Web Traffic Encryption with TLS/SSL and Progress Kemp LoadMaster

Posted on

Protecting your organization from the ever-changing threat landscape requires a defense strategy that deploys multiple technologies and human factors at multiple levels. One of the most important is data encryption when transferred across the network.  

Data encryption in transit uses TLS protocol (Transport Layer Security). TLS has evolved from and replaced SSL protocol (Secure Sockets Layer). Everyone should be using TLS 1.3 today, where possible. Still, some services use TLS 1.2. Exchange Server still uses TLS 1.2. Microsoft will add support for TLS 1.3 to Exchange Server in 2023.  

You will still see SSL used when discussing encryption on networks, and this is the result of years of use for that term. But where you see SSL used when talking about encryption on modern systems, substitute TLS.  

Supporting TLS with LoadMaster Load Balancers

Encryption and decryption of TLS traffic can place a significant overhead on communications between clients and servers. Application servers must expend resources decrypting incoming network packets and then encrypting outgoing responses. This takes processing power away from the servers for application delivery tasks.  

Progress Kemp LoadMaster load balancers can offload this encryption function from backend servers and perform the TLS activities on the traffic before it reaches the application servers.  

Some hardware LoadMaster models contain custom chips designed and optimized for rapid TLS encryption and decryption. For high-traffic sites that need strong security and fast response times, this TLS offloading is essential. LoadMaster’s virtual and Cloud instances do TLS encryption via optimized software routines. 

The Keys to Understanding TLS Protocol 

The TLS protocol outlines various algorithms within a cipher suite that get implemented in TLS supporting services. There are used for authentication, encryption, and key exchange when handling network traffic. When nodes on the network establish connections to transfer data, they negotiate which TLS cipher to use based on the strongest they both support.  

Here are the main requirements for TLS:  

TLS RequirementImplementation
Securely establishing a secret key between two communicating parties RSA and DIffe-Hellman (DH) algorithms are the most common method of securely establishing the once-off secret for the TLS session. TLS supports the use of a pre-shared key where no key establishment is required.  
Authenticating and trusting the other party Digital certificates are used to establish trust. Certificates can be provided by clients and servers, although in most implementations, only the server provides a certificate as the client will be anonymous or authenticate using an alternative method, like a password.  
Protecting the confidentiality of data in transit Encryption algorithms such as AES make sure that data is not visible to third parties. These algorithms are generally known as ‘Symmetric’ ciphers as the same key is used by both parties for encryption and decryption. This is the key that is established securely between the parties using RSA, DH, or pre-shared protocols.  

 LoadMaster fully supports TLS protocol and the ciphers needed to implement it. Read more technical detail on TLS protocol and implementations via our page titled The Security Building Blocks of TLS/SSL

LoadMaster allows the configuration of cipher suites from the administration interface and has settings to prevent the use of weak ciphers. The centralized administration of cipher suites on LoadMaster dramatically simplifies the administration of TLS implementation and enforcement across multiple servers and provides a single point of management for TLS policies. 

How LoadMaster Makes Using TLS Easier

LoadMaster makes it easy to deploy robust TLS/SSL encryption on your networks. The benefits that using LoadMaster brings to managing TLS include the following:  

  • Enforcement of TLS Cipher Suites in one place — Cipher suites contain the security configuration information that different parts of the security and encryption stack use to enable and secure HTTPS connections using TLS. Different web applications and services will typically require different combinations of cipher suites, and this can become complex and difficult to manage when spread over multiple servers. LoadMaster collects all in a single place while hosting the TLS service.  
  • Simplified certificate and key management — Digital certificates and associated keys are fundamental to TLS encryption. LoadMaster enables centralized management of these assets without the need to move them around to other application or web servers. Additionally, support for Let’s Encrypt is built-in, enabling the automatic renewal of certificates issued by Let’s Encrypt within the 90 days they are valid — this eliminates an all-too-common source of unplanned service outages. Certificates from other certificate authorities can also be viewed and managed.  

The Web User Interface, WUI, makes it easy to configure TLS/SSL for your virtual services that are serving application servers. Download the WUI Configuration Guide here.   

Next Steps

Protecting your organization from the ever-changing threat landscape requires a defense strategy that deploys multi-technology and layered defense mechanisms. Click here to connect with one of our technical experts and get personalized assistance on how to use LoadMaster to make TLS easier.  

LoadMaster is the premier choice for organizations requiring load balancing. With more than 100,000 deployments, LoadMaster offers the most capable solutions for load balancing, to ensure applications are always on.   

Posted on

Maurice McMullin

Maurice McMullin was a Principal Product Marketing Manager at Progress Kemp.