port, this is dependent on the client maintaining a consistent source IP address for the full session. If the user is coming to the site through a proxy server, traditional load-balancing products do not have sufficient information to reliably connect the user to the same server to complete the transaction.

The source IP address is not sufficient to identify the client because, in the case of an outbound client proxy, the same source IP address can be used by any number of clients. If the proxy server fails and its users are moved to another, or a proxy farm spreads a user's requests across several egress addresses, the source IP can change; therefore, the IP header itself is not a reliable means of identification.

Sticky connections can be maintained using cookies to identify individual customers. The Web-server application sets a cookie containing a server-specific string, and the Web switch is configured to locate this string at a specified byte range following the cookie name in the Cookie header of each subsequent HTTP request. The Web switch associates the cookie with a specific service and directs the request to that service, transparently to the user.

As noted previously, traditional routers, load balancers, and content-aware switches are insufficient for this critical task because dynamic higher-layer information is needed to find and process the cookie. For this application, switch products are required that support sticky connections based on these parameters:

• Source IP address

• Address range

• TCP port

• SSL session ID

• A cookie embedded in the user’s HTTP header

This feature is key to enabling sophisticated E-commerce applications by providing sticky client/server connections based on the unique information embedded in the cookie.
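The cookie-based stickiness of Scenario 1, as an added example (not code from the article or from any switch vendor): a small Python model of a Web switch that parses the HTTP request head, reads a server-specific cookie (the cookie name SRV, the server names and the requests are assumptions constructed for the example) and pins the request to the named server, falling back to the least-loaded live server when the cookie is missing or names a server that is down. For contrast, the same switch in source-IP mode shows the mega-proxy failure the text describes.

```python
"""Cookie-based sticky connections on a Web switch (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STICKY_COOKIE = "SRV"   # assumed name of the server-specific cookie the application writes


@dataclass
class Server:
    name: str
    alive: bool = True
    active: int = 0


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], Dict[str, str]]:
    """Split an HTTP/1.x request head into method, path, headers and the parsed Cookie header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            cookies[k] = v
    return method, path, headers, cookies


class WebSwitch:
    """mode="cookie": pin on the SRV cookie.  mode="ip": pin on the source address (for contrast)."""
    def __init__(self, servers: List[Server], mode: str) -> None:
        self.servers = {s.name: s for s in servers}
        self.mode = mode
        self.ip_table: Dict[str, str] = {}

    def _least_loaded(self) -> Server:
        return min((s for s in self.servers.values() if s.alive), key=lambda s: s.active)

    def route(self, src_ip: str, raw: bytes) -> str:
        """Return the name of the server this request is forwarded to."""
        _, _, _, cookies = parse_request(raw)
        if self.mode == "cookie":
            wanted = cookies.get(STICKY_COOKIE)
            # The cookie is client-supplied: honour it only if it names a configured, live server.
            srv = self.servers.get(wanted) if wanted else None
            if srv is None or not srv.alive:
                srv = self._least_loaded()       # new user, or the pinned server is down
        else:
            name = self.ip_table.get(src_ip)
            srv = self.servers.get(name) if name else None
            if srv is None or not srv.alive:
                srv = self._least_loaded()
                self.ip_table[src_ip] = srv.name
        srv.active += 1
        return srv.name


def http_get(path: str, cookie: Optional[str] = None) -> bytes:
    """Build a constructed request; the application would have set SRV on an earlier response."""
    head = f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n"
    if cookie:
        head += f"Cookie: {cookie}\r\n"
    return (head + "\r\n").encode()


def pool() -> List[Server]:
    return [Server("web1"), Server("web2"), Server("web3")]


def run_demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # Cookie mode: the proxy's egress address changes between requests, the cookie does not.
    sw = WebSwitch(pool(), mode="cookie")
    first = sw.route("10.0.0.1", http_get("/research/report1", "SRV=web2; lang=en"))
    second = sw.route("10.0.0.2", http_get("/research/report2", "lang=en; SRV=web2"))
    out["cookie_mode"] = (first, second)
    # IP mode with the same address change: the user is load balanced away mid-session.
    sw_ip = WebSwitch(pool(), mode="ip")
    a1 = sw_ip.route("10.0.0.1", http_get("/research/report1"))
    sw_ip.servers[a1].active += 5                  # that server gets busier in the meantime
    a2 = sw_ip.route("10.0.0.2", http_get("/research/report2"))
    out["ip_mode"] = (a1, a2)
    # Cookie mode with the pinned server down: fall back to the best live server instead of failing.
    sw.servers["web2"].alive = False
    out["failover"] = sw.route("10.0.0.3", http_get("/research/report3", "SRV=web2"))
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note the check in `route`: the cookie value is chosen by the client, so it is honoured only when it names a server in the configured pool; an unknown or dead target falls through to ordinary load balancing rather than being trusted or rejected.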


Cookie-based stickiness is the only way to ensure sticky connections for authenticated applications when thousands of users are coming into a site via a mega-proxy server, or whenever multiple incoming clients share a common source IP address. It also avoids the server overloads (and resulting crashes) that occur when every client behind a proxy is pinned to the same server by its shared source address.

Web Site Scenario 2

In some transactions, a critical issue in Web site security is the protection of highly sensitive information, such as credit-card numbers and other personal information. For example, it is mandatory for banks and brokerages that allow customers to access highly personal information to employ encrypted, end-to-end transactions. This scenario represents the next level of Web site security.

This security scenario requires switch products that maintain sticky connections for SSL transactions using the SSL session ID. Because cookies are located in the HTTP header, which is encrypted in SSL transactions, the Web switch cannot maintain sticky connections without this product feature.

The initial SSL message from browser to server contains either an empty session ID field (if a new SSL session is to be established) or the ID of the last SSL session used by that client. This is not the session ID that will be used for the impending E-commerce session. The switch forwards this initial client message to the best server at that point in time; in response, the server picks a new session ID and sends its own response back to the client with that session ID. The switch detects this new SSL session ID in the server message and records which server issued it. All subsequent requests with that SSL session ID will then be routed to the same server.

There is also an SSL timeout issue to resolve. To conserve resources, a Web server is configured to end an SSL session after a defined period of inactivity. After several minutes with no activity, the server times out the session and releases the session ID. When the user sends a new request, the server treats it as a new user and begins a new SSL session.

In situations where the user is filling out a long form — a mortgage application or credit profile, for example — all the information already filled in will be lost if a timeout occurs, and the user will have to start over.

The Web switch resolves this issue by detecting the client’s SSL session ID when it attempts to reconnect, and uses it to route the user to the last-connected server. This server will create a new SSL session ID, which the switch learns and then uses to keep the user connected to the same server.
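The session-ID handling described for Scenario 2, as an added example (not the article's or any vendor's code): Python that builds and parses minimal TLS 1.0 handshake records to pull the session ID out of a ClientHello and a ServerHello, plus a switch model that routes a ClientHello carrying a known ID to the server that issued it, learns the ID the server actually chooses, and so keeps a client on the same server even when it reconnects after that server's session cache has timed out. The server names and the records themselves are constructed for the example.

```python
"""SSL session-ID stickiness on a Web switch (added example)."""
import os
import struct
from typing import Dict, List, Tuple

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS10 = b"\x03\x01"


def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Construct a minimal TLS 1.0 record carrying a ClientHello or ServerHello.
    Only the fields up to the session ID are laid out faithfully; the tail is a stub."""
    body = TLS10 + os.urandom(32) + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"      # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"                  # chosen suite, null compression
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def parse_hello(record: bytes) -> Tuple[int, bytes]:
    """Return (handshake type, session ID) from a hello record; raise ValueError on anything else.
    Layout: record hdr 5 | hs type 1 | hs len 3 | version 2 | random 32 | sid len 1 | sid."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 39:
        raise ValueError("truncated handshake")
    msg_type = hs[0]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello")
    sid_len = hs[38]
    if sid_len > 32:
        raise ValueError("bad session ID length")
    sid = hs[39:39 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session ID")
    return msg_type, sid


class SslStickySwitch:
    def __init__(self, servers: List[str]) -> None:
        self.servers = servers
        self.load = {s: 0 for s in servers}
        self.by_session: Dict[bytes, str] = {}   # session ID -> server that issued it
        self.by_conn: Dict[int, str] = {}        # TCP connection -> server it was sent to

    def on_client_hello(self, conn: int, record: bytes) -> str:
        msg_type, sid = parse_hello(record)
        if msg_type != CLIENT_HELLO:
            raise ValueError("expected ClientHello")
        # Empty or unknown ID: new client, pick the best server.  Known ID: back to the server that
        # issued it, even if that server has since timed the session out, so application state survives.
        server = self.by_session.get(sid) if sid else None
        if server is None:
            server = min(self.servers, key=lambda s: self.load[s])
        self.load[server] += 1
        self.by_conn[conn] = server
        return server

    def on_server_hello(self, conn: int, record: bytes) -> None:
        msg_type, sid = parse_hello(record)
        if msg_type != SERVER_HELLO:
            raise ValueError("expected ServerHello")
        if sid:                                   # learn the ID the server actually chose
            self.by_session[sid] = self.by_conn[conn]


def run_demo() -> Dict[str, object]:
    """Constructed exchange: new client, resumption, unrelated client, reconnect after server timeout."""
    sw = SslStickySwitch(["web1", "web2"])
    out: Dict[str, object] = {}
    out["first"] = sw.on_client_hello(1, build_hello(CLIENT_HELLO, b""))        # empty ID: new client
    sid_a = bytes(range(32))
    sw.on_server_hello(1, build_hello(SERVER_HELLO, sid_a))                      # server issues sid_a
    out["second"] = sw.on_client_hello(2, build_hello(CLIENT_HELLO, sid_a))     # resume: same server
    out["third"] = sw.on_client_hello(3, build_hello(CLIENT_HELLO, b""))        # other client: less loaded
    sw.on_server_hello(3, build_hello(SERVER_HELLO, bytes(32)))
    # First client returns after the server's cache expired; it still offers sid_a, lands on the
    # same server, which issues sid_b; the switch learns sid_b and pins later connections with it.
    out["fourth"] = sw.on_client_hello(4, build_hello(CLIENT_HELLO, sid_a))
    sid_b = bytes(reversed(range(32)))
    sw.on_server_hello(4, build_hello(SERVER_HELLO, sid_b))
    out["fifth"] = sw.on_client_hello(5, build_hello(CLIENT_HELLO, sid_b))
    out["sid_b_pinned"] = sw.by_session.get(sid_b)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Only IDs learned from a ServerHello are honoured, so a ClientHello carrying an arbitrary ID cannot steer itself to a chosen server, and in practice the table needs an expiry of its own. The mechanism is specific to SSL 3.0 and TLS 1.0 to 1.2 session IDs; TLS 1.3 resumes with pre-shared keys carried in tickets, and a switch that does not terminate TLS would have to key on something else there.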

Web switching devices that recognize content improve efficiency and user satisfaction by creating sticky connections for encrypted sessions. Because the SSL handshake that establishes a session involves public-key operations (the client verifies the server's certificate and the two sides perform the key exchange), it creates the largest single drain on computing resources.


By intercepting session IDs and transparently returning a reconnecting client to the server that holds its session, a “content-smart” Web switch in this scenario lets the session be resumed with an abbreviated handshake, avoiding the processing-intensive negotiation of a new session after each link failure.

Web Site Scenario 3

The most common security scenario is a hybrid of authenticated (HTTP) and encrypted (SSL) connections. This allows E-commerce sites to deploy the optimum level of security for each stage of the transaction while minimizing processor overhead.

In this combination approach, part of the transaction may be nonsecure and available to the general public, while other parts may be authenticated but not encrypted. Still others may be authenticated and encrypted.

A retail Web site is a good example of a site that may have product information available to the general public, have authenticated services with additional information available for repeat customers, and offer the ability to purchase goods online. The hybrid security scenario, with a combination of security technologies, enables these sites to deliver a scalable security solution efficiently.

General product information can be nonsecure and available to all browsers, but established customers can input their passwords to enter a special area of the site that contains additional product information, such as pricing and availability.

During these phases of the transaction, the Web switch uses the source IP address or address range, or the cookie, to maintain sticky connections. This permits the Web switches to track content requests and to maintain sticky connections while the user fills up the shopping cart and finalizes the purchase.

At checkout time, when the customer elects to purchase the selected merchandise in the shopping cart, a new TCP connection is set up between the browser and the server to create an SSL session that will encrypt this phase of the transaction. At this point, the transaction is encrypted and the Web switch can now use SSL session IDs to maintain sticky connections.

When the browser has the same source IP address for both phases of the transaction, the switch has a sufficient level of detail to maintain consistent sticky connections between both parts of the transaction.

However, when the client is coming to the site from a mega-proxy server, it is likely to use multiple source IP addresses over the life of the transaction. The transition from non-SSL to SSL requires a new TCP connection, which through such a proxy is very likely to appear from a different source IP address, causing a potential buyer to be load balanced away from the original server in the middle of a purchase.

If the client is incorrectly sent to a different Web server in the middle of the shopping experience, the new server may have no record of what is in the shopping cart and the user becomes frustrated — at the point when the sale is about to be completed.

To avoid this situation, switching products used in this scenario have the capability for complex “content rules” that associate the cookie-based policy with the SSL sticky connections that arrive at the server on a different connection. This level of granularity and the required number of content rules are not supported in content-light implementations.

PRIORITY SERVICES FOR PREMIUM CUSTOMERS

In addition to handling all of the important operational and security aspects of E-commerce Web sites, sophisticated switching technology can also provide priority services for premium customers. When the switch receives a request with a cookie, the switch routes the request to the service associated with that cookie. When using cookies for premium services, the main difference is that the cookie is now associated with a “content rule,” which is in turn associated with a group of services.

The servers in the premium group can be configured with a limited number of transactions, or a maximum load limit, ensuring that they will always have sufficient capacity to provide the best possible service.

If the premium servers become oversubscribed, additional overflow services can be configured using a demand-based content-replication capability, available in some switch products. This capability allows thresholds to be set for specific content; if the threshold is reached, the switch will replicate the hot content to overflow servers or caches.

Priority services for premium customers involve the following stages:

• First-time users: the switch does not detect a cookie and routes the request to the registration server.

• The user is authenticated and the application determines the user’s priority, based on potential business or some other criteria.

• The application then writes a cookie defining the priority on a preset scale.

• The next request that comes in with a preselected priority cookie is routed to the group of servers associated with that cookie.
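The four stages above, as an added example (not from the article): a Python model in which the priority cookie (name PRI, assumed) is written by the application, the switch maps its value to a server group through a content rule, each premium server carries a load cap, and a full premium group spills over to an overflow group. Because the cookie is client-controlled, the example also has the application sign the priority level with an HMAC under a key shared with the switch, which is an assumption the article does not discuss; a forged "gold" cookie is then treated as an ordinary customer. The server names and the key are constructed values.

```python
"""Priority routing for premium customers via content rules (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRIORITY_COOKIE = "PRI"                   # assumed cookie name written by the application
SHARED_KEY = b"example-key-rotate-me"     # assumed: key shared by the application and the switch


def sign_priority(level: str) -> str:
    """Application side: cookie value 'level.tag' with an HMAC tag over the level."""
    tag = hmac.new(SHARED_KEY, level.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{level}.{tag}"


def verify_priority(value: str) -> Optional[str]:
    """Switch side: the level if the tag verifies, None for a missing or forged tag."""
    level, _, tag = value.partition(".")
    if not level:
        return None
    expected = sign_priority(level).partition(".")[2]
    return level if hmac.compare_digest(tag, expected) else None


@dataclass
class ServerGroup:
    name: str
    servers: List[str]
    max_load: Optional[int] = None        # per-server cap on concurrent transactions; None = unlimited
    load: Dict[str, int] = field(init=False)

    def __post_init__(self) -> None:
        self.load = {s: 0 for s in self.servers}

    def pick(self) -> Optional[str]:
        """Least-loaded server still under its cap, or None when the whole group is full."""
        free = [s for s in self.servers if self.max_load is None or self.load[s] < self.max_load]
        if not free:
            return None
        chosen = min(free, key=lambda s: self.load[s])
        self.load[chosen] += 1
        return chosen


@dataclass(frozen=True)
class ContentRule:
    level: str                    # priority level carried in the cookie
    group: str                    # group of services associated with that level
    overflow: Optional[str] = None


class PrioritySwitch:
    def __init__(self, groups: List[ServerGroup], rules: List[ContentRule],
                 registration: str, default_group: str) -> None:
        self.groups = {g.name: g for g in groups}
        self.rules = {r.level: r for r in rules}
        self.registration = registration
        self.default_group = default_group

    @staticmethod
    def cookie(header: str, name: str) -> Optional[str]:
        for part in header.split(";"):
            k, _, v = part.strip().partition("=")
            if k == name:
                return v
        return None

    def route(self, cookie_header: str) -> str:
        raw = self.cookie(cookie_header, PRIORITY_COOKIE)
        if raw is None:                                   # first visit: no cookie yet
            return self.registration
        level = verify_priority(raw)                      # forged or unknown: ordinary service
        rule = self.rules.get(level) if level else None
        chain = [rule.group, rule.overflow] if rule else []
        chain.append(self.default_group)
        for gname in chain:
            if gname is None:
                continue
            server = self.groups[gname].pick()
            if server is not None:
                return server
        return "503"                                      # every group is at capacity


def run_demo() -> List[str]:
    """Constructed walk-through: registration, five premium sessions, a forged cookie, a standard user."""
    sw = PrioritySwitch(
        groups=[ServerGroup("gold", ["gold1", "gold2"], max_load=2),
                ServerGroup("overflow", ["ovf1"]),
                ServerGroup("std", ["std1", "std2"])],
        rules=[ContentRule("gold", "gold", overflow="overflow"), ContentRule("std", "std")],
        registration="reg1", default_group="std")
    gold = sign_priority("gold")
    seq = [sw.route("lang=en")]                                  # no PRI cookie: registration server
    seq += [sw.route(f"lang=en; PRI={gold}") for _ in range(5)]  # gold holds 2 x 2, then overflow
    seq.append(sw.route("PRI=gold.0000000000000000"))            # forged tag: standard group
    seq.append(sw.route(f"PRI={sign_priority('std')}"))
    return seq


if __name__ == "__main__":
    print(run_demo())
```

The demand-based replication the text mentions is simplified here to a pre-provisioned overflow group; the cap is enforced per server at the switch, and a real device would decrement the load counters as transactions finish.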

CONCLUSION

Content-switching technology provides maximum control in allocating E-commerce site resources, ensuring security of Web sites based on the level of security required, and building services for optimal return on investment.

Implementing advanced switching technology for E-commerce Web sites enables companies and their hosting partners to provide reliable and secure E-commerce sites. In addition, this switching technology provides a facility for scaling Web site services, offering premium levels of services to selected customers, based on predetermined priority levels.

Duane E. Sharp is president of SharpTech Associates, a Canadian company specializing in the communication of technology. An electronics engineer with more than 25 years of experience in the IT field, he has authored numerous articles on technology and a textbook on interactive computer terminals. He can be reached at: [email protected].
