3Com Weighs in with Server NIC that Offloads Encryption

IT managers who fear internal security threats as much as external ones, will soon have a new option for securing their network traffic.

Early next month, 3Com Corp. (www.3com.com) begins shipping a new server-focused network interface card (NIC) aimed at the security conscious and designed with Windows 2000 Server in mind.

The NIC is called 3Com Etherlink Server 10/100 PCI NIC with 3XP Processor, or the 3CR990 line. It is 3Com’s first server-focused NIC to feature a RISC chip and an encryption chip designed to work in tandem to reduce server CPU use by offloading encryption-related processing as well as other networking tasks to the NIC.

"You can certainly do IPSec on the server processor, but you’ll bring a server to its knees," says David Borison, product line manager for server and advanced NICs at 3Com. "Now communications and data to and from servers can be secure and protected without sacrificing system or network performance."

Networking functions that can be offloaded onto the 3Com adapter are IPSec encryption algorithms, including DES, TripleDES, MD5, and SHA-1; TCP segmentation; and TCP/IP checksum operations. Windows 2000 was designed to incorporate standards-based IPSec.

The card follows a client NIC -- the 3Com EtherLink 10/100 PCI NIC released in October that also offloads encryption. Both support encryption offloads for Windows 95 and 98, as well. The concept of offloading network processing from the server CPU is not new. 3Com has offered offloading of some networking functionality on its cards since 1998.

3Com’s NIC is not the first to offload encryption. 3Com followed its rival Intel Corp. (www.intel.com) to market by about three months, Borison says 3Com’s NIC offers several advantages.

For one, the server NIC’s on-board processor has enough horsepower to handle 1,024 security associations. As each secure connection requires two security associations, limit allows up to 512 LAN users or virtual private network sessions. The headroom represents a differentiator between 3Com’s server and client 3CR990s. The client only has enough on-board memory to handle 15 security associations. Borison says Intel’s client and server NICs are capable of offloading only eight security associations apiece.

The card also comes with a suite of software called DynamicAccess Advanced Server features. It includes bidirectional load-balancing, which spreads incoming and outgoing traffic across up to eight NICs, including adapters from other vendors. Other server features of DynamicAccess are fail-over to backup NICs, self-healing drivers, hot plug PCI, traffic prioritization, and multiple VLAN support.

3Com claims a performance improvement of up to 70 percent over base Windows 2000 Server encryption handled on the server’s CPU.

Patrick Paczkowski,, an analyst at Current Analysis Inc. (www.currentanalysis.com), views 3Com’s NIC and finds the argument for offloading encryption compelling. "You don’t bog down the line working out all the encryption algorithms," he says. Paczkowski also was impressed by 3Com’s use of a RISC chip, which will allow them to add firmware upgrades as market requirements change.

3Com prices the EtherLink Server at $139, which is the price Intel used to introduce its Intel PRO/100 S Server Adapter.