
Offload SSL encryption

SSL offloading relieves a Web server of the processing burden of encrypting and decrypting
traffic sent via SSL (today its successor TLS), the security protocol implemented in every Web
browser. The processing is offloaded to a separate device designed specifically to perform SSL
acceleration or SSL termination.

What is SSL Offloading?


When traffic reaches a Web server over SSL, the server has to decrypt every request and
encrypt every response before it can act on them. This is CPU-intensive and places a heavy
strain on the Web server, degrading application delivery. With SSL offloading this burden is
"offloaded", i.e. moved from the Web server's CPU to a separate device that handles all
encryption and decryption, freeing the Web server for other tasks.
Because the offloader holds the decrypted data, intrusion detection systems, virus
detection systems and the application-layer firewall placed behind it can analyse incoming
traffic more effectively and block suspicious packets; none of them can do this on traffic
that is still encrypted.

Types of SSL Offloading


There are two techniques for SSL offloading: SSL termination and SSL bridging.
What is SSL Termination?
SSL termination is the point at the server end of an SSL connection where the data traffic is
decrypted, i.e. where it transitions from encrypted to unencrypted form. With termination the
offloader forwards the plaintext to the Web server as it is.
What is SSL Bridging?
SSL bridging (the term SSL initiation is also used, strictly for the leg where the device
opens a new SSL connection toward the server) is performed by a device at the edge of a
network. It first decrypts the client's SSL traffic, then re-encrypts it and sends it to the
Web server. The same happens in reverse: the device decrypts the encrypted response it
receives from the Web server, re-encrypts it and sends it to the client (browser). SSL
bridging is useful for deep packet inspection of the data, verifying that the SSL-encrypted
traffic is safe and carries no malicious content, while keeping the internal leg encrypted.
Three combinations are possible: HTTPS-to-HTTPS bridging, HTTPS-to-HTTP bridging and
HTTP-to-HTTPS bridging.

Security Implications of SSL Offloading


SSL offloading has significant advantages: it boosts Web server performance and speeds up
traffic between the client (customer) and the Web server.
The risk with typical SSL offloading (termination) is that the data traffic travels in
unencrypted form between the offloader and the Web server. This is often considered
acceptable because that hop lies inside the enterprise's internal network, behind its
firewalls. But a firewall at the network edge only protects against outside attackers: anyone
who gains a foothold on the internal segment, a compromised host on it, or a tap on the
path between offloader and server can read or modify the cleartext, so the unencrypted leg
carries real risk.
A client who connects to the Web server via SSL assumes the data travels in encrypted
form for the whole journey to the server, and generally has no way of knowing that
technologies such as SSL offloading are in use. If, in the rare event of a breach, data were
compromised in transit between the SSL offloader and the Web server, the client may sue the
enterprise for the exposure of confidential or sensitive data; the offloading decision is the
enterprise's, and so is the liability.
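The following configuration is an added example illustrating both the two offloading types above and the cleartext-backend risk just described; it is not from the referenced article, and nginx as the offloader, the hostnames, certificate paths and upstream addresses are all assumptions (the page names no product). The first server block terminates SSL and forwards plain HTTP to the Web server (HTTPS-to-HTTP, the risky internal leg); the second bridges SSL, decrypting for inspection and re-encrypting toward the Web server, and verifies the Web server's certificate so the internal hop cannot be silently intercepted.

```nginx
# Added example: nginx acting as the SSL offloader.
# Hostnames, certificate paths and upstream addresses are assumed placeholders.

# Certificate presented to browsers (assumed to cover both server names below).
# The private key lives only on the offloader, which is what moves the
# handshake CPU cost off the Web servers.
ssl_certificate     /etc/nginx/tls/example.com.crt;
ssl_certificate_key /etc/nginx/tls/example.com.key;
ssl_protocols       TLSv1.2 TLSv1.3;

# 1) SSL termination (HTTPS-to-HTTP): the offloader decrypts and forwards
#    plaintext. An IDS or WAF sitting here sees everything, but so does any
#    device or compromised host on the path to 10.0.1.10.
server {
    listen 443 ssl;
    server_name www.example.com;

    location / {
        proxy_pass http://10.0.1.10:8080;
        # The application only ever sees plain HTTP, so tell it the client
        # really used HTTPS (needed for correct redirects and secure cookies).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}

# 2) SSL bridging (HTTPS-to-HTTPS): decrypt for inspection, then re-encrypt
#    toward the Web server. Without proxy_ssl_verify the re-encryption gives
#    no protection against an attacker who can impersonate the backend.
server {
    listen 443 ssl;
    server_name app.example.com;

    location / {
        proxy_pass https://10.0.1.20:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # Verify the Web server's certificate against the internal CA and
        # check its name, so the internal leg cannot be silently MITMed.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal.example.com;
        # Optional: present a client certificate so the Web server accepts
        # connections only from the offloader, not from any internal host.
        proxy_ssl_certificate     /etc/nginx/tls/offloader-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/offloader-client.key;
    }
}
```

Validate the file with `nginx -t` before reloading. To see the difference the two blocks make, capture on the offloader's internal interface (`tcpdump -i eth1 -A port 8080` for the first block, `port 8443` for the second): the termination leg shows complete HTTP requests in cleartext, the bridging leg shows only TLS records. The third combination the article lists, HTTP-to-HTTPS bridging, is the second block with `listen 80;` and no `ssl` directives on the client side.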

Ref: https://securebox.comodo.com/ssl-sniffing/ssl-offloading/

Encrypting and decrypting network traffic is a very CPU-intensive task for servers. The
initial session setup (the handshake, where the server's private-key operation takes place)
demands the most CPU. The general-purpose CPUs of server hardware take a significant hit when
a website migrates to 2048-bit or larger SSL keys.

When upgrading from 1024-bit to 2048-bit keys, handshake CPU usage typically increases 4 to 7
times. With 4096-bit keys, server CPUs reach their limits at typical volumes. The industry
has moved to 2048-bit keys as the minimum key length, and Certificate Authorities (CAs) no
longer issue certificates for keys shorter than 2048 bits. The actual per-core cost on a
given machine can be measured with `openssl speed rsa`, which reports signatures per second
for each key size.

THREATS CAN HIDE IN ENCRYPTED SSL TRAFFIC


To prevent cyber-attacks, enterprises need to inspect incoming and outgoing traffic for
threats. Unfortunately, attackers increasingly use encryption to evade detection. With more
and more applications encrypting their data (NSS Labs predicts that 75% of Web traffic will
be encrypted by 2019), organizations that do not inspect SSL communications leave an open
door for attackers to infiltrate defenses and for malicious insiders to exfiltrate sensitive
data.
