Speeding up security

SSL accelerators are the missing link between load balancing and secure socket layer transactions.

Tony Bourke special to HostingTech | tbourke@hostingtech.com

As a result of the economic slowdown, the load balancer industry has gone quiet and growth seems to have stopped. At least one vendor has gone out of business, although the load balancing industry seems to have fared slightly better than other Internet-related industries. Within the market space, the SSL (Secure Sockets Layer) accelerator business has been doing even better. Although SSL accelerators perform different functions from load balancers, their functions are intrinsically linked.

SSL accelerators are network appliances that off-load the CPU (Central Processing Unit)-intensive encryption and decryption associated with SSL from the servers. When a server is running SSL by itself, a majority of the available CPU time is consumed by the cryptographic functions alone, leaving few resources for actual server functions. With an SSL accelerator, the encryption functionality is off-loaded, and the server is free to do its business unencumbered.

Marriage of convenience
The main benefit of combining load balancers and SSL accelerators is circumventing a bug in certain versions of Microsoft Windows and Internet Explorer. The bug affects the ability of the load balancer to differentiate between users and keep a particular user directed to a specific Web server. This feature is important for just about any site that involves users logging in, such as an e-commerce site with a shopping cart or a site that generates unique content based on the individual user. These applications are often called "stateful." Because of this, users need to have all their traffic directed to a single individual server for the entirety of their session in a process known as "persistence." For this to occur, the load balancers need to be able to differentiate between various users.

There are several methods available for load balancers to perform this identification: source IP (Internet Protocol) address, session cookie, and SSL session ID. The source IP address is no longer a viable way to separate users because of service providers like AOL, whose millions of customers appear to come from a small number of IP addresses. Cookie-based persistence, in which a load balancer reads a session cookie to distinguish between users, is the method of choice for most sites because it is not affected by large providers the same way that source IP addresses are; however, cookie-based persistence does not work with SSL, because the cookie is encrypted and therefore unreadable. For SSL traffic, the only reliable method for persistence was, at one time, SSL session ID.

Although SSL is encrypted, every SSL connection has a session ID that is not encrypted, which lets both sides of the connection identify which encrypted session a transaction belongs to. Load balancers previously were able to use this unique session ID to differentiate between users. Unfortunately, Microsoft has a bug in Windows 95, 98, and NT 4.0 (Windows ME, 2000, and XP are not affected) that causes some versions of Internet Explorer (5.0 through 5.5) to renegotiate the SSL session ID every two minutes, thus making the SSL session ID totally ineffective as a way to differentiate between users.

SSL accelerators can solve this problem. Because they decrypt traffic before it hits the Web servers, a load balancer between the SSL accelerator and the Web server facilitates cookie-based persistence. For this and other reasons, many load-balancing vendors also have an SSL accelerator offering. Some load-balancing vendors have even integrated SSL accelerator functionality into their load balancing products, such as F5's BIG-IP (www.f5.com).
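To make the persistence argument above concrete, here is an added toy model (not code from the article or from any vendor) of a load balancer that sticks a user to one server using whichever of the three keys it can read. The traffic, server names and the "renegotiate every four requests" cadence are constructed assumptions standing in for the IE 5.x behaviour the article describes.

```python
class LoadBalancer:
    """Toy load balancer: sticks a user to one server, keyed on what it can read."""

    def __init__(self, servers, method):
        self.servers = list(servers)
        self.method = method        # "source_ip", "cookie" or "ssl_session_id"
        self.table = {}             # persistence key -> server
        self.rr = 0                 # round-robin pointer for requests with no usable key

    def _key(self, req):
        if self.method == "source_ip":
            return req["src_ip"]                    # readable even when the payload is encrypted
        if self.method == "ssl_session_id":
            return req["ssl_session_id"]            # exchanged in the clear during the handshake
        if self.method == "cookie":
            # The cookie rides inside the encrypted HTTP request: unreadable until
            # an SSL accelerator (or the server itself) has decrypted the stream.
            return None if req["encrypted"] else req["cookie"]
        raise ValueError(f"unknown persistence method {self.method}")

    def route(self, req):
        key = self._key(req)
        if key is None:                             # nothing to stick on: plain round robin
            server = self.servers[self.rr % len(self.servers)]
            self.rr += 1
            return server
        if key not in self.table:                   # first sight of this key: next server in turn
            self.table[key] = self.servers[len(self.table) % len(self.servers)]
        return self.table[key]

def ssl_accelerator(req):
    """Models an accelerator in front of the balancer: same request, now decrypted."""
    return {**req, "encrypted": False}

def ie5_user_requests(n, ip="203.0.113.7"):
    """Constructed traffic: one IE 5.x user sending a request every 30 s whose browser
    renegotiates the SSL session ID every two minutes, i.e. every 4 requests."""
    return [{"src_ip": ip, "ssl_session_id": f"sid-{i // 4}",
             "cookie": "SESSION=u1", "encrypted": True} for i in range(n)]

def servers_hit(lb, requests):
    """Distinct servers a sequence of requests landed on; persistence held iff it is 1."""
    return {lb.route(r) for r in requests}

if __name__ == "__main__":
    pool, user = ["web1", "web2", "web3"], ie5_user_requests(12)
    print("session-ID persistence, renegotiating client:", servers_hit(LoadBalancer(pool, "ssl_session_id"), user))
    print("cookie persistence, still encrypted:         ", servers_hit(LoadBalancer(pool, "cookie"), user))
    print("cookie persistence behind SSL accelerator:   ", servers_hit(LoadBalancer(pool, "cookie"), map(ssl_accelerator, user)))
```

Only the third arrangement, cookie persistence applied to traffic an accelerator has already decrypted, keeps the user's twelve requests on a single server.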

Not so fast
One myth of SSL accelerators is that because only one machine (or one active machine in a redundant scenario) is performing SSL acceleration, users do not need to pay for additional SSL certificates. According to VeriSign (www.verisign.com), which issues the majority of these certificates, a VeriSign certificate license is required for each machine that serves SSL traffic, not just the accelerator.

Pick a card
Similar to SSL accelerators are SSL cards. Rather than network appliances, they sit in PCI (Peripheral Component Interconnect) slots inside the servers themselves, off-loading the encryption functions from the general processor. This can be good for sites that only employ a few SSL servers, because a few cards might be cheaper than an appliance.

SSL cards were once fairly popular items, but the advantages of SSL accelerators have started to win out. SSL cards address the need to off-load the work of encryption, but, because the demarcation point for the SSL traffic is the server itself, one cannot use cookie-based persistence from a load balancer. The only option for persistence is the source IP address.

SSL and load balancing are both critical technologies for today's websites. SSL provides security for everything from password authentication to online banking, and load balancing provides scalability and redundancy. The two technologies complement each other, and even tighter integration in the future seems likely.
