Endpoint
1/17/2017
08:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Advances In SSL: 5 Strategies For Secure, High-Performance Load Balancers

Today, even Netflix is streaming hit movies and TV shows via encrypted connections! Here's how to manage higher volumes of encrypted traffic without bogging down your network.

The volume of online transactions continues to grow exponentially, together with the number of web enabled endpoints like mobile and IoT devices. At the same time, privacy and cybersecurity concerns have resulted in more and more encrypted traffic online.

The lock icon or green navigation bar that you used to see only when exchanging sensitive personal or credit card information has now become commonplace for all online activities. Even Netflix is streaming movies via encrypted connections. And when it comes to mobile activities, 65% of all traffic in North America is encrypted, according to the Sandvine Global Internet Phenomena Report.   

Network administrators and planners have long known that better security comes at the cost of network performance and throughput from the infrastructure that they manage. Sitting in an important location right in the data path in the data center, load balancers perform a critical function in the world of secure online traffic. They take on the important task of decrypting data, called “SSL termination,” and manage this computational effort before delivering unencrypted traffic to backend servers. This reduces the computation cycles that busy Web and application servers spend on decrypting traffic to process application data.

So how can network and security architects deal with higher volumes of encrypted traffic without affecting the performance of business-critical applications? Let’s review five key strategies for SSL handling with load balancers.

1.    Webscale performance and new encryption algorithms
While RSA-based public-key cryptography with 2048-bit keys continues to be used widely, many enterprises now support Elliptic Curve Cryptography (ECC), which requires smaller key sizes to provide equivalent security. For example, a 256-bit ECC-based public key provides the comparable security of a 3072-bit RSA public key. Smaller key sizes are less computationally intensive, and result in better performance of servers handling SSL connections, and improve the overall number of SSL transactions per second (TPS).

Advances in the performance of standard Intel x86 servers have enabled large cloud service providers and Web giants such as Google and Amazon to deliver reliable, high-performance application services. These webscale strategies rely on low cost x86 servers, distributed architectures, software and API-driven automation, and rich visibility and analytics. Similarly, software load balancers implemented on standard Intel x86 servers are now becoming a mainstream approach in enterprises, thanks to their price/performance ratio. Software load-balancers implemented on standard Intel x86 servers can now terminate more than 2,500 SSL transactions per second (TPS) at the lower end, to nearly 75,000 SSL TPS on a 36-core Intel x86 server. Compared to hardware-based load balancing, that means software-defined solutions can sometimes incur just a tenth of the cost for similar scale.

2.    Implement perfect forward secrecy (PFS)
If the Heartbleed bug from a couple of years ago and recent cyber espionage incidents have taught us anything, it is that we need forward secrecy more than ever. During the SSL handshake, the client and server create and exchange the symmetric session key to encrypt the bulk data exchanged during subsequent sessions. However, if the server’s private key is somehow compromised, hackers can gain access to the session keys that were used to encrypt data and can compromise data exchanged even during past sessions.

Perfect forward secrecy (PFS) is a cryptography technique to ensure that data exchanged in past sessions cannot be compromised, even if a bad actor somehow gains access to a server’s private key since PFS uses ephemeral session keys. With PFS, new session keys are generated for each session and any compromise can only lead to data exchanged in one session. The case for PFS is obvious, but many sites haven’t yet implemented it due to performance concerns or simply due to lack of information about its benefits.

PFS is best implemented with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). ECC offers much better performance compared to the RSA-based keys for PFS. Continued advances in Intel architecture servers with faster processors and memory management enable software load-balancers to deliver better performance for such CPU-bound encryption tasks.

3.    Central management and hybrid cloud deployments
New software-defined approaches to L4-L7 network services are enabling the delivery of application services including load balancing, application security, and analytics with centralized control. Individual load balancers in such an architecture are connected to a central orchestration engine that controls the lifecycle of software load balancers while giving administrators visibility and control across the entire deployment. Central management also enables administrators to simplify certificate management and enforce specific TLS profiles which use ciphers approved by the security team. Central management enables the delivery of consistent security services for SSL termination, DDoS protection, and L4-L7 ACLs across multiple private or public cloud environments.

4.    Per-app load balancing and horizontal scaling
One strategy to mitigate the need to constantly invest in bigger and better-performing load balancers every few years is to think about per-app load balancing. Instead of deploying a single load balancer to service several applications, many enterprises are considering small software load balancers that are sized correctly in front of individual applications or tenants. When implemented with centrally managed, low-footprint software load balancers, this strategy distributes the SSL termination burden across multiple load balancers and enables enterprises to save costs. In addition, with centralized control, enterprises can automate the scaling out of load balancing services by dynamically invoking additional software load balancers where needed to boost application availability and performance.

5.    Real-time security and analytics
Since load balancers sit in the data path, session data collected from the distributed load balancers can be used to alert administrators in real-time to potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks, and to ensure that security policies are enforced.

In the enterprise network, load balancers must now manage the increased performance needs for applications with encrypted connections. Make sure to check your organizations’ SSL needs and whether your infrastructure needs tuning to handle the associated performance requirements. Run a periodic analysis of your SSL deployment with a service such as SSL labs’ free SSL test to audit your SSL posture and to identify potential gaps. The load balancer should be viewed as another tool in your defense-in-depth strategy to alert and protect your enterprise from malicious actors. 

Related Content:

 

 

 

Ranga is CTO and cofounder at Avi Networks and has been an architect and developer of several high-performance distributed operating systems, as well as networking and storage data center products. Before his current role as CTO, he was the Senior Director at Cisco's Data ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RehanG444
50%
50%
RehanG444,
User Rank: Apprentice
1/17/2017 | 3:24:41 PM
WAF
Do you support WAF services?
RehanG444
50%
50%
RehanG444,
User Rank: Apprentice
1/17/2017 | 3:24:38 PM
WAF
Do you support WAF services?
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.