Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly
E-Mail vvv

Advances In SSL: 5 Strategies For Secure, High-Performance Load Balancers

Today, even Netflix is streaming hit movies and TV shows via encrypted connections! Here's how to manage higher volumes of encrypted traffic without bogging down your network.

The volume of online transactions continues to grow exponentially, together with the number of web enabled endpoints like mobile and IoT devices. At the same time, privacy and cybersecurity concerns have resulted in more and more encrypted traffic online.

The lock icon or green navigation bar that you used to see only when exchanging sensitive personal or credit card information has now become commonplace for all online activities. Even Netflix is streaming movies via encrypted connections. And when it comes to mobile activities, 65% of all traffic in North America is encrypted, according to the Sandvine Global Internet Phenomena Report.   

Network administrators and planners have long known that better security comes at the cost of network performance and throughput from the infrastructure that they manage. Sitting in an important location right in the data path in the data center, load balancers perform a critical function in the world of secure online traffic. They take on the important task of decrypting data, called “SSL termination,” and manage this computational effort before delivering unencrypted traffic to backend servers. This reduces the computation cycles that busy Web and application servers spend on decrypting traffic to process application data.

So how can network and security architects deal with higher volumes of encrypted traffic without affecting the performance of business-critical applications? Let’s review five key strategies for SSL handling with load balancers.

1.    Webscale performance and new encryption algorithms
While RSA-based public-key cryptography with 2048-bit keys continues to be used widely, many enterprises now support Elliptic Curve Cryptography (ECC), which requires smaller key sizes to provide equivalent security. For example, a 256-bit ECC-based public key provides the comparable security of a 3072-bit RSA public key. Smaller key sizes are less computationally intensive, and result in better performance of servers handling SSL connections, and improve the overall number of SSL transactions per second (TPS).

Advances in the performance of standard Intel x86 servers have enabled large cloud service providers and Web giants such as Google and Amazon to deliver reliable, high-performance application services. These webscale strategies rely on low cost x86 servers, distributed architectures, software and API-driven automation, and rich visibility and analytics. Similarly, software load balancers implemented on standard Intel x86 servers are now becoming a mainstream approach in enterprises, thanks to their price/performance ratio. Software load-balancers implemented on standard Intel x86 servers can now terminate more than 2,500 SSL transactions per second (TPS) at the lower end, to nearly 75,000 SSL TPS on a 36-core Intel x86 server. Compared to hardware-based load balancing, that means software-defined solutions can sometimes incur just a tenth of the cost for similar scale.

2.    Implement perfect forward secrecy (PFS)
If the Heartbleed bug from a couple of years ago and recent cyber espionage incidents have taught us anything, it is that we need forward secrecy more than ever. During the SSL handshake, the client and server create and exchange the symmetric session key to encrypt the bulk data exchanged during subsequent sessions. However, if the server’s private key is somehow compromised, hackers can gain access to the session keys that were used to encrypt data and can compromise data exchanged even during past sessions.

Perfect forward secrecy (PFS) is a cryptography technique to ensure that data exchanged in past sessions cannot be compromised, even if a bad actor somehow gains access to a server’s private key since PFS uses ephemeral session keys. With PFS, new session keys are generated for each session and any compromise can only lead to data exchanged in one session. The case for PFS is obvious, but many sites haven’t yet implemented it due to performance concerns or simply due to lack of information about its benefits.

PFS is best implemented with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). ECC offers much better performance compared to the RSA-based keys for PFS. Continued advances in Intel architecture servers with faster processors and memory management enable software load-balancers to deliver better performance for such CPU-bound encryption tasks.

3.    Central management and hybrid cloud deployments
New software-defined approaches to L4-L7 network services are enabling the delivery of application services including load balancing, application security, and analytics with centralized control. Individual load balancers in such an architecture are connected to a central orchestration engine that controls the lifecycle of software load balancers while giving administrators visibility and control across the entire deployment. Central management also enables administrators to simplify certificate management and enforce specific TLS profiles which use ciphers approved by the security team. Central management enables the delivery of consistent security services for SSL termination, DDoS protection, and L4-L7 ACLs across multiple private or public cloud environments.

4.    Per-app load balancing and horizontal scaling
One strategy to mitigate the need to constantly invest in bigger and better-performing load balancers every few years is to think about per-app load balancing. Instead of deploying a single load balancer to service several applications, many enterprises are considering small software load balancers that are sized correctly in front of individual applications or tenants. When implemented with centrally managed, low-footprint software load balancers, this strategy distributes the SSL termination burden across multiple load balancers and enables enterprises to save costs. In addition, with centralized control, enterprises can automate the scaling out of load balancing services by dynamically invoking additional software load balancers where needed to boost application availability and performance.

5.    Real-time security and analytics
Since load balancers sit in the data path, session data collected from the distributed load balancers can be used to alert administrators in real-time to potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks, and to ensure that security policies are enforced.

In the enterprise network, load balancers must now manage the increased performance needs for applications with encrypted connections. Make sure to check your organizations’ SSL needs and whether your infrastructure needs tuning to handle the associated performance requirements. Run a periodic analysis of your SSL deployment with a service such as SSL labs’ free SSL test to audit your SSL posture and to identify potential gaps. The load balancer should be viewed as another tool in your defense-in-depth strategy to alert and protect your enterprise from malicious actors. 

Related Content:




Ranga is CTO and cofounder at Avi Networks and has been an architect and developer of several high-performance distributed operating systems, as well as networking and storage data center products. Before his current role as CTO, he was the Senior Director at Cisco's Data ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/17/2017 | 3:24:41 PM
Do you support WAF services?
User Rank: Apprentice
1/17/2017 | 3:24:38 PM
Do you support WAF services?
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...