SSL Offloading: Relieve SSL Burden and Improve Connection Performance

Secure Sockets Layer (SSL) based encryption secures HTTP traffic by encrypting data before it is sent over the network and requiring the receiving end to decrypt it. This constant encryption and decryption is a compute-intensive process that ties up the web server, slowing it down.

SSL offloading, as the name suggests, is the process of moving encryption and decryption off the web server onto an alternative server, so that the web server is free to handle other incoming traffic without sacrificing security. Often a dedicated server handles the SSL processing, freeing the web server to handle the application delivery work that matters.

What is SSL Offloading?

The SSL, or Secure Sockets Layer, cryptographic protocol secured network traffic during the early days of the Internet. Security vulnerabilities in SSL eventually led to it being superseded by the improved Transport Layer Security (TLS) protocol. The process of balancing requests to ensure the smooth running of web servers retained the name SSL offloading, despite the change in the cryptographic protocols used.

In an environment without SSL offloading, web traffic passes from the browser to the web server after a handshake between the two. The browser generates a session key, encrypts it using the website’s public key and sends it to the gateway. Once it reaches the server, the session key is decrypted with the website’s private key. Data exchanged between the server and browser is then encrypted using that session key.

How SSL Offloading Works

While TLS/SSL encryption is robust, its processing-intensive nature calls for mitigation in the form of SSL offloading, which places another device between the web browser making the requests and the server handling them. SSL encryption and decryption are removed from the gateway and transferred to that separate device, which is designed for the purpose. The device can be a proxy server or a load balancer on different hardware, or a separate server on the same machine that hosts the web server.

By removing the burden of SSL processing from the gateway, resources are freed to assign connections to the correct server more quickly. Load balancers that see the decrypted HTTP traffic can also perform advanced tasks such as reverse proxying, traffic regulation and cookie persistence.

SSL Offloading Within a Load Balancer

SSL offloading on a load balancer is becoming a must-have feature, and load balancers that offer it are also known as SSL load balancers. An SSL load balancer can encrypt and decrypt data sent via HTTPS, which employs the SSL/TLS protocol to encrypt data sent across the network.

Types of SSL Offloading

There are two types of SSL offloading, namely, SSL termination and SSL bridging.

SSL Termination

In SSL termination, the web browser sends requests to the load balancer over an HTTPS connection, and the load balancer forwards them to the web server over an unencrypted connection. After receiving the request, the web server returns unencrypted data to the load balancer, which encrypts it and sends it back to the browser.

Thus, SSL termination means that all encryption and decryption is performed on the load balancer and not on the server itself. With the web servers doing less work, requests are serviced faster and traffic between browser and server moves much more efficiently.

However, the unencrypted connection between the load balancer and web server leaves SSL termination open to attack: anyone able to observe that internal link sees the traffic in cleartext. Sharing the web server’s private key with the load balancer is another potential attack vector. Worse, users are not alerted when the internal connection is compromised, because their own connection to the load balancer still appears secure, leaving them unaware until it is too late.

SSL Bridging

When using SSL bridging, requests are sent from the web browser to the load balancer via HTTPS. The load balancer decrypts and checks the requests to ensure that they have not been compromised along the way. Once sure that a request is safe, the load balancer encrypts the data again and forwards it to the web server, which sends its response, still encrypted, back to the load balancer and on to the browser.
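As an added example (not from the article or from Parallels), the two offloading modes described in the SSL termination and SSL bridging sections expressed as nginx reverse-proxy configuration; the hostnames, certificate paths, backend addresses and internal CA are assumed placeholders.

```nginx
# Added example: two nginx server blocks, one per SSL offloading mode.
# All hostnames, file paths and backend addresses below are assumed.

# --- SSL termination: TLS ends at the load balancer, plain HTTP to the backend ---
server {
    listen 443 ssl;
    server_name app.example.com;                               # assumed hostname

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;    # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The backend speaks plain HTTP. Anyone who can observe this link
        # sees cleartext, so keep it on an isolated network segment.
        proxy_pass http://10.0.1.10:8080;                      # assumed backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;              # app learns the client used TLS
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# --- SSL bridging: decrypted here for inspection, re-encrypted to the backend ---
server {
    listen 443 ssl;
    server_name bridged.example.com;                           # assumed hostname

    ssl_certificate     /etc/nginx/tls/bridged.example.com.crt; # assumed path
    ssl_certificate_key /etc/nginx/tls/bridged.example.com.key; # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Requests are plaintext only inside nginx, where they can be inspected,
        # then leave over a second TLS connection to the backend.
        proxy_pass https://10.0.1.20:8443;                     # assumed backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;

        # Verify the backend certificate so the second hop is not blind trust.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt; # assumed CA bundle
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal.example;   # assumed name in backend cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Without the proxy_ssl_verify settings in the bridging block, the backend hop is encrypted but the load balancer would accept any certificate, which gives up much of the point of re-encrypting.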

The Benefits of SSL Offloading

There are several benefits offered by SSL offloading:

· It frees up your application servers to focus on their core operations by offloading extra chores.

· It reduces the amount of resources used by such application servers.

· It can also assist with HTTPS inspection, reverse-proxying, cookie persistence, traffic control, and other tasks, depending on the load balancer you’re using.

The last point is the most important: SSL offloading can help with traffic inspection in some instances. Encryption is crucial, but it has one fundamental drawback: malicious content can hide inside encrypted traffic that nothing between the client and the server is able to inspect.

While data remains encrypted throughout SSL bridging, the work of checking that requests have not been compromised is offloaded from the web server. The web server still has to handle its own TLS connection, however, so SSL bridging reduces web server processing load less than SSL termination does.

SSL Offloading with Parallels RAS

Parallels® Remote Application Server (RAS), with its High Availability Load Balancing (HALB) capability, is an excellent SSL offloading solution, as it improves performance and gets connections on the fast lane.

Parallels RAS HALB intelligently distributes connections to gateways. This software tool sits between the Parallels RAS gateways and the user to perform effective network load balancing. While a typical load balancer checks for the availability of a server before routing an RDP connection, Parallels HALB adds an additional layer of redundancy by also checking the available gateways when routing traffic.

Parallels HALB not only ensures the continuity of a connection but is also able to offload inbound SSL connections from the gateway and decrypt the traffic at the HALB level, relieving the gateway of the SSL decryption process. The HALB appliance can also be set to pass-through mode, in which connections remain encrypted when sent to the gateways and are decrypted there.

Parallels HALB is easy to deploy, configure and use, with SSL offloading configured during the setup process. With Parallels RAS, this flexibility ensures that you do not have to worry about users experiencing slow connection times, whether a connection is encrypted or not.
