SSL Termination: How to Decrypt SSL-Encrypted Data Effectively
Online transactions are part of day-to-day life now. With online transactions increasing like never before and with IoT devices and mobile devices being used in a large number, the need for having SSL certificates and encryption also increases. This is due to concerns pertaining to privacy and cybersecurity.
Today encrypted connections are preferred by almost everyone who is on the net. Thus while encrypted internet traffic is on the rise, it has to be ensured that such higher volumes of encrypted traffic don’t affect network performances. It’s here that load balancers come in. Load balancers perform the task of ‘SSL Termination’ or decrypting data. This computational effort is thus managed by load balancers before the unencrypted traffic is delivered to backend servers. Thus the computation cycles that web and application servers need to spend on decrypting traffic is reduced.
Load balancers thus have a key role to perform as far as SSL encryption is concerned. Here’s a look at some key strategies to ensure secure, high-performance load balancing…
- Still widely used is the RSA-based public-key cryptography with 2048-bit keys, but now some enterprises go for Elliptic Curve Cryptography (ECC), which gives same security with smaller key sizes. Thus security provided by a 256-bit ECC-based public key equals that provided by a 3072-bit RSA public key. Using ECC and a smaller key helps ensure better performance of SSL-handling servers and improves the overall number of SSL TPS (Transactions per Second).
- Software load balancers implemented on Intel x86 servers too help a lot. Load balancers implemented on standard Intel x86 servers terminate over 2,500 SSL TPS (Transactions per Second) at the lower end, to nearly 75,000 TPS on a 36-core Intel x86 server. Thus software-defined solutions might cost a tenth of what hardware-based load balancing costs.
- Implementing PFS (Perfect Forward Secrecy) helps a lot. PFS is a cryptography technique that helps ensure that the data that has been exchanged in past sessions would not be compromised, even if a cyber criminal gets access to the server’s private key. This because PFS uses ephemeral session keys and new session keys are generated for each session. Thus any compromise that happens can affect only the data that’s exchanged in one session. It’s always advisable to implement PFS with TLS v1.2 and ECC Diffie-Hellman key exchange (DHE). This ensures much better performance compared to the RSA-based keys for PFS.
- Central management, which includes a central orchestration engine that controls the lifecycle of load balancers and gives administrators visibility plus control over entire deployment, is really useful. This also helps to simplify certificate management and ensures delivery of consistent security services for SSL termination, L4-L7 ACLs, and DDoS protection across multiple private or public cloud environments.
- Per-app load balancing, ie, using small software load balancers in front of individual applications or tenants instead of deploying a single load balancer for servicing several applications, is always better. When implemented well, with low-footprint software load balancers that are centrally managed, this helps distribute the SSL termination burden across multiple load balancers, thereby helping enterprises in saving costs.
- Real-time security and analytics is a vital thing that helps when it comes to load balancing. Collecting session data from distributed load balancers and using them to alert administrators in real-time regarding potential vulnerabilities including TLS versions used by clients, expired certificates, DDoS attacks etc is important. Running periodic analysis of the company’s SSL deployment along with auditing SSL posture and identifying potential gaps (using a service such as SSL labs’ free SSL test) is also important.