Boost Performance of Load Balancers for Better SSL Security

January 20, 2017 | By Comodo SSL

Enterprises are moving more and more, if not all, of their online traffic to encrypted form, and the primary reasons cited for using encrypted connections are cyber security and privacy.

Encrypted traffic has become even more important as businesses expand and as a growing number of varied endpoints, BYOD and mobile devices connect to the enterprise network. Ensuring encryption through SSL is the right option. However, the huge amount of encrypted traffic affects network performance and slows down online transactions and critical applications.

As encryption has become an absolute necessity, enterprises must implement strategies to ensure that the necessary network speed is always available. Load balancers play an important role towards this goal. All encrypted data passes through the load balancer on its way to the Web server's CPU for processing. Load balancers perform "SSL termination", which involves decrypting the SSL data and passing it in unencrypted form to the web servers. It would be very strenuous for the web server's CPU to perform all of the decryption itself, as it has many other critical processes to handle, and doing so would affect its overall performance. Load balancers take over the decryption, which is a big relief to the Web server.

There are many load balancing strategies, and this blog takes a look at some of the most prominent ones.

Perfect forward secrecy (PFS):

Many experts advocate PFS, because it has been observed that if the private key of the Web server is compromised, malicious entities could recover the session keys used for encrypting data in earlier sessions and use them to decrypt previously sent data. To prevent this, PFS uses ephemeral session keys: a new session key is generated and used for each individual session, so if any hacking has taken place it affects only the data involved in that one session.

Elliptic Curve Cryptography (ECC):

ECC uses smaller key sizes than RSA-based public-key cryptography, and hence places a lighter load on the Web server. The security provided by a 3072-bit RSA public key can be provided by just a 256-bit ECC public key. Software load balancers using ECC offer a better price/performance ratio and are increasingly being adopted by large cloud service providers and web server operators.

Real-time security

Security administrators can analyze the load balancer's session data in real time and monitor for SSL vulnerabilities such as DDoS attacks, invalid certificates and expired certificates. This helps them define the security policies needed to address those vulnerabilities.
The load balancer thus functions as an additional tool in the defense of enterprise systems and data against cyber criminals.
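As an added example (not code from the original post or from any load balancer vendor), the following script audits constructed per-handshake session records of the kind a terminating load balancer might export, flagging the issues discussed above: sessions negotiated without forward secrecy (no ephemeral ECDHE/DHE key exchange), expired certificates, and certificates that failed verification. The record format, field names and sample values are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample of a load balancer's per-handshake session export (not any
# vendor's real format): time, protocol, cipher, verify result, cert notAfter.
SESSION_RECORDS = [
    "2017-01-20T10:00:01Z TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 verify=ok notAfter=2017-06-01T00:00:00Z",
    "2017-01-20T10:00:02Z TLSv1.2 AES256-SHA verify=ok notAfter=2017-06-01T00:00:00Z",
    "2017-01-20T10:00:03Z TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 verify=ok notAfter=2016-12-31T23:59:59Z",
    "2017-01-20T10:00:04Z TLSv1.0 DHE-RSA-AES128-SHA verify=self-signed notAfter=2018-01-01T00:00:00Z",
]

def parse_time(text):
    """Parse an ISO-8601 UTC timestamp such as 2017-01-20T10:00:01Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_record(line):
    """Split one session record into its fields."""
    ts, proto, cipher, verify, not_after = line.split()
    return {"time": ts, "protocol": proto, "cipher": cipher,
            "verify": verify.split("=", 1)[1],
            "not_after": parse_time(not_after.split("=", 1)[1])}

def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH key exchange gives every session its own key (PFS)."""
    return cipher.startswith(("ECDHE-", "DHE-"))

def audit_session(record, now):
    """Return the findings for one handshake; an empty list means it passed."""
    findings = []
    if not has_forward_secrecy(record["cipher"]):
        findings.append("no-pfs")          # a leaked server key would expose this session
    if record["not_after"] <= now:
        findings.append("expired-cert")
    if record["verify"] != "ok":
        findings.append("invalid-cert:" + record["verify"])
    return findings

def audit_sessions(lines, now):
    """Audit every record; returns {time: findings} for the records that failed."""
    report = {}
    for line in lines:
        rec = parse_record(line)
        findings = audit_session(rec, now)
        if findings:
            report[rec["time"]] = findings
    return report

if __name__ == "__main__":
    for ts, findings in audit_sessions(SESSION_RECORDS, parse_time("2017-01-20T12:00:00Z")).items():
        print(ts, ", ".join(findings))
```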
