Wednesday 28 August 2019

SSL/TLS traffic processing methods on an ADC


An Application Delivery Controller (ADC) is the device in the network that takes care of all aspects of delivering application content to the clients accessing it. An example of an ADC is an application load balancer, which distributes application traffic coming from clients to the best available server so that a single web server is not overwhelmed with requests and crashes. To have a secured session we use SSL/TLS certificates for CIA (confidentiality, integrity and availability). All the traffic coming from the client PC towards the ADC is encrypted with these SSL certificates for security. Mostly the ADC is used to decrypt the data coming from clients and pass it in clear text to the web application servers for processing; the advantage is that the extra load of certificate processing is taken off the web server and handled by the ADC itself. To process encrypted data we need to offload the certificates onto the ADC and then create Client/Server SSL profiles for them. By default the ADC does destination NAT on inbound data to forward it to the best available web server. A VIP is configured on the ADC to listen for traffic coming from clients on an IP address and port number combination.

Following are the three SSL traffic processing methods. Each is detailed below with a diagram and explanation.

SSL/TLS Offloading

SSL/TLS Bridging

SSL/TLS Pass-through

Diagram Traffic Flow – A client PC is shown where the user is accessing the web server through his web browser via an ADC device. We are not using Source NAT on the ADC for inbound traffic, so the server will see the client's source IP address in the received packet. The server can have an HTTP service on port 80 or an HTTPS service on port 443 for accessing the web site.

Example – Consider the following IP addresses for each object: Client IP – 100.1.1.1, VIP – 10.1.1.1 and Server IP – 192.168.1.1.



SSL/TLS Offloading

In this method, encrypted traffic coming from clients is intercepted on the ADC; for this we need to create a Client SSL profile. After decryption, the data is sent in clear text to the web servers.



Configuration Objects required on ADC:

VIP with http profile, Webserver SSL certificate and Client Side SSL profile.



Traffic flow connections will be as below:

100.1.1.1:53258 <---------> 10.1.1.1:443

100.1.1.1:53258 <---------> 192.168.1.1:80



Advantages of SSL Offloading:

· SSL certificate processing is done by the ADC; there is no such load on the back-end web servers, as they process the data in clear text.

· Any modification can be done on the ADC to the inbound HTTP GET request from the client, since the ADC sees the data in clear text, which enables advanced functionality such as iRules on the VIP.



Disadvantages of SSL Offloading:

· Internal communication from the ADC to the back-end web server is in clear text and can be eavesdropped.
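As an added example (not part of the original post), the following tmsh commands build the SSL offloading objects described above on an F5 BIG-IP, using the post's addresses. The object names (clientssl_web, pool_web_http, rule_xfp, vs_web_offload) and the assumption that the certificate web.crt and key web.key have already been imported onto the device are mine.

```tmsh
# Client-side SSL profile: presents the web server's certificate to clients
# (assumes web.crt / web.key were already imported onto the BIG-IP)
create ltm profile client-ssl clientssl_web defaults-from clientssl cert web.crt key web.key

# Back-end pool: plain HTTP on port 80, since the ADC hands the server clear text
create ltm pool pool_web_http members add { 192.168.1.1:80 } monitor http

# iRule on the VIP: possible only because the ADC sees the request in clear text.
# It tells the back end that the original client connection was HTTPS.
create ltm rule rule_xfp { when HTTP_REQUEST { HTTP::header insert X-Forwarded-Proto https } }

# Virtual server (VIP) 10.1.1.1:443 with tcp, http and client-ssl profiles.
# No SNAT, so the server still sees the client source IP 100.1.1.1.
create ltm virtual vs_web_offload destination 10.1.1.1:443 ip-protocol tcp profiles add { tcp http clientssl_web } pool pool_web_http rules { rule_xfp } source-address-translation { type none }
```

After creating the objects, `list ltm virtual vs_web_offload` shows the profile set; only the client-ssl profile is present, which is what makes the second hop (ADC to 192.168.1.1:80) clear text and therefore exposed to the eavesdropping risk listed above. If that segment cannot be kept on an isolated network, bridging (next section) is the way to protect it.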


SSL/TLS Bridging

In this method, encrypted data coming from clients is first decrypted on the ADC. The ADC then sees the data in clear text, encrypts it again and sends it to the back-end web servers.



Configuration Objects required on ADC:

VIP with http profile, Webserver SSL certificate, Internal CA SSL certificate, Server Side SSL profile and Client Side SSL profile.



Traffic flow connections will be as below:

100.1.1.1:53258 <---------> 10.1.1.1:443

100.1.1.1:53258 <---------> 192.168.1.1:443



Advantages of SSL Bridging:

· Any modification can be done on the ADC to the inbound HTTP GET request from the client, since the ADC sees the data in clear text between the client side and the server side, which enables advanced functionality such as iRules on the VIP.

· Internal data communication from the ADC to the web servers is encrypted and hence secured.



Disadvantages of SSL Bridging:

· More load on the web servers, as they have to process SSL certificates along with the client request data.

· More processing is required on the ADC, as SSL certificates have to be processed twice, which can add latency.
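As an added example (not part of the original post), these tmsh commands build the SSL bridging objects listed above on an F5 BIG-IP. The names (clientssl_web, serverssl_web, pool_web_https, vs_web_bridge) and the assumption that web.crt, web.key and the internal CA certificate internal_ca.crt are already imported are mine. The server-side profile is configured to verify the back-end certificate against the internal CA, since re-encrypting without that check would leave the internal hop open to any certificate presented on it.

```tmsh
# Client-side SSL profile: web server certificate presented to clients
create ltm profile client-ssl clientssl_web defaults-from clientssl cert web.crt key web.key

# Server-side SSL profile: re-encrypts towards the back end. With
# peer-cert-mode require, the ADC only accepts back-end certificates
# signed by the internal CA (internal_ca.crt, assumed already imported).
create ltm profile server-ssl serverssl_web defaults-from serverssl ca-file internal_ca.crt peer-cert-mode require

# Back-end pool now listens on HTTPS 443
create ltm pool pool_web_https members add { 192.168.1.1:443 } monitor https

# VIP with both SSL profiles: decrypt on the client side, inspect in clear text
# (http profile, iRules), re-encrypt on the server side. Still no SNAT.
create ltm virtual vs_web_bridge destination 10.1.1.1:443 ip-protocol tcp profiles add { tcp http clientssl_web serverssl_web } pool pool_web_https source-address-translation { type none }
```

The two TLS handshakes per client connection (one in clientssl_web, one in serverssl_web) are the source of the extra ADC load and latency noted above; a mismatched or expired back-end certificate shows up as the pool member being marked down by the https monitor before any client is affected.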




SSL/TLS Pass-through

In this method encrypted data coming from the client is intercepted by the ADC, but the ADC cannot see the data in clear text; it forwards the original data, still encrypted, directly to the web servers.



Configuration Objects required on ADC:

VIP with http profile.



Traffic flow connections will be as below:

100.1.1.1:53258 <-------> 10.1.1.1:443

100.1.1.1:53258 <-------> 192.168.1.1:443



Advantages of SSL Pass-through:

· It is the most secure method in terms of data processing, as the encrypted client connection is forwarded directly to the web servers and the ADC cannot see the data in clear text.



Disadvantages of SSL Pass-through:

· The ADC cannot see data such as the HTTP GET request in clear text and hence cannot perform advanced processing such as iRules on the VIP.

· More load on the web servers, as they have to process SSL certificates along with the client request data.
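As an added example (not part of the original post), these tmsh commands build an SSL pass-through virtual server on an F5 BIG-IP. The names (pool_web_https, vs_web_passthrough) are mine, and in this example the virtual server carries only the tcp profile rather than an http profile, because the ADC cannot parse HTTP inside a TLS stream it does not terminate.

```tmsh
# Pool of HTTPS servers: they terminate TLS themselves, so the certificate
# and key live on the web servers, not on the ADC.
create ltm pool pool_web_https members add { 192.168.1.1:443 } monitor https

# VIP with only a tcp profile: no client-ssl, no server-ssl, no http profile.
# The TLS session from 100.1.1.1 is forwarded unchanged to 192.168.1.1:443,
# so no iRule working on HTTP content can be attached here.
create ltm virtual vs_web_passthrough destination 10.1.1.1:443 ip-protocol tcp profiles add { tcp } pool pool_web_https source-address-translation { type none }
```

Because the ADC never holds a private key in this mode, a compromise of the ADC does not expose the web server's key material, which is the reason the post rates pass-through as the most secure of the three; the trade-off is that certificate renewal and TLS hardening have to be done on every web server instead of once on the ADC.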

