08:00 AM
Connect Directly
E-Mail vvv

Advances In SSL: 5 Strategies For Secure, High-Performance Load Balancers

Today, even Netflix is streaming hit movies and TV shows via encrypted connections! Here's how to manage higher volumes of encrypted traffic without bogging down your network.

The volume of online transactions continues to grow exponentially, together with the number of web enabled endpoints like mobile and IoT devices. At the same time, privacy and cybersecurity concerns have resulted in more and more encrypted traffic online.

The lock icon or green navigation bar that you used to see only when exchanging sensitive personal or credit card information has now become commonplace for all online activities. Even Netflix is streaming movies via encrypted connections. And when it comes to mobile activities, 65% of all traffic in North America is encrypted, according to the Sandvine Global Internet Phenomena Report.   

Network administrators and planners have long known that better security comes at the cost of network performance and throughput from the infrastructure that they manage. Sitting in an important location right in the data path in the data center, load balancers perform a critical function in the world of secure online traffic. They take on the important task of decrypting data, called “SSL termination,” and manage this computational effort before delivering unencrypted traffic to backend servers. This reduces the computation cycles that busy Web and application servers spend on decrypting traffic to process application data.

So how can network and security architects deal with higher volumes of encrypted traffic without affecting the performance of business-critical applications? Let’s review five key strategies for SSL handling with load balancers.

1.    Webscale performance and new encryption algorithms
While RSA-based public-key cryptography with 2048-bit keys continues to be used widely, many enterprises now support Elliptic Curve Cryptography (ECC), which requires smaller key sizes to provide equivalent security. For example, a 256-bit ECC-based public key provides the comparable security of a 3072-bit RSA public key. Smaller key sizes are less computationally intensive, and result in better performance of servers handling SSL connections, and improve the overall number of SSL transactions per second (TPS).

Advances in the performance of standard Intel x86 servers have enabled large cloud service providers and Web giants such as Google and Amazon to deliver reliable, high-performance application services. These webscale strategies rely on low cost x86 servers, distributed architectures, software and API-driven automation, and rich visibility and analytics. Similarly, software load balancers implemented on standard Intel x86 servers are now becoming a mainstream approach in enterprises, thanks to their price/performance ratio. Software load-balancers implemented on standard Intel x86 servers can now terminate more than 2,500 SSL transactions per second (TPS) at the lower end, to nearly 75,000 SSL TPS on a 36-core Intel x86 server. Compared to hardware-based load balancing, that means software-defined solutions can sometimes incur just a tenth of the cost for similar scale.

2.    Implement perfect forward secrecy (PFS)
If the Heartbleed bug from a couple of years ago and recent cyber espionage incidents have taught us anything, it is that we need forward secrecy more than ever. During the SSL handshake, the client and server create and exchange the symmetric session key to encrypt the bulk data exchanged during subsequent sessions. However, if the server’s private key is somehow compromised, hackers can gain access to the session keys that were used to encrypt data and can compromise data exchanged even during past sessions.

Perfect forward secrecy (PFS) is a cryptography technique to ensure that data exchanged in past sessions cannot be compromised, even if a bad actor somehow gains access to a server’s private key since PFS uses ephemeral session keys. With PFS, new session keys are generated for each session and any compromise can only lead to data exchanged in one session. The case for PFS is obvious, but many sites haven’t yet implemented it due to performance concerns or simply due to lack of information about its benefits.

PFS is best implemented with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). ECC offers much better performance compared to the RSA-based keys for PFS. Continued advances in Intel architecture servers with faster processors and memory management enable software load-balancers to deliver better performance for such CPU-bound encryption tasks.

3.    Central management and hybrid cloud deployments
New software-defined approaches to L4-L7 network services are enabling the delivery of application services including load balancing, application security, and analytics with centralized control. Individual load balancers in such an architecture are connected to a central orchestration engine that controls the lifecycle of software load balancers while giving administrators visibility and control across the entire deployment. Central management also enables administrators to simplify certificate management and enforce specific TLS profiles which use ciphers approved by the security team. Central management enables the delivery of consistent security services for SSL termination, DDoS protection, and L4-L7 ACLs across multiple private or public cloud environments.

4.    Per-app load balancing and horizontal scaling
One strategy to mitigate the need to constantly invest in bigger and better-performing load balancers every few years is to think about per-app load balancing. Instead of deploying a single load balancer to service several applications, many enterprises are considering small software load balancers that are sized correctly in front of individual applications or tenants. When implemented with centrally managed, low-footprint software load balancers, this strategy distributes the SSL termination burden across multiple load balancers and enables enterprises to save costs. In addition, with centralized control, enterprises can automate the scaling out of load balancing services by dynamically invoking additional software load balancers where needed to boost application availability and performance.

5.    Real-time security and analytics
Since load balancers sit in the data path, session data collected from the distributed load balancers can be used to alert administrators in real-time to potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks, and to ensure that security policies are enforced.

In the enterprise network, load balancers must now manage the increased performance needs for applications with encrypted connections. Make sure to check your organizations’ SSL needs and whether your infrastructure needs tuning to handle the associated performance requirements. Run a periodic analysis of your SSL deployment with a service such as SSL labs’ free SSL test to audit your SSL posture and to identify potential gaps. The load balancer should be viewed as another tool in your defense-in-depth strategy to alert and protect your enterprise from malicious actors. 

Related Content:




Ranga is CTO and cofounder at Avi Networks and has been an architect and developer of several high-performance distributed operating systems, as well as networking and storage data center products. Before his current role as CTO, he was the Senior Director at Cisco's Data ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/17/2017 | 3:24:41 PM
Do you support WAF services?
User Rank: Apprentice
1/17/2017 | 3:24:38 PM
Do you support WAF services?
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
PUBLISHED: 2019-03-22
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
PUBLISHED: 2019-03-22
Caret before 2019-02-22 allows Remote Code Execution.
PUBLISHED: 2019-03-22
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.