What is SSL Offloading?
The Cost of Encryption
Encryption, in the form of Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), is the key to ensuring the security and integrity of internet communications. The problem with encryption is that encrypting and decrypting data requires a considerable investment of processor cycles for each connection.
Another consequence of encryption is that because encrypted communications are private, it isn’t possible to detect payloads such as malware and undesirable content “in flight.” But having every server decrypt and examine every request they receive then encrypt their responses involves significant processing and management overheads.
The SSL Offloading Advantage
The answer to these issues is SSL offloading: the use of a solution that acts as a gateway and can use specialized hardware to accelerate SSL encryption and SSL decryption. The gateway system, typically called an application delivery controller (ADC), which typically also provides load balancing, becomes the front end for a server or cluster of servers.
For example, when a client initiates an encrypted data exchange, the ADC manages the setup of the SSL session and decodes the incoming client communications and, when the server responds, encrypts the outgoing replies. Because application delivery controllers are optimized to handle encryption and decryption as fast as possible, as well as reducing server processing loads, it also decreases network latency.
Using application delivery controllers to offload the SSL processing overhead from the servers is the primary goal but they can also inspect communications for security threats such as malware and phishing and prevent the transmission of sensitive data such as credit card or social security numbers.
Types of SSL Offloading
Two of the most common types of SSL offloading are:
- With SSL bridging or proxying, the application delivery controller handles SSL session initiation and decrypts the client requests then re-encrypts the requests before passing them on to the servers and vice versa when the server replies to the client. The ADC would generally use this mode to enable inspection of traffic by security devices as well as performing functions like header insertion etc.
- SSL termination is where, as with bridging, the ADC handles SSL session initiation and decrypts the client requests but then passes them on to the server without adding SSL encryption. When the server replies, the ADC encrypts the response before forwarding it to the client. This mode completely offloads the operations of encryption and decryption, enabling servers to function at peak performance.
In both cases, the application delivery controller can inspect and filter communications. The value of SSL bridging is that it allows for communications on untrusted internal networks and while it doesn’t reduce the encryption/decryption overhead on the servers, it does remove the inspection and filtering overheads.
How A10’s SSL Offloading Solutions Can Help
A10 Networks’ Thunder® Application Delivery Controller (ADC) is available in both hardware and software form factors; select hardware platforms also offer advanced security processors for dedicated SSL offload functions. As well as SSL offloading, our cost-effective and industry-leading products also provide deep packet inspection, filtering, load balancing, and traffic shaping.
SSL Offloading Articles and Assets of Interest
- Clearing the SSL Inspection Confusion
- Faster, More Affordable Than Citrix & F5 ADC SSL Offloading
- TLS 1.3 – Status, Concerns & Impact
- Thunder® Application Delivery Controller (ADC) (Data Sheet)
- SSL Insight and Load Balancing for Check Point (Solution Brief)
- Securing Your Data Center With An ADC (Infographic)