SSL (Secure Sockets Layer) or more correctly TLS (Transport Layer Security) is an important component in the secure delivery of web applications. It provides for authentication (website to client and optionally client to website) and protects the traffic between clients and sites using encryption.
However, this protection comes at a cost as the computational overhead involved in setting up each client session is significant. Using a load balancer to offload the SSL processing removes this overhead from the webservers and frees up resources for web application related tasks.
Load balancers are ideally suited to SSL offload, since terminating TLS there not only frees up webserver resources but also lets the load balancer see the decrypted traffic and apply security and traffic management policies to it. Many hardware load balancers include dedicated cryptographic processors that are optimized to deliver high SSL transaction rates and to protect the private keys used to secure communications, so that the keys are used on the device but never leave it.
All KEMP LoadMaster products include the ability to offload SSL processing from servers and to provide additional protection with authentication and web application firewalls. In addition to having software optimized for SSL offload, some LoadMaster hardware models include cryptographic processors to accelerate SSL processing.
What is SSL Acceleration?
SSL makes use of the RSA algorithm for authentication and, in its classic configuration, for the key exchange between clients and websites. RSA is a mathematical trapdoor that uses two keys: a private key that is stored securely on the webserver (or the load balancer) and a public key that is available to all clients. The public key is wrapped in a digital certificate, signed by a certificate authority, so that the client can verify that the public key really belongs to the site it is connecting to; the private key itself is never sent.
The fundamental property of RSA is that what one key of the pair transforms, only the other key can reverse. This lets a webserver prove its identity (it signs handshake data with the private key and the client checks the signature with the public key from the certificate) and lets the client send a secret to the server that only the server can read (encrypt with the public key, server decrypts with the private key). This two-key approach is known as asymmetric encryption, or public-key cryptography.
Because of the computational overhead, using RSA for all client-server communication is impractical. Instead it is used only during the initial session setup, to establish a one-time session key for a much more efficient symmetric algorithm such as AES, which then protects the bulk of the traffic. (Newer TLS versions derive the session key with an ephemeral Diffie-Hellman exchange and use RSA or ECDSA only for the server's signature, but the handshake still carries the expensive asymmetric operations.) It is this initial handshake between the client and server that requires acceleration and offload, and its cost is paid again for every new session.
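To make the split between the asymmetric handshake and the symmetric bulk transfer concrete, here is an added Go example written for this page (it is not from the original text and not KEMP code). It models the flow described above: the server signs the handshake transcript with its RSA private key, the client encrypts a random AES session key to the public key (the RSA key transport of TLS 1.2 and earlier; TLS 1.3 derives the session key with ephemeral Diffie-Hellman and uses RSA only for the signature), and the request is then carried under AES-GCM. The transcript string and the 1 KiB record size are constructed stand-ins, and CostRatio is a rough timing, not a benchmark.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// The site's long-term RSA key pair; with SSL offload it lives on the load balancer.
func GenerateServerKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Authentication: what the text calls "encrypt with the private key" is, in a real
// handshake, a signature over the transcript, checked with the certificate's public key.
func SignTranscript(priv *rsa.PrivateKey, transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	return must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil))
}

func VerifyTranscript(pub *rsa.PublicKey, transcript, sig []byte) bool {
	h := sha256.Sum256(transcript)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Key exchange as RSA key transport: the client encrypts a fresh session key to the
// public key; only the holder of the private key can recover it.
func WrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil))
}

func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Bulk traffic: every record after the handshake is AES-256-GCM under the session key.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func Seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func Open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Handshake runs one session setup end to end (client on the left of each step,
// server on the right) and returns the request the server recovered.
func Handshake(priv *rsa.PrivateKey, request []byte) ([]byte, error) {
	transcript := []byte("ClientHello|ServerHello|Certificate") // constructed stand-in
	if !VerifyTranscript(&priv.PublicKey, transcript, SignTranscript(priv, transcript)) {
		return nil, errors.New("server authentication failed")
	}
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	serverKey, err := UnwrapSessionKey(priv, WrapSessionKey(&priv.PublicKey, sessionKey))
	if err != nil {
		return nil, err
	}
	return Open(serverKey, Seal(sessionKey, request)) // client seals, server opens
}

// CostRatio times the RSA private-key operation of one handshake against one
// AES-GCM seal of a 1 KiB record: the per-session cost that offload absorbs.
func CostRatio(priv *rsa.PrivateKey) float64 {
	payload, key := make([]byte, 1024), make([]byte, 32)
	cost := func(op func()) time.Duration {
		start := time.Now()
		for i := 0; i < 20; i++ {
			op()
		}
		return time.Since(start)
	}
	return float64(cost(func() { SignTranscript(priv, payload) })) / float64(cost(func() { Seal(key, payload) }))
}

func main() {
	priv := GenerateServerKey()
	got, err := Handshake(priv, []byte("GET /index.html HTTP/1.1"))
	fmt.Printf("server recovered %q (err=%v)\n", got, err)
	fmt.Printf("one RSA private-key op costs about %.0f AES-GCM seals of 1 KiB\n", CostRatio(priv))
}
```

On typical server hardware the ratio comes out in the hundreds or more: one private-key operation per new connection against microseconds per record afterwards. That per-connection cost is what moves from every webserver onto the load balancer, and onto its cryptographic processor where one is fitted.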
Benefits of SSL Acceleration and Offload
With SSL sessions terminated on the load balancer, the traffic is decrypted there and can be subjected to additional processing to enhance security or to optimize delivery of webserver content. The security and performance of applications is significantly enhanced with features such as:
- Web application Firewall (WAF) – inspect client requests for dangerous content that could compromise the security of webservers
- Authentication – validate the identity of clients before any access is allowed to web resources
- Content Rewrite – rewrite webserver content to obfuscate URLs and to fix issues related to publishing applications with hardcoded elements
- Content Inspection – prevent the transfer of specific types of content based on patterns such as file extension
- Content Based Routing – direct traffic based on content type, such as sending all image requests to a server optimized for serving images
- Caching – web content can be cached on the load balancer removing the need to re-request frequently accessed content from the webserver
- Re-encryption – the load balancer can re-encrypt the traffic going to the servers, so that the leg between the load balancer and the webservers does not cross the internal network in plaintext
Another significant benefit of offloading SSL processing to a load balancer is that it provides a single, centralized point of control and management. Certificates and private keys need to be managed in one place rather than on multiple servers, which also turns certificate renewal and cipher configuration changes into a single operation. Policies can be applied and managed in one place. This greatly simplifies the administration overhead and allows the security role to be separated from the application owner role. The flip side is that the load balancer now holds the private keys for every site it fronts, so its own hardening, key storage (ideally in a cryptographic processor) and administrative access deserve the same care as the keys themselves.
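As an added example (Go, written for this page; not KEMP code and not the LoadMaster implementation), here is the termination-and-inspect pipeline behind that feature list together with the single point of key management just described: one in-memory self-signed certificate and key play the load balancer's certificate, a plaintext HTTP server plays the webserver, and the load balancer terminates TLS, runs a small constructed WAF check on the decrypted path and query, tags the request with X-Forwarded-Proto so the server knows the client used HTTPS, and proxies it in the clear. The four WAF signatures, the loopback addresses and the use of net/http/httptest to run both ends in one process are assumptions for the demo; the comment on NewOffloadHandler marks where the re-encryption option from the list plugs in.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// In-memory self-signed certificate standing in for the CA-issued one on the LB.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the LB listens on loopback
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool() // what a client needs in order to trust the LB
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// WAFBlocked is a tiny constructed filter; it only works because TLS ended here.
func WAFBlocked(r *http.Request) bool {
	decoded, err := url.PathUnescape(r.URL.Path + "?" + r.URL.RawQuery)
	if err != nil {
		return true // malformed percent-encoding: fail closed
	}
	for _, sig := range []string{"../", "<script", "union select", "' or "} {
		if strings.Contains(strings.ToLower(decoded), sig) {
			return true
		}
	}
	return false
}

// NewOffloadHandler is the LB's request path: inspect, annotate, proxy in plaintext.
// To re-encrypt instead, give backend an https:// URL and set proxy.Transport to an
// *http.Transport whose TLSClientConfig trusts the CA that issued the server's certificate.
func NewOffloadHandler(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if WAFBlocked(r) {
			http.Error(w, "blocked by WAF policy", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Forwarded-Proto", "https") // the server only ever sees HTTP
		proxy.ServeHTTP(w, r)
	})
}

// Start brings up the plaintext webserver and, in front of it, the TLS-terminating LB.
func Start() (lbAddr string, trust *x509.CertPool, stop func()) {
	be := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "path=%s proto=%s tls=%v", r.URL.Path, r.Header.Get("X-Forwarded-Proto"), r.TLS != nil)
	}))
	cert, pool := selfSignedCert()
	lb := httptest.NewUnstartedServer(NewOffloadHandler(must(url.Parse(be.URL))))
	lb.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	lb.StartTLS() // uses the certificate in lb.TLS, not httptest's built-in one
	return lb.Listener.Addr().String(), pool, func() { lb.Close(); be.Close() }
}

// Fetch is the client: HTTPS to the LB, trusting only the given pool.
func Fetch(addr string, trust *x509.CertPool, pathAndQuery string) (int, string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: trust}}}
	resp, err := client.Get("https://" + addr + pathAndQuery)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	addr, trust, stop := Start()
	defer stop()
	fmt.Println(Fetch(addr, trust, "/index.html"))
	fmt.Println(Fetch(addr, trust, "/download?file=../../etc/passwd"))
}
```

A request for /index.html comes back 200 with the server reporting proto=https tls=false: it never saw TLS, only the header the load balancer added. The traversal attempt in the second request is refused with 403 before it reaches the server, and a client that does not have the load balancer's certificate in its trust store fails the handshake, which is exactly what you want from a certificate that now lives in one place.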
About KEMP Technologies
KEMP Technologies is a leader in cost-effective application delivery controllers and server load balancer appliances tailored to meet the needs of small-to-medium sized businesses (SMB) that rely on the Internet for e-commerce and business-critical applications. KEMP helps SMBs rapidly grow their business with 24/7 high-availability, better web infrastructure performance, scalability and secure operations - while streamlining IT costs.
Thousands of KEMP LoadMaster products are in use today to improve customer satisfaction by accelerating user access to business-critical web applications. Managed service providers also rely upon KEMP products to enable fast time-to-market and cost-effective operations for new and existing managed services.
KEMP’s highly affordable LoadMaster products include Layer 4-7 load balancing, content switching and server persistence, SSL offload/acceleration, WTS (Windows Terminal Services) load balancing and persistence with Session Directory integration, and application front-end capabilities (caching, compression, intrusion prevention system), delivering industry-leading price/performance value.