What is SSL Offloading?

Secure Socket Layer (SSL) is an acronym that commonly refers to two cryptographic Internet protocols: Transport Layer Security (TLS 1.3, TLS 1.2, etc.) and its predecessor, Secure Sockets Layer (SSL). The purpose of SSL is to provide secure communications over a computer network, and SSL-encrypted data now accounts for about one-third of all Internet traffic.

Secure Socket Layer (SSL) is a commonly used protocol that helps to ensure the security of HTTP traffic traveling across the Internet. SSL relies on public- and private-key cryptography to encrypt communications between the client and server so that messages are sent safely across the network. By encrypting the transmission, sensitive information, such as a user’s login ID for an online banking session or a credit card number, is protected and kept out of the hands of potential hackers and criminal organizations.

You can tell whether a site is using SSL because the URL begins with “https:” rather than just “http:”; the extra “s” indicates that SSL is being used to encrypt the data.

SSL Offloading Defined

Internet users today are much more alert to web security than they were just a few years ago, and encrypted HTTP traffic is becoming the standard for web sites and applications. While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to process Secure Socket Layer (SSL) encryption at high speed. In fact, some security products cannot decrypt SSL traffic at all. SSL offloading moves the CPU-intensive encryption and decryption work off the dedicated security devices, boosting application performance.

Encrypting and decrypting network traffic is a very CPU-intensive task for servers. The initial session setup in particular demands the most of a CPU. The general-purpose CPUs in server hardware take a significant hit when a website migrates to 2048-bit or larger Secure Socket Layer (SSL) keys.

When upgrading from 1024-bit to 2048-bit keys, CPU usage typically increases 4-7 times. With 4096-bit keys, server CPUs are bound to reach their limits at typical traffic volumes. The industry is quickly upgrading to 2048-bit keys: the minimum key length has changed from 1024-bit to 2048-bit, and Certificate Authorities (CAs) no longer issue certificates with keys shorter than 2048 bits.
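The growth in CPU cost described above comes from the modular exponentiation at the heart of an RSA private-key operation: doubling the modulus size multiplies the work several times over, not merely by two. The following script is an added illustration, not code from the original post or from A10 Networks. It times a modular exponentiation at 1024, 2048 and 4096 bits using constructed parameters (a random odd modulus and a random full-size exponent, not real RSA keys) and reports the cost of each size relative to 1024-bit. Because it uses pure-Python big-integer arithmetic, the absolute times and the exact ratios will differ from OpenSSL or hardware-accelerated figures; what it shows is the superlinear scaling that makes offloading attractive.

```python
"""Illustrative benchmark of how an RSA-style private-key operation's cost
grows with modulus size.  Added example; the parameters are constructed
(random moduli and exponents, not real RSA keys), so only the ratios
between sizes are meaningful."""
import secrets
import time


def constructed_modexp_params(bits: int):
    """Build a random odd modulus, a base and a full-size exponent of the
    requested bit length.  Constructed for timing only; not a real RSA key."""
    modulus = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` long and odd
    base = secrets.randbelow(modulus - 1) + 1                  # 1 <= base < modulus
    exponent = secrets.randbits(bits) | (1 << (bits - 1))      # full-size, like a private exponent
    return base, exponent, modulus


def time_private_op(bits: int, iterations: int = 3) -> float:
    """Return the best-of-n wall time in seconds for one modular exponentiation."""
    base, exponent, modulus = constructed_modexp_params(bits)
    best = float("inf")
    for _ in range(iterations):
        start = time.perf_counter()
        pow(base, exponent, modulus)                           # the costly step in RSA signing/decryption
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratios(sizes=(1024, 2048, 4096)) -> dict:
    """Return {bits: cost relative to the smallest size in `sizes`}."""
    timings = {bits: time_private_op(bits) for bits in sizes}
    baseline = timings[sizes[0]]
    return {bits: t / baseline for bits, t in timings.items()}


if __name__ == "__main__":
    ratios = cost_ratios()
    for bits, ratio in ratios.items():
        print(f"{bits}-bit: {ratio:6.1f}x the 1024-bit cost")
```

Run it a few times; the 2048/1024 ratio lands in the same region as the 4-7x figure quoted above, and the 4096/2048 ratio is larger still, which is why 4096-bit keys push general-purpose server CPUs to their limits at production volumes.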

Threats Can Hide in SSL Encryption

To prevent cyberattacks, enterprises need to inspect incoming and outgoing traffic for threats. Unfortunately, attackers are increasingly turning to encryption to evade detection. With more and more applications encrypting their data (NSS Labs predicts that 75% of Web traffic will be encrypted by 2019), organizations that do not inspect SSL communications are leaving an open door for attackers to infiltrate their defenses and for malicious insiders to steal sensitive data.

The Current State of Insecurity

Worldwide spending on information security will reach a staggering $86.4 billion in 2017 as organizations stack up firewalls around their network perimeters and inspect incoming and outgoing traffic with an array of products, including secure web gateways, forensic tools, advanced threat prevention platforms, and more.

The European Union (EU) has enacted the General Data Protection Regulation (GDPR). Any organization that does business with residents of the EU must ensure it is in compliance or face heavy fines. GDPR is a set of mandatory regulations governing security breaches and businesses’ responses to them. It goes into effect May 25, and organizations not in compliance could face penalties of up to 20 million euros or 4 percent of their worldwide annual turnover, whichever is higher. Read more about the high price GDPR puts on security breaches.

What is SSL Inspection?

SSL inspection gives organizations a combined load balancing, high availability and SSL decryption solution. Using SSL inspection, organizations can:

How Can A10 Networks Help with SSL Offloading?

Unfortunately, many traditional network security products aren’t designed to inspect SSL traffic. As a result, attackers have leveraged SSL encryption to sneak past security controls. A10 helps organizations eliminate this potential blind spot in their defenses by providing SSL inspection.

The A10 Application Delivery Controllers (ADCs) have dedicated, powerful hardware for managing secured traffic and high-volume traffic peaks, which enables the A10 ADC to handle many Connections per Second (CPS). New customers in a web hosting environment may also suddenly demand SSL certificates with 4096-bit keys, so the ADC must be flexible enough to meet such demands effectively.

To ensure that the load balancer delivers optimal performance, the A10 Thunder Series appliances have integrated ASIC chipsets for dedicated encryption/decryption, featuring the industry-leading Cavium NITROX® Security Processor chipsets. This keeps the AX Series Advanced Core Operating System (ACOS) and the multi-core CPUs free from bulk SSL transactions and ready for other load balancing work.

Thunder SSLi, with its powerful SSL security processors, can significantly improve the performance of your critical business applications and services by managing many secure connections simultaneously at exceptional Connections per Second rates. Connections per Second (CPS) measures the number of new HTTP connections (one HTTP request per TCP connection, without TCP connection reuse) established within one second.

With SSL acceleration hardware, Thunder® SSL Insight (SSLi®) delivers near-parity performance after the upgrade to 2048-bit key sizes, and has the headroom needed to handle 4096-bit keys at high-performance production levels.

For environments where stronger encryption is required, the A10 ADCs are the right solution. Even when upgrading to 4096-bit keys, the SSL acceleration hardware cards provide unprecedented performance, making 4096-bit keys viable and cost-effective for production use.

Learn more about A10 Networks’ SSL inspection/TLS inspection solutions today.


Mike Thompson
April 8, 2016

About Mike Thompson

Mike is in the office of the CTO at A10 Networks. As principal architect for application delivery controller (ADC), cloud and security products, Mike is involved with research, development and strategy for the technology groups. He has spoken at DEFCON, Interop, NANOG, the Internet Society and more. With an engineering career that spans 20 years, Mike is an authority on network design, application delivery, cloud architecture and security. A long-time proponent of open-source initiatives, his leadership and networking acumen have been trusted in many industries, including financial technology, service providers and the enterprise.