Monday 23 December 2013

Explaining SSL on F5 BIG-IP LTM Load Balancer

Explaining SSL on BIG-IP


Review of SSL Concepts:
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This encrypted link ensures that all data exchanged between the web server and browsers remains private and unaltered. SSL is an industry standard that is widely used.

Before a web server can create an SSL connection it must have an SSL certificate. You can either create this certificate yourself (known as a self-signed certificate) or you can obtain one from a certificate authority. The encryption uses a pair of keys (a private key and a public key), encrypting the data with the public key and decrypting it with the private key.



Encrypting and decrypting SSL traffic has a significant impact on server performance. Tests have shown that packet processing time can increase 20 to 30 times. To minimize this, many people install SSL acceleration cards on their servers. An SSL accelerator card performs the work of data encryption and decryption in hardware, rather than software. This approach takes a huge load off the server’s CPU.

SSL Termination

We saw with the online shopping cart application that BIG-IP cannot inspect data that is encrypted. Without the ability to read the data in a packet, BIG-IP cannot perform cookie persistence. To solve this problem, BIG-IP can terminate the SSL session. In other words, the BIG-IP virtual server can act as the end point for the client SSL session. It can decrypt the data, instead of relying on the actual server.






Advantages of SSL Termination

  1. SSL termination allows for cookie persistence and iRules processing despite the client traffic being SSL.
  2. SSL termination also enhances performance by offloading the SSL work from the web servers and performing it on BIG-IP. Thus pool members only have to process unencrypted traffic.
  3. Because BIG-IP contains an SSL accelerator card, the SSL key exchange and bulk encryption are performed in hardware. This of course enhances performance, but also saves money. There is no need to purchase separate SSL accelerator cards for each of your servers.
  4. And finally, having BIG-IP terminate client SSL traffic makes it possible to centralize the management of your SSL certificates in one place, both a time and money saver.


Traffic Flow: Client SSL

Let’s take a look at how SSL termination works. We will first examine an incoming client message. Note that BIG-IP relies on the client SSL profile properties to determine how it should handle incoming SSL requests.

A client initiates an SSL connection to the virtual server. BIG-IP acts as the server for the SSL negotiation, establishes an SSL session with the client, and then decrypts the packet.

BIG-IP establishes a separate TCP connection to the appropriate pool member that does not use SSL.

The pool member processes the request, and then sends an unencrypted response back to BIG-IP.

BIG-IP then encrypts the server response and sends it back to the client.

Server-side Security

But what if your site has a requirement for encryption everywhere on the network?

Using SSL termination on the client side enhances performance and simplifies management, but it leaves packets on the server side unencrypted. If server-side encryption is a priority, you may want to use BIG-IP’s server-side SSL initiation in addition to the client-side SSL termination. Because this approach increases BIG-IP processing time, we recommend using it only if encryption is needed everywhere but you also need BIG-IP to examine the data in unencrypted form.


Traffic Flow: Server SSL

Just as in the previous example, a client initiates an SSL connection to the virtual server. BIG-IP acts as the server for the SSL negotiation, establishes an SSL session with the client, and then decrypts the traffic.

BIG-IP then processes the traffic and, unlike the previous example, BIG-IP initiates another SSL connection with the server using a different SSL certificate and key. This time BIG-IP acts as the client. Note that BIG-IP relies on the server SSL profile to define this behavior.

The pool member receives the encrypted traffic, decrypts it, processes the request, encrypts the response, and sends the response back to BIG-IP.

BIG-IP decrypts the response, then re-encrypts the response for the client-side SSL session, and sends it back to the client.

Again, the only reason to use both client and server SSL profiles is if you need the data encrypted everywhere but you need BIG-IP to examine the data unencrypted for something like HTTP cookie persistence or iRules processing.
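The two flows above expressed as tmsh configuration. This is an added example, not from the original post; the object names, the VIP address, the pool name and the certificate file names are assumptions, and the certificates are assumed to be already imported on the BIG-IP.

```tmsh
# Assumptions: cert/key imported as www_example_com.crt / www_example_com.key,
# pool web_pool already exists, VIP 10.0.0.10, internal CA bundle internal_ca.crt.

# Client-side SSL: BIG-IP terminates the client's SSL session with its own cert,
# as described in "Traffic Flow: Client SSL".
create ltm profile client-ssl www_clientssl defaults-from clientssl cert www_example_com.crt key www_example_com.key

# Virtual server for the first flow (client SSL termination only).
# The http profile is what lets BIG-IP read headers, so cookie persistence works;
# pool members receive plain HTTP on the server-side connection.
create ltm virtual vs_www_https destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp http www_clientssl } pool web_pool persist replace-all-with { cookie }

# Server-side SSL: BIG-IP re-encrypts toward the pool members, as described in
# "Traffic Flow: Server SSL". The built-in serverssl parent does NOT verify the
# pool member's certificate (peer-cert-mode ignore), so require a certificate
# signed by the internal CA instead of accepting any certificate the member presents.
create ltm profile server-ssl web_serverssl defaults-from serverssl peer-cert-mode require ca-file internal_ca.crt

# Adding the server SSL profile turns the virtual server into the second flow:
# encrypted on both legs, decrypted only inside BIG-IP for persistence and iRules.
modify ltm virtual vs_www_https profiles add { web_serverssl }

# Confirm which profiles the virtual server now carries.
list ltm virtual vs_www_https profiles
```

Without the server SSL profile the virtual server is the client-SSL-only design; with it, pool members must listen on an SSL port and present a certificate the BIG-IP trusts.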


SSL Acceleration

As stated earlier, when servers encrypt and decrypt SSL traffic, their performance is negatively affected. Installing SSL accelerator cards is often the solution. Depending on the model, BIG-IP contains one or more of these cards, which allows BIG-IP to use hardware for performing the SSL key exchange and bulk crypto work. The table shown here lists the maximum transactions per second supported by each BIG-IP platform; these numbers are current as of September 2009. Because F5 Networks continuously improves the performance of its products, these numbers will change over time.





