SSL (Secure Sockets Layer) or more correctly TLS (Transport Layer Security) is an important component in the secure delivery of web applications. It provides for authentication (website to client and optionally client to website) and protects the traffic between clients and sites using encryption.
This protection comes at a cost: the computational overhead of setting up each client session is significant. Using a load balancer to offload the SSL processing removes this overhead from the webservers and frees up resources for web application related tasks.
Load balancers are ideally suited to SSL offload, which not only frees up webserver resources but also allows the load balancer to inspect the traffic and apply security and traffic management policies. Many hardware load balancers include dedicated cryptographic processors that are optimized to deliver high SSL transaction rates and to protect the private keys used to secure communications.
All Kemp LoadMaster products include the ability to offload SSL processing from servers and to provide additional protection with authentication and web application firewalls. In addition to having software optimized for SSL offload, some LoadMaster hardware models include cryptographic processors to accelerate SSL processing.
SSL makes use of the RSA algorithm for authentication and secure key exchange between clients and websites. This algorithm is a mathematical trapdoor that uses two keys – a private key that is stored securely on the webserver or load balancer, and a public key that is available to all clients. The public key is wrapped in a digital certificate so that the client can verify that the key genuinely belongs to the site it is talking to, and hence that the party holding the matching private key is who it claims to be.
Anything encrypted by the private key can be decrypted by the public key and vice-versa. This allows a webserver to prove its identity (encrypt with private key, client validates by decrypting with public key) and for the client to securely communicate with the server (encrypt with the public key, server decrypts with private key). This two-key approach is known as asymmetric encryption.
Because of the computational overhead, using the RSA algorithm for all client-server communications is impractical. Instead, the RSA algorithm is used only during the initial session setup, when a one-time key (or session key) for a more efficient symmetric algorithm, such as AES, is exchanged. It is this initial handshake between the client and server that requires acceleration and offload.
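The handshake model described above, as an added example (not Kemp's code): the client wraps a one-time session key with the site's RSA public key, the private-key holder unwraps it, and from then on all application data uses the cheap symmetric cipher. It uses only Go's standard library; the function names and the 256-bit AES session key are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ClientKeyExchange: the client picks a one-time AES session key and wraps it with the site's public key.
func ClientKeyExchange(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key, used for this session only (assumed size)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey is the costly private-key step, once per session; this is what offload accelerates.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// SessionCipher: the shared session key drives AES-GCM for all later application data.
func SessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts and authenticates one record; the random nonce is prefixed.
func SealRecord(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord decrypts a record, rejecting truncated ones and any whose authentication tag fails.
func OpenRecord(g cipher.AEAD, record []byte) ([]byte, error) {
	if n := g.NonceSize(); len(record) >= n {
		return g.Open(nil, record[:n], record[n:], nil)
	}
	return nil, errors.New("record too short")
}
```

The 2048-bit RSA operations in the two key-exchange functions are the per-session cost that a load balancer's crypto processor absorbs; SealRecord and OpenRecord are what every subsequent record pays.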
Another significant benefit of offloading SSL processing to a load balancer is that it provides a single, centralized point of control and management. Certificates and private keys only need to be managed in one place rather than on multiple servers. Policies can be applied and managed in one place. This greatly simplifies the administration overhead and also allows separation of the security role from the application owner role.