What is SSL Offloading?


SSL/TLS Offloading is a technique that improves the efficiency and performance of your application tier by moving SSL/TLS handshake, decryption and encryption work from the application servers to a separate device placed in front of them. Traffic reaches the application server either unencrypted or encrypted at a lower cost (for example re-encrypted with a less expensive cipher suite), so the application server is relieved of most of the computationally intensive cryptographic work.

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are the protocols that encrypt and authenticate HTTP traffic on the internet; HTTPS is simply HTTP carried over them. All versions of SSL itself are now deprecated and the name survives largely out of habit, which is why this page writes SSL/TLS. The handshake, encryption and decryption are CPU intensive and can put a strain on application server resources. To balance these computing demands, SSL/TLS offloading moves the processing to a dedicated physical or virtual device.

In essence, SSL/TLS Offloading unloads the SSL/TLS decryption and encryption process from your application servers to a dedicated device, optimizing the application server’s performance. It is akin to having a dedicated translator who interprets and relays messages so the main speaker can focus on delivering the speech.

This method enhances application server efficiency, ensures a smoother user experience and frees up resources, boosting speed. Various tools for SSL/TLS offloading include SSL accelerators, Application Delivery Controllers (ADCs), Web Application Firewalls (WAFs) and software reverse proxies.

How SSL Offloading Works

The process of SSL/TLS Offloading follows the steps below, in order:

Client Request: The client opens an SSL/TLS-encrypted connection to what it believes is the application server. In practice the connection lands on the ADC or load balancer, which holds the site’s certificate and private key and answers on the application’s public address.

SSL/TLS Termination: The ADC or load balancer, acting as the SSL/TLS server, completes the handshake and decrypts the request. This is the point at which SSL/TLS termination occurs.

Request Routing: The decrypted request is routed to the appropriate backend application server, typically over plain HTTP on the internal network.

Server Response: The application server processes the request and returns the response to the load balancer or ADC.

Re-encryption and Response: The load balancer encrypts the server’s response inside the existing SSL/TLS session and sends it back to the client, so the client-facing connection stays secure throughout.

[Infographic: The SSL Offloading Process]
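The five steps above, expressed as a reverse-proxy configuration. This is an added example written for this page in nginx syntax, not a Radware Alteon configuration; the hostnames, certificate paths and the 10.0.1.0/24 backend addresses are assumptions.

```nginx
# Added example (not Radware configuration): SSL/TLS termination on an
# nginx reverse proxy standing in for the ADC/load balancer described above.
# Hostnames, certificate paths and backend addresses are assumptions.

events {}

http {
    # Backend pool: the application servers that receive decrypted traffic.
    upstream app_pool {
        server 10.0.1.11:8080;
        server 10.0.1.12:8080;
    }

    server {
        # Client Request / SSL/TLS Termination: the client connects here with
        # TLS; the handshake and decryption happen on this device, not on the
        # application servers, so only this device needs the private key.
        listen 443 ssl;
        server_name www.example.com;

        ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;

        # Protocol and cipher policy is set once, here, rather than on every
        # backend. TLS 1.0/1.1 and every SSL version are left disabled.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        location / {
            # Request Routing: the decrypted request goes to a backend over
            # plain HTTP. Everything after this line crosses the internal
            # network in cleartext.
            proxy_pass http://app_pool;

            # The backend only ever sees cleartext HTTP, so tell it the
            # original scheme and client address. The application must
            # trust these headers only for requests that arrive from this
            # proxy, otherwise any client that can reach port 8080 directly
            # can claim its request was HTTPS.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP         $remote_addr;
        }
        # Server Response / Re-encryption and Response: the backend's reply
        # returns to this proxy, which sends it to the client inside the
        # already-established TLS session.
    }

    # Plain-HTTP listener: redirect, so clients never transact in cleartext.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }
}
```

The proxy_pass http:// line is the Request Routing step and the reason the security concern listed under the cons of termination matters: from that point on the traffic is readable by anyone who can capture packets on the backend segment. Keep the backend listener reachable only from the proxy (a host firewall rule on the application servers or a dedicated VLAN), and have the application treat X-Forwarded-Proto as authoritative only when the connecting address is the proxy.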

Radware’s Approach to SSL Offloading

Radware’s SSL/TLS offloading solution, Alteon ADC, provides a centralized solution for offloading traffic encryption/decryption processing for both inbound and outbound traffic. It acts as a central switching point for all perimeter network security modules, significantly reducing the latency of SSL/TLS encrypted traffic. Alteon enhances the efficiency and security of SSL/TLS traffic and provides flexible and transparent deployment with user privacy in mind.

Key features of Radware’s SSL/TLS Offloading approach:

Transparent Deployment: Radware’s solution eliminates the need to re-engineer the network or configure end-user clients to pass all traffic through a predefined SSL/TLS proxy.

Fast, Accurate and Simple SSL/TLS Visibility: Radware’s patented SSL/TLS inspection technology embedded in Alteon provides quick visibility into SSL/TLS traffic patterns, SSL/TLS handshake statistics, and valuable information into the root cause of SSL/TLS Inspection problems if and when they occur.

Flexible Security Policies: With URL class-based classification, organizations can ensure user privacy is kept (i.e., traffic to banking sites is not inspected) based on class.

Performance Optimization: Radware integrates SSL/TLS offloading into select application delivery products to improve application server optimization for greater accessibility and faster response times.

Types of SSL Offloading

The main types of SSL Offloading are:

SSL Termination

SSL/TLS Termination is the most common form of SSL/TLS Offloading, and the two terms are often used interchangeably. The SSL/TLS load balancer sits on the edge, intercepts all incoming traffic, decrypts it and then passes the traffic on to the applications unencrypted (or at a lower encryption strength). This relieves the application servers from the burden of encrypting and decrypting data sent over the SSL/TLS protocol. Radware’s Alteon provides this as a one-box solution for both inbound and outbound traffic, as described under Radware’s Approach above.

SSL Bridging

SSL/TLS Bridging is a process where the SSL/TLS load balancer sits on the edge, intercepts all incoming traffic, decrypts it, re-encrypts it and then passes it to the application server. Radware’s Alteon and AppWall Bridge Mode functions as a Layer 3 transparent network device. All non-HTTP traffic is transparently forwarded to its destination. All HTTP traffic that is not defined to be secured is transparently forwarded to its destination.

SSL Tunneling

SSL/TLS Tunneling is a process where a single SSL/TLS connection is created end to end between the client and the server, and the data is transmitted over this secure connection. The edge device forwards the encrypted bytes without decrypting them, so it never holds the session keys and cannot read the traffic.

Radware products and solutions support SSL/TLS Tunneling in several ways:

Alteon SSL/TLS Offload and SSL Inspection provides a simple one-box solution for offloading traffic encryption/decryption processing for both inbound and outbound traffic. It acts as a central switching point for all perimeter network security modules, significantly reducing latency of SSL/TLS encrypted traffic.

SSL/TLS Attack Mitigation from Radware is a patented, encrypted mitigation solution that supports all common versions of SSL and TLS and protects against all types of encrypted attacks.

DefensePro protects against SSL/TLS-based attacks, ensuring that hackers—many of whom have learned to exploit SSL/TLS tunnels to evade network intrusion prevention measures—can no longer exploit this unprotected pathway to launch DoS/DDoS attacks.

SSL Termination: Pros and Cons

PROS:

Reduced Server Load: SSL Termination helps speed the decryption process and reduces the processing burden on backend applications. This is because the application server doesn’t need to encrypt and decrypt all of the incoming and outgoing data.

Improved Server Speed: By offloading the computationally intensive work of encryption and decryption, SSL Termination can help organizations improve their server speed.

Simplified Certificate Management: With termination at the load balancer, certificates and private keys are installed, rotated and renewed on the load balancer only, not on every backend server.

Increased Connection Handling: SSL termination also allows your application to handle more connections at a time, because fewer compute cycles are spent on SSL/TLS encryption and decryption.

CONS:

Security Concerns: After SSL termination, traffic between the load balancer and the backend applications crosses the internal network in cleartext, where anyone able to capture packets on that segment can read it. That hop should be confined to an isolated network. Alternatively, administrators can re-encrypt the traffic at the load balancer, if desired with a less expensive cipher suite, before sending it to the applications (see SSL Bridging below).

Additional Compute Power: Some load balancers can use a self-signed (or internal CA-issued) certificate on the connection between the load balancer and the application servers. This restores an encrypted hop, but it costs compute on both the load balancer and the backends, and the load balancer must still verify that certificate against the issuing CA; otherwise the hop is protected against passive sniffing only, not against an attacker able to impersonate a backend on the internal network.

As shown above, SSL Termination has clear advantages in reducing application server load and lowering transaction latency for clients and users, though these must be weighed against the exposure of cleartext traffic on the internal network described under the cons.

SSL Bridging and Tunneling: Enhanced Security Measures

SSL/TLS Tunneling

SSL/TLS Tunneling involves a client that requires an SSL/TLS connection to a backend service or secure server via a proxy server. The proxy server opens the connection to the backend on the client’s behalf and then copies bytes in both directions without any direct interference in the SSL/TLS session, which is negotiated between the client and the server only. This is the model a forward proxy follows for an HTTP CONNECT request.

SSL/TLS Bridging

SSL/TLS Bridging is a process where a device, usually located at the edge of a network, decrypts SSL/TLS traffic and then re-encrypts it before sending it on to the applications. This process can be useful when the edge device performs deep-packet inspection to verify that the contents of the SSL/TLS-encrypted transmission are safe, or if there are security concerns about unencrypted traffic traversing the internal network.

Key Security Aspects of SSL/TLS Tunneling

  • End-to-End Encryption: In SSL/TLS Tunneling, the data is only decrypted at the client or the server and never at the proxy server. This ensures that the data remains secure during transit.
  • No Eavesdropping: The proxy server in SSL/TLS tunneling cannot read the transaction between the client and the server because it never holds the session keys. Neither the proxy nor a third party on the path can eavesdrop, provided the client verifies the server’s certificate; a proxy that presented its own certificate instead would no longer be tunneling but intercepting (effectively bridging), and a client that validates certificates would detect it.

Key Security Aspects of SSL/TLS Bridging

  • Deep-Packet Inspection: SSL/TLS bridging allows for deep-packet inspection, which can help identify and block potential threats hidden in SSL/TLS-encrypted traffic.
  • Internal Network Security: By re-encrypting the traffic before it traverses the internal network, SSL/TLS bridging helps maintain the security of the internal network.

Both SSL/TLS Bridging and Tunneling offer enhanced security measures. SSL/TLS Bridging allows for deep-packet inspection and maintains the security of the internal network, while SSL/TLS Tunneling ensures end-to-end encryption and prevents eavesdropping.
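The two modes described in this section and under Types of SSL Offloading above, together with the re-encryption option listed under the cons of termination, in one added nginx configuration. It is an illustration written for this page, not Radware product configuration; the names, addresses, certificate paths and the internal-ca.pem trust store are assumptions.

```nginx
# Added example (not Radware configuration): the same nginx edge device
# run in bridging mode (decrypt, inspect, re-encrypt) and in tunneling mode
# (pass the TLS session through untouched). All names, addresses and
# certificate paths are assumptions.

events {}

http {
    # --- Bridging: client TLS is terminated here, the decrypted request can
    # be inspected, and a second TLS session carries it to the backend. ---
    server {
        listen 10.0.0.4:443 ssl;      # distinct address from the stream listener below
        server_name app.example.com;

        ssl_certificate     /etc/nginx/tls/app.example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/app.example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            # Re-encrypt toward the application server.
            proxy_pass https://10.0.1.11:8443;

            # The backend hop is only as strong as its certificate check. A
            # self-signed or private-CA backend certificate is fine, but the
            # proxy must verify it against the CA that issued it and check
            # the name; without this, re-encryption defeats passive sniffing
            # only, not an attacker impersonating a backend internally.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
            proxy_ssl_name                app-backend.internal;
            proxy_ssl_server_name         on;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;

            # The backend sees HTTPS from the proxy, but the original client
            # scheme/address still has to be relayed explicitly.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
}

stream {
    # --- Tunneling: TLS is NOT terminated. The proxy reads only the
    # unencrypted SNI field of the ClientHello to choose a backend, then
    # copies bytes in both directions. It holds no key for the session, so
    # it cannot inspect the HTTP inside it; that is the privacy property of
    # tunneling, and also why it offers no deep-packet inspection. ---
    map $ssl_preread_server_name $tunnel_backend {
        mail.example.com  10.0.2.21:443;
        vpn.example.com   10.0.2.31:443;
        default           10.0.2.21:443;
    }

    server {
        listen 10.0.0.5:443;
        ssl_preread on;
        proxy_pass $tunnel_backend;
    }
}
```

Which mode applies is decided purely by whether the edge device holds the private key for the name the client requested: in the http block it does, so it can terminate and inspect; in the stream block it does not, so it can only route on the cleartext SNI and forward. Pointing DNS for a name at one listener or the other is what selects bridging or tunneling for that application.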

The Importance of SSL Offloading

SSL/TLS Offloading provides several crucial benefits:

Cost-Effectiveness: SSL/TLS offloading can be a cost-effective solution, especially for organizations with multiple servers or a need for high-performance SSL/TLS processing.

Improved Server Performance: SSL/TLS offloading reduces the processing burden on servers by moving SSL/TLS encryption and decryption away from busy web servers to specialized devices. This allows the web servers to dedicate CPU resources to application processing, which can improve performance.

Increased Scalability: By offloading SSL/TLS processing to a dedicated device, the server’s resources are freed up, enabling it to handle a larger number of client requests.

Enhanced Security: SSL/TLS offloading devices often include advanced security features and capabilities. They can perform tasks such as SSL/TLS certificate management, client authentication, and traffic inspection, providing an additional layer of security for the server and the network.

Optimizing Performance and Security with SSL Offloading and Load Balancing

When combined, SSL offloading and load balancing can significantly improve network performance and security. By offloading the computationally intensive processes of SSL/TLS encryption and decryption to a dedicated device or load balancer, backend servers can process requests more efficiently. This reduces the computational burden on the applications, improves their response times, and enhances overall application performance.

Radware’s Unique Approach

Radware uses specific technologies to achieve this optimization. Our SSL/TLS offload solutions, including Alteon and AppWall, are designed to increase an organization’s application delivery and security efficiency. These solutions offer SSL/TLS offload options, as well as a host of other SSL Inspection features to provide effective application acceleration and availability capabilities.

The SSL/TLS offload device in Radware’s solutions can be placed in front of multiple servers or in a load balancing setup, distributing the SSL/TLS workload efficiently across the server infrastructure. This shift in server resources can help businesses save costs by maximizing the utilization of servers and eliminating the need to buy additional hardware.

Moreover, Radware’s solutions also offer centralized, tamper-resistant management of SSL/TLS certificates and private keys that can meet your regulatory or compliance needs. The offloading is transparent to the end user and ultimately leads to a better user experience.

Radware’s Solutions for SSL Offloading

Radware offers a range of solutions designed to optimize SSL/TLS offloading. These solutions are designed to improve application server optimization for greater accessibility and faster response times, which translates into improved network performance optimization and fewer data communication delays.

Alteon SSL/TLS Offload

Radware’s Alteon solutions offer SSL/TLS offload options, as well as a host of other features to provide full “business-aware” application acceleration and availability capabilities. These solutions are designed to increase an organization's application delivery efficiency.

SSL/TLS Inspection, Offloading and Acceleration with Alteon

Alteon SSL/TLS Inspect acts as a central switching point for all perimeter network security modules, significantly reducing latency of SSL/TLS encrypted traffic. Security managers can easily chain and provision security services with highly granular policy options per user profile, with simple out-of-the box wizards. Alteon SSL/TLS Inspect supports scalable and flexible security services deployment and reduces overall security solution costs via offloading decryption and re-encryption of SSL/TLS encrypted traffic.

Radware’s Patented SSL/TLS Inspection Technology

Radware’s patented SSL/TLS inspection technology embedded in Alteon and combined with its transparent traffic steering functionality offers a high capacity, advanced and flexible SSL/TLS traffic inspection solution that is simple to deploy.
