What is SSL Offload?

SSL is an acronym that commonly refers to two cryptographic Internet protocols: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). The purpose of SSL is to provide secure communications over a computer network, and SSL-encrypted data now accounts for about one-third of all Internet traffic.

Secure Sockets Layer (SSL) is a commonly used protocol that helps to ensure the security of HTTP traffic traveling across the Internet. SSL relies on public- and private-key encryption to encrypt communications between the client and server so that messages are sent safely across the network. By encrypting the transmission, sensitive information, such as a user's login ID for an online banking session, or perhaps a credit card number, is protected and kept out of the hands of potential hackers and criminal organizations.

You can tell whether a site is using SSL from its URL, which will say "https:" as opposed to just "http:"; the extra "s" indicates that SSL is being used to encrypt the data.

Threats Can Hide in Encrypted SSL Traffic

To prevent cyber-attacks, enterprises need to inspect incoming and outgoing traffic for threats. Unfortunately, attackers are increasingly turning to encryption to evade detection. With more and more applications encrypting data (in fact, NSS Labs predicts 75% of Web traffic will be encrypted by 2019), organizations that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses and for malicious insiders to steal sensitive data.

The Current State of Insecurity

Worldwide spending on information security will reach a staggering $86.4 billion in 2017 as organizations stack up firewalls around their network perimeters and inspect incoming and outgoing traffic with an array of products including secure web gateways, forensic tools, advanced threat prevention platforms, and more.

The European Union (EU) has enacted the General Data Protection Regulation (GDPR). Any organization that does business with residents of the EU must ensure they’re in compliance, lest they face heavy fines. GDPR is a set of mandatory regulations governing security breaches and businesses’ responses to them. It goes into effect May 25 and organizations not in compliance could face hefty penalties of up to 20 million euros, or 4 percent of their worldwide annual turnover, whichever is higher. Read more about the high price GDPR puts on security breaches.

SSL Offloading

Internet users today are much more alert about web security than just a few years ago; secured traffic exchange via encrypted HTTP traffic is becoming the standard now for web sites and applications. While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to encrypt SSL traffic at high speeds. In fact, some security products cannot decrypt SSL traffic at all. SSL offload relieves dedicated security devices of CPU-intensive encryption and decryption tasks, boosting application performance.

Encrypting and decrypting network traffic is a very CPU-intensive task for servers. The initial session setup, in particular, demands the most of a CPU. The general-purpose CPUs of server hardware will take a significant hit when a website migrates towards 2048-bit or higher SSL keys.

When upgrading from 1024-bit to 2048-bit keys, the CPU usage typically increases 4–7 times. For 4096-bit keys, server CPUs are bound to reach their limits at typical volumes. The industry is quickly upgrading to 2048-bit keys; the minimum key length changed from 1024 to 2048-bit. Certificate Authorities (CAs) no longer provide certificates with key lengths smaller than 2048-bit.
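The key-size cost described above can be measured directly. The following is an added example, not A10 code: it times the modular exponentiation at the heart of an RSA private-key operation at 1024, 2048 and 4096 bits. The function names are hypothetical, and as an assumption it uses a random odd modulus and full-length exponent as a timing stand-in for a real key, without the CRT optimization production TLS stacks apply, so absolute times differ from a real server while the growth between sizes is what matters.

```python
import secrets
import time


def random_modexp_inputs(bits):
    """Constructed stand-in for an RSA private-key operation at a given size.

    Assumption: the timing depends on operand sizes, not on n being a real
    RSA modulus, so a random odd n and a full-length exponent d are used
    instead of generating a key pair.
    """
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
    d = secrets.randbits(bits) | (1 << (bits - 1))      # full-length exponent
    c = secrets.randbelow(n)                            # value to exponentiate
    return c, d, n


def private_op_seconds(bits, repeats=5):
    """Best-of-N wall time for one c^d mod n at the given modulus size."""
    c, d, n = random_modexp_inputs(bits)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(c, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def relative_cost(sizes=(1024, 2048, 4096)):
    """Map each key size to its cost relative to the smallest size."""
    timings = {bits: private_op_seconds(bits) for bits in sizes}
    base = timings[min(sizes)]
    return {bits: timings[bits] / base for bits in sizes}


if __name__ == "__main__":
    for bits, ratio in relative_cost().items():
        print(f"{bits}-bit private-key operation: {ratio:.1f}x the 1024-bit cost")
```

Each new SSL session costs the server one such operation, which is why the handshake rate (connections per second) falls as key sizes grow.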

SSL Inspection

SSL inspection offers organizations a powerful load-balancing, high availability and SSL decryption solution. Using SSL inspection, organizations can:

  • Analyze all network data, including encrypted data, for complete threat protection
  • Deploy best-of-breed content inspection solutions to fend off cyber attacks

How A10 Networks Can Help

Unfortunately, many traditional network security products aren’t designed to inspect SSL traffic. As a result, attackers have leveraged SSL encryption to sneak past security controls. A10 helps organizations eliminate this potential blind spot in their defenses by providing SSL inspection.

The A10 Application Delivery Controllers (ADCs) have dedicated, powerful hardware for managing secured traffic and high-volume traffic peaks that enable the A10 ADC to handle many Connections per Second (CPS). It is also possible that new customers in a web hosting environment may suddenly demand SSL certificates with 4096-bit keys. The ADC must be highly flexible to meet such demands effectively.

To ensure that the load balancer delivers optimal performance, the A10 Thunder Series appliances have integrated ASIC chipsets for dedicated encryption/decryption capabilities, featuring the industry-leading Cavium NITROX® Security Processor chipsets. This ensures the AX Series Advanced Core Operating System (ACOS) and multi-core CPUs are free from bulk SSL transactions, and ready for other load balancing instructions.

Thunder SSLi, with its powerful SSL security processors, can significantly improve the performance of your critical business applications and services by managing multiple secure connections simultaneously with exceptional SSL Connection Per Second rates. Connection Per Second (CPS) measures the number of new HTTP connections (1 HTTP request per TCP connection, without TCP connection reuse) within 1 second.

With SSL acceleration hardware, Thunder SSLi has near parity performance for the upgrade to 2048-bit key sizes, and has the extreme power needed to handle 4096-bit keys at high performance production levels.

For environments where higher encryption standards are required, the A10 ADCs prove to be the right solution. Even when upgrading to 4096-bit keys, the SSL hardware acceleration cards provide unprecedented performance, making 4096-bit keys viable and cost effective for production use.