What is SSL?
The HTTP protocol is vulnerable to interception by intruders since the data transferred from the web browser to the web server or between two systems is not encrypted but is transferred as plain text. In other words, HTTP protocol is not secure. However, the need has arisen to protect the information transferred between the user’s browser and web servers. Therefore, a more secure version of the HTTP protocol known as HTTPS was implemented, which is nothing more than a combination of HTTP + SSL/TLS. HTTPS ensures that any information transmitted over the network is encrypted and cannot be accessed by anyone.
SSL is the acronym for Secure Sockets Layer, the standard technology for keeping an Internet connection secure, as well as for protecting any confidential information sent between two systems. SSL is a higher-layer security protocol, working at the application layer. By operating at the application layer, SSL can provide the highly granular policy and access control required for secure remote access. SSL accomplishes this by ensuring that all data that is transferred between users and websites or between two systems is unreadable. It uses encryption algorithms to encrypt the data being transmitted and prevent anyone from reading it as it is sent over the connection.
In a couple of minutes, I will explain the most common SSL methods used by a BIG-IP LTM system. But first, I want to explain to you what a BIG-IP system is since it is not as well known as it should be.
What is a BIG-IP system?
A BIG-IP system is a set of application delivery products that work together to ensure high availability, performance enhancement, application security, and access control. One of the main functions of the BIG-IP system is to forward different types of protocol and application traffic to a target server. The BIG-IP system achieves this through its LTM (Local Traffic Manager) module, which can forward traffic directly to a pool of servers using a load-balancing method, or send traffic to a next-hop router, a group of routers, or directly to a selected node in the network.
Other modules available in the BIG-IP system provide critical functions such as applying security policies to network traffic, accelerating HTTP connections, and optimizing connections over a WAN network.
BIG-IP Local Traffic Manager (LTM) transforms your network into a flexible infrastructure for application delivery. It acts as a full proxy between users and application servers, creating a layer of abstraction to secure, optimize, and load balance application traffic. This gives you the flexibility and control to add applications and servers easily, eliminate downtime, improve application performance, and meet your security requirements.
SSL Methods for BIG-IP LTM
BIG-IP is built to handle SSL traffic in a load balancing scenario and meet most of the security requirements effectively. The 3 common SSL configurations that can be set up on LTM device are:
- SSL Offloading
- SSL Passthrough
- SSL Bridging
SSL Offloading
Let’s consider a scenario where you have a client and a web or application server, in typical client-server architecture. The connection is established over HTTPS (with SSL encryption). What you have probably never thought about is the level of resource consumption that these servers have to do to decrypt the requests from the clients, process them and re-encrypt them to send them back to the clients.
Using the SSL Offloading method, the BIG-IP system handles the decryption and re-encryption process. In this method, the client sends the traffic to BIG-IP encrypted. So the client traffic is decrypted by the BIG-IP and the decrypted traffic is sent to the server. The return communication from the server to the client is encrypted by the BIG-IP and sent back to the client. This saves the server the additional overhead of encryption and decryption. Now, all server resources can be fully utilized for other functions such as serving application content or other functions for which they were primarily intended.
To summarizing, SSL offloading on load balancers such as BIG-IP LTM is a capability they have to relieve a web server of the processing burden of encrypting and decrypting traffic.
SSL Passthrough
When load balancing encrypted web traffic, one of the main configuration choices is SSL passthrough. SSL passthrough is the action of passing data through a load balancer to a server without decrypting it. SSL passthrough keeps the data encrypted as it travels through the load balancer. So, the configuration of proxy SSL passthrough does not require the installation of an SSL certificate on the load balancer. SSL certificates are installed on the backend server because they handle the SSL connection instead of the load balancer.
In this case, it is the server that will perform the process of decrypting all incoming SSL traffic. Using SSL passthrough requires a higher processing unit on the part of the servers. This is why it is not recommended for larger deployments. It also restricts some capabilities of a load balancer. The SSL proxy pass-through does not inspect traffic or intercept SSL sessions on network devices before reaching the server, as it simply passes along encrypted data.
Let’s talk very briefly about the configuration on BIG-IP LTM related to this method. Since it’s just pass through, LTM cannot read the headers which introduce limitations on persistence. Only non-SSL information in the packet can be used to maintain persistence like source IP address, destination IP address. You should not add client SSL and server SSL profiles. You cannot use an HTTP profile, therefore you cannot optimize layer 7 traffic. Cookie persistency cannot be used.
Usually, this setup is used if the applications being served cannot consume decrypted traffic or when web application security is critical.
SSL Bridging
This term is also known as SSL Re-Encryption or SSL Full Proxy. In this method, the BIG-IP system receives the encrypted incoming traffic and decrypts it for traffic analysis purposes. But before sending it to the destination servers, it re-encrypts the connection. SSL bridging can be useful when the edge device performs a deep-packet inspection to verify that the contents of the SSL-encrypted transmission are safe, or if there are security concerns about unencrypted traffic traversing the internal network.
Key notes about SSL Bridging:
- Each site has a separate SSL session.
- Communication in each segment is secure.
- Servers are configured to listen on secure ports such as port 443.
- BIG-IP has the capability to read traffic content.
- All the persistence options can be applied.