Securing delivery of web applications
SSL (Secure Sockets Layer), or more correctly its successor TLS (Transport Layer Security), is an important component in the secure delivery of web applications. It provides authentication (of the website to the client and, optionally, of the client to the website) and protects the traffic between clients and sites with encryption and integrity checking.
This protection comes at a cost: the computational overhead of setting up each client session (the handshake) is significant. Using a load balancer to offload the SSL processing removes this overhead from the webservers and frees their resources for web application tasks.
Load balancers are ideally suited to SSL offload which not only frees up webserver resources but also allows the load balancer to inspect the traffic and apply security and traffic management policies. Many hardware load balancers include dedicated cryptographic processors that are optimized to deliver high SSL transaction rates and secure the private keys used to secure communications.
All Kemp LoadMaster products include the ability to offload SSL processing from servers and to provide additional protection with authentication and web application firewalls. In addition to having software optimized for SSL offload, some LoadMaster hardware models include cryptographic processors to accelerate SSL processing.
What is SSL Acceleration?
SSL traditionally uses the RSA algorithm for authentication and for the secure exchange of keys between clients and websites (current TLS versions use RSA or ECDSA only to authenticate the server and agree the keys with an ephemeral Diffie-Hellman exchange, and TLS 1.3 removed RSA key exchange entirely, but the cost model is the same). RSA is a mathematical trapdoor function with two keys: a private key that is stored securely on the webserver or load balancer, and a public key that is available to all clients. The public key is wrapped in a digital certificate, signed by a certificate authority, so that the client can verify that the public key, and therefore the matching private key, really belongs to the site it is connecting to.
What the private key signs can be verified with the public key, and what is encrypted to the public key can be decrypted only with the private key. This allows a webserver to prove its identity (only the holder of the private key can produce a valid signature, or recover a secret that was encrypted to the public key) and allows the client to communicate secrets to the server (encrypt with the public key, server decrypts with the private key). This two-key approach is known as asymmetric, or public-key, cryptography.
Because of the computational overhead, using RSA for all client-server traffic is impractical. Instead it is used only during the initial handshake, when a one-time session key for a far more efficient symmetric algorithm, such as AES, is exchanged; all subsequent application data is protected with that symmetric key. It is this initial handshake between the client and server that requires acceleration and offload, and its cost scales with the rate of new connections rather than with the volume of data transferred.
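The handshake described above, as an added example that is not part of the original article or of any Kemp product code: a Go program that runs the classic RSA key exchange (TLS 1.2 style; TLS 1.3 uses ephemeral Diffie-Hellman for the keys and RSA only for signatures) between a client and a TLS terminator, then uses the resulting session key for AES-256-GCM bulk encryption, and shows that a party without the real private key cannot recover the session key. All names (ServerKey, ClientKeyExchange, ServerKeyExchange, Handshake, ImpostorCannotRecoverKey) and the constructed request payload are this example's own; it uses only Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ServerKey is the RSA key pair of the TLS terminator (webserver or load balancer);
// the private half never leaves that device, the certificate carries only the public half.
type ServerKey struct{ priv *rsa.PrivateKey }

func NewServerKey(bits int) (*ServerKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &ServerKey{priv: priv}, nil
}

// Public is what the client learns from the certificate.
func (s *ServerKey) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientKeyExchange: the client picks a fresh 256-bit session key and encrypts it under
// the server's public key (RSA-OAEP, empty label), so only the private-key holder can recover it.
func ClientKeyExchange(pub *rsa.PublicKey) (sessionKey, encrypted []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, encrypted, err
}

// ServerKeyExchange: the private-key operation that recovers the session key. This
// modular exponentiation is the per-session cost that offload moves off the webserver.
func (s *ServerKey) ServerKeyExchange(encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encrypted, nil)
}

// recordCipher builds the AES-256-GCM cipher used for bulk data once both sides share the key.
func recordCipher(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake runs one client/server exchange and reports whether the session key survived
// the RSA round trip and whether a record sealed by the client opens on the server.
func Handshake(server *ServerKey, payload []byte) (bool, error) {
	clientKey, enc, err := ClientKeyExchange(server.Public())
	if err != nil {
		return false, err
	}
	serverKey, err := server.ServerKeyExchange(enc)
	if err != nil {
		return false, err
	}
	clientAEAD, err := recordCipher(clientKey)
	if err != nil {
		return false, err
	}
	serverAEAD, err := recordCipher(serverKey)
	if err != nil {
		return false, err
	}
	// Bulk data: the nonce is prepended to the record; the GCM tag catches any tampering.
	nonce := make([]byte, clientAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	record := clientAEAD.Seal(nonce, nonce, payload, nil)
	got, err := serverAEAD.Open(nil, record[:len(nonce)], record[len(nonce):], nil)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, serverKey) && bytes.Equal(got, payload), nil
}

// ImpostorCannotRecoverKey shows why the private key must stay protected: a party holding
// a different key pair cannot decrypt the client's session key at all (OAEP decryption fails).
func ImpostorCannotRecoverKey(genuine, impostor *ServerKey) bool {
	_, enc, err := ClientKeyExchange(genuine.Public())
	if err != nil {
		return false
	}
	_, err = impostor.ServerKeyExchange(enc)
	return err != nil
}

func main() {
	server, _ := NewServerKey(2048)
	impostor, _ := NewServerKey(2048)
	// Constructed sample payload standing in for the first application record.
	ok, err := Handshake(server, []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
	fmt.Println("handshake ok:", ok, "err:", err)
	fmt.Println("impostor locked out:", ImpostorCannotRecoverKey(server, impostor))
}
```

ServerKeyExchange is the one private-key operation per new session that offload, or a dedicated cryptographic processor, removes from the webserver; timing it in a loop against the AEAD's Seal on a 16 KiB record shows the asymmetric step costing far more than protecting a full record of application data, which is why the handshake rate, not the data volume, is what limits a terminator. ImpostorCannotRecoverKey is the reason the private key has to be stored securely: whoever holds it, and only them, can read every session set up with that certificate.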
Benefits of SSL Acceleration and Offload
- Web application firewall (WAF) – inspect client requests for dangerous content that could compromise the security of webservers
- Authentication – validate the identity of clients before any access is allowed to web resources
- Content rewrite – rewrite webserver content to obfuscate URLs and to fix issues related to publishing applications with hardcoded elements
- Content inspection – prevent the transfer of specific types of content based on patterns such as file extension
- Content based routing – route traffic based on content type, such as sending all image requests to a server optimized for serving images
- Caching – web content can be cached on the load balancer, removing the need to re-request frequently accessed content from the webserver
- Re-encryption – the load balancer can re-encrypt the traffic going to the servers, so that it is inspected at the load balancer but never travels in cleartext on the internal network
Another significant benefit of offloading SSL processing to a load balancer is that it provides a single, centralized point of control and management. Certificates and private keys only need to be managed in one place rather than on multiple servers. Policies can be applied and managed in one place. This greatly simplifies the administration overhead and also allows separation of the security role from the application owner role.