SSL Offloading – Relieve SSL Burden and Improve Connection Performance

Secure Sockets Layer (SSL) encryption secures HTTP traffic by encrypting data sent over the network and requiring that the data be decrypted at the receiving end. The constant encryption and decryption of data is a compute-intensive process that consumes web server resources and slows the server down.

SSL offloading, as the name suggests, is the process of moving the encryption and decryption work from a web server to a separate device, so that the web server is free to handle other incoming traffic without sacrificing security. Often a dedicated device handles SSL processing, freeing the web server to handle the application delivery work that matters.

SSL Offloading

The SSL, or Secure Sockets Layer, cryptographic protocol secured network traffic in the early days of the Internet. Security vulnerabilities in SSL eventually led to it being superseded by the improved Transport Layer Security (TLS) protocol. The practice of moving this processing off the web server retained the name SSL offloading, even though TLS is the protocol actually in use today.

In an environment without SSL offloading, web traffic passes from the browser to the web server after a handshake between the two. The browser generates a session key, encrypts it with the website’s public key and sends it to the gateway. Once it reaches the server, the session key is decrypted with the website’s private key. Data exchanged between the server and the browser is then encrypted with that session key.

While TLS/SSL encryption has been robust, its processing-intensive nature is mitigated by SSL offloading, which places another device between the web browser making the requests and the server handling them. SSL encryption and decryption are thus removed from the gateway and handed to a separate device designed for this purpose. That device can be a proxy server or a load balancer on different hardware, or a separate server on the same machine that hosts the web server.

By removing the burden of SSL processing from the gateway, resources are freed up to assign connections to the correct server more quickly. Load balancers that have plaintext access to HTTP traffic can also perform advanced tasks such as reverse proxying, traffic regulation and cookie persistence.

Types of SSL Offloading

There are two types of SSL offloading: SSL termination and SSL bridging.

SSL Termination

In SSL termination, the web browser sends requests to the load balancer over an HTTPS connection, and the load balancer forwards them to the web server over an unencrypted connection. After handling the request, the web server returns unencrypted data to the load balancer, which encrypts it and sends it back to the browser.

Thus, SSL termination means that all encryption and decryption is performed on the load balancer and not on the web server itself. With the web servers carrying less workload, requests are serviced faster and traffic between browser and server moves much more efficiently.

However, the unencrypted connection between the load balancer and the web server leaves SSL termination open to attack on that internal hop. Sharing the web server’s private key with the load balancer is also a potential attack vector. Worse, users are not alerted when the connection is compromised, leaving them unaware until it is too late.

SSL Bridging

When using SSL bridging, requests are sent from the web browser to the load balancer via HTTPS. The load balancer decrypts and inspects the requests to ensure that they have not been tampered with along the way. Once it is satisfied that a request is safe, the load balancer encrypts the data again and forwards it to the web server, which sends its response, still encrypted, back to the load balancer and on to the browser.

While data remains encrypted throughout SSL bridging, only the work of checking that requests have not been compromised is offloaded from the web server; the server still encrypts and decrypts its own hop. Thus, SSL bridging reduces web server processing less than SSL termination does.
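The termination and bridging modes described above, written as an HAProxy load balancer configuration. This is an added example, not configuration from the original page or from Parallels; the backend addresses, certificate paths and internal hostnames are assumptions.

```haproxy
global
    # Assumed policy: refuse anything older than TLS 1.2 on client-facing listeners.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# SSL termination: TLS ends at the load balancer and the hop to the
# web servers is cleartext HTTP. The private key for example.pem lives
# on the load balancer, which is the trade-off the text describes.
frontend https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/example.pem
    # Tell the backend the client actually used HTTPS, since it only sees HTTP.
    http-request set-header X-Forwarded-Proto https
    default_backend web_plain

backend web_plain
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check

# SSL bridging: decrypt and inspect here, then re-encrypt toward the
# web servers. "verify required" with an internal CA makes the second
# hop check the backend certificate, so a host on the internal network
# cannot silently impersonate a web server.
frontend https_bridge
    bind *:8443 ssl crt /etc/haproxy/certs/example.pem
    http-request set-header X-Forwarded-Proto https
    default_backend web_tls

backend web_tls
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(web1.internal.example) check
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(web2.internal.example) check
```

The two frontends listen on different ports only so both modes fit in one file; in practice a deployment picks one mode per service.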

Parallels RAS, with its High Availability Load Balancing (HALB) capability, is an excellent SSL offloading solution, as it improves performance and puts connections in the fast lane.

SSL Offloading with Parallels HALB

Parallels RAS offers High Availability Load Balancing (HALB), which intelligently distributes connections to gateways. This software tool sits between the Parallels RAS gateways and the user to perform effective network load balancing. While a typical load balancer checks only for the availability of a server before routing an RDP connection, Parallels HALB adds a further layer of redundancy by also checking which gateways are available when routing traffic.

Parallels HALB not only ensures the continuity of a connection but can also offload inbound SSL connections from the gateway and decrypt the traffic at the HALB level, relieving the gateway of the SSL decryption work. The HALB appliance can also be set to pass-through mode, in which connections remain encrypted on their way to the gateways and are decrypted there.

Parallels HALB is easy to deploy, configure and use, with SSL offloading configured during the setup process. With Parallels RAS, this flexibility ensures that you do not have to worry about users experiencing slow connection times, whether a connection is encrypted or not.

Download the trial to start using Parallels RAS and HALB. 
