What is SSL Offloading?
When traffic is sent via SSL security protocol to web servers, these servers have to encrypt and/or decrypt all the traffic in order to take appropriate action. This is CPU intensive and places a heavy strain on the web server, affecting its performance in application delivery. In SSL Offloading, this burden is “offloaded” or moved from the web server’s CPU to another device/computer that takes care of all encryption and decryption, freeing the web server to be utilized for other tasks.
As SSL offloaders can decrypt the data, intrusion detection systems, virus detection systems and the application layer firewall can analyze the incoming traffic more effectively and block suspicious data packets.
How Does Secure Sockets Layer Work?
SSL (Secure Sockets Layer) is a security protocol for establishing an encrypted link (channel) between a client and a server. Data sent between a client (browser) and a server (web server) in plain text can be eavesdropped on. Encryption prevents eavesdropping on or modification of the data, thus ensuring its integrity. SSL Certificates are issued by Certificate Authorities to specific domains and web servers and serve to authenticate the server's identity. Each SSL Certificate is tied to a key pair: the certificate carries the public key, and the server keeps the matching private key.
When a client (browser) attempts to connect to an SSL-secured website (web server), the browser asks the web server to prove its identity. The web server authenticates itself by sending a copy of its SSL Certificate, containing its public key, to the browser. The browser then checks whether the SSL Certificate can be trusted (that it chains to a trusted Certificate Authority, matches the requested domain and has not expired). If the check passes, the browser replies with a message to the web server, and the web server replies with a digitally signed acknowledgement that starts the encrypted SSL session. An "SSL handshake" is then said to have taken place: the address bar of the website displays “https://” and a lock symbol, and may also turn green.
What is SSL Acceleration?
SSL Acceleration is the process of using an SSL hardware accelerator to perform SSL offloading. The hardware accelerators are specialized Application Specific Integrated Circuits (ASICs) optimized for SSL operations. The accelerator does the encryption and decryption and relieves the load on the web server, allowing it to be used for other tasks. However, the accelerator performs only the asymmetric cryptography operations (the public-key work of the handshake), while the web server’s main processor performs all symmetric cryptography operations (the bulk encryption of the data).
Types of SSL Offloading
There are two different techniques for SSL offloading: SSL termination and SSL bridging.
What is SSL Termination?
SSL termination refers to the process that occurs at the server end of an SSL connection, where the data traffic is decrypted, i.e. where it transitions from encrypted to unencrypted form.
What is SSL Bridging?
SSL bridging, or SSL initiation, is performed by a device at the edge of a network. It first decrypts the SSL traffic, then re-encrypts it and sends it on to the Web server. The same happens in reverse: it decrypts the encrypted response it receives from the Web server, re-encrypts it and sends it to the client (browser). SSL bridging is useful for deep-packet inspection of the data, to verify that the SSL-encrypted traffic is safe and does not contain any malicious content. There are three SSL bridging possibilities: HTTPS-to-HTTPS bridging, HTTPS-to-HTTP bridging and HTTP-to-HTTPS bridging.
Security Implications of SSL Offloading
SSL offloading has significant advantages as it boosts the performance of Web servers, ensuring faster traffic between the client (customer) and the Web server.
However, the risk with typical SSL offloading is that the data traffic travels in unencrypted form between the offloader and the Web server. This can be considered secure when that hop stays within the enterprise's internal network, which would be protected by firewalls. However, if that firewall sits only at the network edge, the unencrypted hop carries more risk, as the data can be compromised from inside the perimeter.
Any client who connects to the Web server via SSL will assume that the data travels in encrypted form for the whole journey to the server; they may not know that technologies such as SSL offloading are in use. If, in the rare event of a breach, confidential or sensitive data were compromised in transit between the SSL offloader and the Web server, the client may take legal action against the enterprise.
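As an added example (not from the original article) of the two techniques described under "Types of SSL Offloading" and of the mitigation for the unencrypted backend hop discussed above, here is an nginx reverse proxy configured as the SSL offloader. It terminates the client's TLS on the public side and uses HTTPS-to-HTTPS bridging toward the web server, verifying the backend's certificate so that the second hop is both encrypted and authenticated; the plain termination (HTTPS-to-HTTP) variant is shown in a comment. All hostnames, addresses, file paths and the internal CA are assumed placeholders.

```nginx
# Added example configuration, not from the original article.
# Hostnames, addresses, paths and the internal CA bundle are assumed placeholders.

# Web server pool on the internal network (assumed address); the backend itself
# speaks TLS so the offloader can re-encrypt toward it (SSL bridging).
upstream app_backend {
    server 10.0.1.10:8443;
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name www.example.com;   # assumed public hostname

    # Client-facing side: the offloader holds the public certificate and its private key,
    # so the web server never has to do the handshake or bulk crypto for the client.
    ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;   # session resumption cuts repeated handshake cost
    ssl_session_timeout 1d;

    location / {
        # Backend hop, HTTPS-to-HTTPS bridging: traffic is decrypted here (where a WAF or
        # IDS module can inspect it) and re-encrypted, so it never crosses the internal
        # network in the clear.
        proxy_pass https://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Verify the web server's certificate. Without this the second hop is encrypted
        # but not authenticated, and an on-path device inside the perimeter could still
        # impersonate the backend.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;   # assumed internal CA
        proxy_ssl_server_name         on;
        proxy_ssl_name                app.internal.example;              # assumed name in backend cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Plain SSL termination (HTTPS-to-HTTP) would instead use an unencrypted backend:
        #   proxy_pass http://10.0.1.10:8080;
        # and drop the proxy_ssl_* directives. That is the hop the text warns about: only
        # acceptable when the offloader and web server share a protected internal network.

        # The backend only sees the offloader as its client; pass the original client
        # details on so logs, https:// redirects and Secure cookies are built correctly.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading. With the HTTPS-to-HTTP variant the backend application only ever sees plain HTTP, so it must trust the X-Forwarded-Proto header from the offloader to know the client connection was encrypted; otherwise it will emit http:// redirects and may refuse to set Secure cookies.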
Features and Benefits of SSL Offloading
Encrypting and decrypting is a CPU-intensive process. Offloading it frees the Web server to focus on other work. The overall process becomes more efficient, ensuring a faster response from the Web server to any client query. SSL offloading can also increase security effectiveness, because the dedicated device has the capacity to inspect traffic and ward off SSL sniffing and similar attacks. It can also increase application and website speed and can save you from needing more web servers to keep up.