Customers who do business via the Web have itchy mouse fingers, so speed is of the essence. With this in mind, we focused our testing on performance so as to evaluate the increase in response time and the number of transactions per second handled by a secured Web server. Cryptographic processing is one of the most CPU-intensive tasks your Web server can perform. As more customers demand attention from a secure site, more CPU power is used simply performing the complex calculations inherent in encryption. Having fewer CPU cycles available means fewer time slices for responding to new requests, fewer customers served and, in the end, less profit. Although other options--load-balancing, for example--exist and are equally important for improving your customers' ability to access your site, these options involve additional hardware, the cost of maintaining multiple copies of the same site, and less certain return on investment. An HCM can be of immediate benefit without the additional time and expense.

We tested Compaq Computer Corp.'s AXL200 PCI Accelerator Card, Hewlett-Packard Co.'s Praesidium SpeedCard, nCipher's nForce SCSI 300 and Rainbow Technologies' CryptoSwift EN. We looked at response time and transactions per second handled by our secured Web servers while enabled with each of these cryptographic modules. We also evaluated each product's ability to integrate with Web servers, and examined FIPS-140 levels of certification and the number of platforms supported by these units. Most of these modules also support varying versions of PKCS #11 as well as the Entrust Toolkit, which lets developers create secure applications without the performance cost.

The AXL200 PCI Accelerator Card and Praesidium SpeedCard are PCI hardware options; the nForce SCSI 300 is a SCSI-2-based module. The CryptoSwift EN sports a 10/100 Ethernet connection that acts as a NIC, providing service via the LAN or directly to the server by way of a crossover cable. All support several platforms and Web servers, and each offers a range of security functions, from none to complete key management.

The nCipher nForce SCSI 300 takes our Editor's Choice award for the best combination of performance, features and price. It's a scalable, solid product that's certain to enhance the overall security and speed of any "e" site. It also provides complete physical security as well as additional features that keep the keys to your kingdom hidden safely away.

How We Tested
We set up two different servers, one for our Intel-based products and another for our Hewlett-Packard-based products. Our Intel server was a Compaq ProLiant 5500 with four 433-MHz Pentium III processors and 256 MB of RAM. Our HP server was an HP Visualize J5000 with two 440-MHz PA-8500 processors and 4 GB of RAM. Both servers ran SSL version 3-enabled Netscape Enterprise Server 3.63. Our Ethernet network uses a Cisco Catalyst 2900, and all load generators were connected via 100-Mbps NICs.

To generate the 800 virtual clients needed, we used RadView's WebLoad 3.51 distributed across three Windows NT 4.0 clients. We used the same test template for our baseline tests and for each HCM. Our tests consisted of 15 minutes of high-volume requests, starting with 200 clients and peaking at 800 clients halfway through the test. The test was strictly SSL-based, with RSA key lengths of 1,024 bits.

Across the board, the performance of the Web servers on both platforms showed considerable improvement. Response times decreased, processed TPS (transactions per second) improved, and CPU process time on both machines was reduced when enabled with an HCM.

One element we did not test or take into consideration was the performance difference between the machines. We took a baseline test for the ProLiant 5500, then separately installed and tested the nForce SCSI 300 and the AXL200 PCI Accelerator Card on that platform. We performed the same baseline test on the Visualize J5000 and later tested the CryptoSwift EN and Praesidium SpeedCard on that platform. Our performance statistics and percentage increases were calculated according to the performance recorded with the unit as compared with the baseline for that platform. We did not directly compare the numbers of TPS handled by an HCM on the Visualize J5000 versus an HCM on the ProLiant 5500, but instead compared the percentage increases affected by each in order to fairly evaluate the performance of the HCM and not the server.