Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly
E-Mail vvv

Advances In SSL: 5 Strategies For Secure, High-Performance Load Balancers

Today, even Netflix is streaming hit movies and TV shows via encrypted connections! Here's how to manage higher volumes of encrypted traffic without bogging down your network.

The volume of online transactions continues to grow exponentially, together with the number of web enabled endpoints like mobile and IoT devices. At the same time, privacy and cybersecurity concerns have resulted in more and more encrypted traffic online.

The lock icon or green navigation bar that you used to see only when exchanging sensitive personal or credit card information has now become commonplace for all online activities. Even Netflix is streaming movies via encrypted connections. And when it comes to mobile activities, 65% of all traffic in North America is encrypted, according to the Sandvine Global Internet Phenomena Report.   

Network administrators and planners have long known that better security comes at the cost of network performance and throughput from the infrastructure that they manage. Sitting in an important location right in the data path in the data center, load balancers perform a critical function in the world of secure online traffic. They take on the important task of decrypting data, called “SSL termination,” and manage this computational effort before delivering unencrypted traffic to backend servers. This reduces the computation cycles that busy Web and application servers spend on decrypting traffic to process application data.

So how can network and security architects deal with higher volumes of encrypted traffic without affecting the performance of business-critical applications? Let’s review five key strategies for SSL handling with load balancers.

1.    Webscale performance and new encryption algorithms
While RSA-based public-key cryptography with 2048-bit keys continues to be used widely, many enterprises now support Elliptic Curve Cryptography (ECC), which requires smaller key sizes to provide equivalent security. For example, a 256-bit ECC-based public key provides the comparable security of a 3072-bit RSA public key. Smaller key sizes are less computationally intensive, and result in better performance of servers handling SSL connections, and improve the overall number of SSL transactions per second (TPS).

Advances in the performance of standard Intel x86 servers have enabled large cloud service providers and Web giants such as Google and Amazon to deliver reliable, high-performance application services. These webscale strategies rely on low cost x86 servers, distributed architectures, software and API-driven automation, and rich visibility and analytics. Similarly, software load balancers implemented on standard Intel x86 servers are now becoming a mainstream approach in enterprises, thanks to their price/performance ratio. Software load-balancers implemented on standard Intel x86 servers can now terminate more than 2,500 SSL transactions per second (TPS) at the lower end, to nearly 75,000 SSL TPS on a 36-core Intel x86 server. Compared to hardware-based load balancing, that means software-defined solutions can sometimes incur just a tenth of the cost for similar scale.

2.    Implement perfect forward secrecy (PFS)
If the Heartbleed bug from a couple of years ago and recent cyber espionage incidents have taught us anything, it is that we need forward secrecy more than ever. During the SSL handshake, the client and server create and exchange the symmetric session key to encrypt the bulk data exchanged during subsequent sessions. However, if the server’s private key is somehow compromised, hackers can gain access to the session keys that were used to encrypt data and can compromise data exchanged even during past sessions.

Perfect forward secrecy (PFS) is a cryptography technique to ensure that data exchanged in past sessions cannot be compromised, even if a bad actor somehow gains access to a server’s private key since PFS uses ephemeral session keys. With PFS, new session keys are generated for each session and any compromise can only lead to data exchanged in one session. The case for PFS is obvious, but many sites haven’t yet implemented it due to performance concerns or simply due to lack of information about its benefits.

PFS is best implemented with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). ECC offers much better performance compared to the RSA-based keys for PFS. Continued advances in Intel architecture servers with faster processors and memory management enable software load-balancers to deliver better performance for such CPU-bound encryption tasks.

3.    Central management and hybrid cloud deployments
New software-defined approaches to L4-L7 network services are enabling the delivery of application services including load balancing, application security, and analytics with centralized control. Individual load balancers in such an architecture are connected to a central orchestration engine that controls the lifecycle of software load balancers while giving administrators visibility and control across the entire deployment. Central management also enables administrators to simplify certificate management and enforce specific TLS profiles which use ciphers approved by the security team. Central management enables the delivery of consistent security services for SSL termination, DDoS protection, and L4-L7 ACLs across multiple private or public cloud environments.

4.    Per-app load balancing and horizontal scaling
One strategy to mitigate the need to constantly invest in bigger and better-performing load balancers every few years is to think about per-app load balancing. Instead of deploying a single load balancer to service several applications, many enterprises are considering small software load balancers that are sized correctly in front of individual applications or tenants. When implemented with centrally managed, low-footprint software load balancers, this strategy distributes the SSL termination burden across multiple load balancers and enables enterprises to save costs. In addition, with centralized control, enterprises can automate the scaling out of load balancing services by dynamically invoking additional software load balancers where needed to boost application availability and performance.

5.    Real-time security and analytics
Since load balancers sit in the data path, session data collected from the distributed load balancers can be used to alert administrators in real-time to potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks, and to ensure that security policies are enforced.

In the enterprise network, load balancers must now manage the increased performance needs for applications with encrypted connections. Make sure to check your organizations’ SSL needs and whether your infrastructure needs tuning to handle the associated performance requirements. Run a periodic analysis of your SSL deployment with a service such as SSL labs’ free SSL test to audit your SSL posture and to identify potential gaps. The load balancer should be viewed as another tool in your defense-in-depth strategy to alert and protect your enterprise from malicious actors. 

Related Content:




Ranga is CTO and cofounder at Avi Networks and has been an architect and developer of several high-performance distributed operating systems, as well as networking and storage data center products. Before his current role as CTO, he was the Senior Director at Cisco's Data ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/17/2017 | 3:24:41 PM
Do you support WAF services?
User Rank: Apprentice
1/17/2017 | 3:24:38 PM
Do you support WAF services?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...