SSL accelerators are the missing link between load balancing
and secure socket layer transactions.
Tony Bourke special to HostingTech
As a result of the economic slowdown, the load balancer industry
has gone quiet and growth seems to have stopped. At least one
vendor has gone out of business, although the load balancing industry
seems to have fared slightly better than other Internet-related
industries. Within the market space, the SSL (Secure Sockets Layer)
accelerator business has been doing even better. Although SSL
accelerators perform separate functions than load balancers, their
functions are intrinsically linked.
SSL accelerators are network appliances that off-load the CPU-
(Central Processing Unit)-intensive encryption and decryption
associated with SSL from the servers. When a server is running
SSL by itself, a majority of the available CPUs are consumed with
just the cryptographic functions, leaving few resources for actual
server functions. With an SSL accelerator, the encryption functionality
is off-loaded, and the server is free to do its business unencumbered.
Marriage of convenience
The main benefit of combining load balancers and SSL accelerators is circumventing a bug in certain versions of Microsoft Windows and Internet Explorer. The bug affects the ability of the load balancer to differentiate between users and keep a particular user directed to a specific Web server. This feature is important for just about any site that involves users logging in, such as an e-commerce site with a shopping cart or a site that generates unique content based on the individual user. These applications are often called "stateful." Because of this, users need to have all their traffic directed to a single individual server for the entirety of their session in a process known as "persistence." For this to occur, the load balancers need to be able to differentiate between various users.
There are several methods available for load balancers to perform
this identification: source IP (Internet Protocol) address, session
cookie, and SSL session ID. The source IP address is no longer
a viable way to separate users because of service providers like
AOL, whose millions of customers appear to come from a small number
of IP addresses. Cookie-based persistence, in which a load balancer
reads a session cookie to distinguish between users, is the method
of choice for most sites because it is not affected by large providers
the same way that source IP addresses are; however, cookie-based
persistence does not work with SSL, because the cookie is encrypted
and therefore unreadable. For SSL traffic, the only reliable method
for persistence was, at one time, SSL session ID.
Although SSL is encrypted, every SSL connection has a session
ID that is not encrypted, which allows both sides of the connection
to know which encrypted transaction is in session. Load balancers
previously were able to use this unique session ID to differentiate
between users. Unfortunately, Microsoft has a bug in Windows
95, 98, and NT 4.0 (Windows ME, 2000, and XP are not affected)
that causes some versions of Internet Explorer (5.0 through
5.5) to renegotiate the SSL session ID every two minutes, thus
making the SSL session ID totally ineffective as a way to differentiate
SSL accelerators can solve this problem. Because they decrypt
traffic before it hits the Web servers, a load balancer between
the SSL accelerator and the Web server facilitates cookie-based
persistence. For this and other reasons, many load-balancing
vendors also have an SSL accelerator offering. Some load-balancing
vendors have even integrated SSL accelerator functionality into
their load balancing products, such as F5's BIG-IP (www.f5.com).
Not so fast
One myth of SSL accelerators is that because only one machine
(or one active machine in a redundant scenario) is performing
SSL acceleration, users do not need to pay for any more additional
SSL certificates. According to VeriSign (www.verisign.com),
which issues the majority of these certificates, a VeriSign
certificate license is required for each machine that serves
SSL traffic, not just the accelerator.
Pick a card
Similar to SSL accelerators are SSL cards. Rather than network appliances, they sit in PCI (Peripheral Component Interconnect) slots inside the servers themselves, off-loading the encryption functions from the general processor. This can be good for sites that only employ a few SSL servers, because a few cards might be cheaper than an appliance.
SSL cards were once fairly popular items, but the advantages of
SSL accelerators have started to win out. SSL cards address the
need to off-load the work of encryption, but, because the demarcation
point for the SSL traffic is the server itself, one cannot use
cookie-based persistence from a load balancer. The only option
for persistence is source-IP address.
SSL and load balancing are both critical technologies for today's
websites. SSL provides security for everything from password
authentication to online banking, and load balancing provides
scalability and redundancy. The two technologies complement
each other, and even tighter integration in the future seems