Advances In SSL: 5 Strategies For Secure, High-Performance Load BalancersToday, even Netflix is streaming hit movies and TV shows via encrypted connections! Here's how to manage higher volumes of encrypted traffic without bogging down your network.
The volume of online transactions continues to grow exponentially, together with the number of web enabled endpoints like mobile and IoT devices. At the same time, privacy and cybersecurity concerns have resulted in more and more encrypted traffic online.
The lock icon or green navigation bar that you used to see only when exchanging sensitive personal or credit card information has now become commonplace for all online activities. Even Netflix is streaming movies via encrypted connections. And when it comes to mobile activities, 65% of all traffic in North America is encrypted, according to the Sandvine Global Internet Phenomena Report.
Network administrators and planners have long known that better security comes at the cost of network performance and throughput from the infrastructure that they manage. Sitting in an important location right in the data path in the data center, load balancers perform a critical function in the world of secure online traffic. They take on the important task of decrypting data, called “SSL termination,” and manage this computational effort before delivering unencrypted traffic to backend servers. This reduces the computation cycles that busy Web and application servers spend on decrypting traffic to process application data.
So how can network and security architects deal with higher volumes of encrypted traffic without affecting the performance of business-critical applications? Let’s review five key strategies for SSL handling with load balancers.
1. Webscale performance and new encryption algorithms
While RSA-based public-key cryptography with 2048-bit keys continues to be used widely, many enterprises now support Elliptic Curve Cryptography (ECC), which requires smaller key sizes to provide equivalent security. For example, a 256-bit ECC-based public key provides the comparable security of a 3072-bit RSA public key. Smaller key sizes are less computationally intensive, and result in better performance of servers handling SSL connections, and improve the overall number of SSL transactions per second (TPS).
Advances in the performance of standard Intel x86 servers have enabled large cloud service providers and Web giants such as Google and Amazon to deliver reliable, high-performance application services. These webscale strategies rely on low cost x86 servers, distributed architectures, software and API-driven automation, and rich visibility and analytics. Similarly, software load balancers implemented on standard Intel x86 servers are now becoming a mainstream approach in enterprises, thanks to their price/performance ratio. Software load-balancers implemented on standard Intel x86 servers can now terminate more than 2,500 SSL transactions per second (TPS) at the lower end, to nearly 75,000 SSL TPS on a 36-core Intel x86 server. Compared to hardware-based load balancing, that means software-defined solutions can sometimes incur just a tenth of the cost for similar scale.
2. Implement perfect forward secrecy (PFS)
If the Heartbleed bug from a couple of years ago and recent cyber espionage incidents have taught us anything, it is that we need forward secrecy more than ever. During the SSL handshake, the client and server create and exchange the symmetric session key to encrypt the bulk data exchanged during subsequent sessions. However, if the server’s private key is somehow compromised, hackers can gain access to the session keys that were used to encrypt data and can compromise data exchanged even during past sessions.
Perfect forward secrecy (PFS) is a cryptography technique to ensure that data exchanged in past sessions cannot be compromised, even if a bad actor somehow gains access to a server’s private key since PFS uses ephemeral session keys. With PFS, new session keys are generated for each session and any compromise can only lead to data exchanged in one session. The case for PFS is obvious, but many sites haven’t yet implemented it due to performance concerns or simply due to lack of information about its benefits.
PFS is best implemented with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). ECC offers much better performance compared to the RSA-based keys for PFS. Continued advances in Intel architecture servers with faster processors and memory management enable software load-balancers to deliver better performance for such CPU-bound encryption tasks.
3. Central management and hybrid cloud deployments
New software-defined approaches to L4-L7 network services are enabling the delivery of application services including load balancing, application security, and analytics with centralized control. Individual load balancers in such an architecture are connected to a central orchestration engine that controls the lifecycle of software load balancers while giving administrators visibility and control across the entire deployment. Central management also enables administrators to simplify certificate management and enforce specific TLS profiles which use ciphers approved by the security team. Central management enables the delivery of consistent security services for SSL termination, DDoS protection, and L4-L7 ACLs across multiple private or public cloud environments.
4. Per-app load balancing and horizontal scaling
One strategy to mitigate the need to constantly invest in bigger and better-performing load balancers every few years is to think about per-app load balancing. Instead of deploying a single load balancer to service several applications, many enterprises are considering small software load balancers that are sized correctly in front of individual applications or tenants. When implemented with centrally managed, low-footprint software load balancers, this strategy distributes the SSL termination burden across multiple load balancers and enables enterprises to save costs. In addition, with centralized control, enterprises can automate the scaling out of load balancing services by dynamically invoking additional software load balancers where needed to boost application availability and performance.
5. Real-time security and analytics
Since load balancers sit in the data path, session data collected from the distributed load balancers can be used to alert administrators in real-time to potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks, and to ensure that security policies are enforced.
In the enterprise network, load balancers must now manage the increased performance needs for applications with encrypted connections. Make sure to check your organizations’ SSL needs and whether your infrastructure needs tuning to handle the associated performance requirements. Run a periodic analysis of your SSL deployment with a service such as SSL labs’ free SSL test to audit your SSL posture and to identify potential gaps. The load balancer should be viewed as another tool in your defense-in-depth strategy to alert and protect your enterprise from malicious actors.
Ranga is CTO and cofounder at Avi Networks and has been an architect and developer of several high-performance distributed operating systems, as well as networking and storage data center products. Before his current role as CTO, he was the Senior Director at Cisco's Data ... View Full Bio