Offload SSL encryption

SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting
traffic sent via SSL, the security protocol that is implemented in every Web browser. The
processing is offloaded to a separate device designed specifically to perform SSL
acceleration or SSL termination.

What is SSL Offloading?

When traffic is sent via SSL security protocol to web servers, these servers have to
encrypt and/or decrypt all the traffic in order to take appropriate action. This is CPU
intensive and places a heavy strain on the web server, affecting its performance in
application delivery. In SSL Offloading, this burden is “offloaded” or moved from the web
server’s CPU to another device/computer that takes care of all encryption and
decryption, freeing the web server to be utilized for other tasks.
As SSL offloaders can decrypt the data, intrusion detection systems, virus
detection systems and the application layer firewall can analyze the incoming traffic
more effectively and block suspicious data packets.

Types of SSL Offloading

There are two different techniques for SSL offloading - SSL termination and SSL
bridging.
What is SSL Termination?
SSL termination refers to the process that occurs at the server end of an SSL
connection, where the data traffic is decrypted, i.e. where it transitions from encrypted to
unencrypted form.
What is SSL Bridging?
SSL bridging or SSL initiation is performed by a device at the edge of a network. It first
decrypts SSL traffic and then re-encrypts, and then sends it to the Web server. This
process also happens vice-versa - It also decrypts the encrypted response it receives
from the Web server re-encrypts it and then sends it to the client (browser). SSL
bridging is useful for performing deep-packet inspection of the data to verify if the SSL-
encrypted data is safe and does not contain any malicious content. There are three
types of SSL bridging possibilities - HTTPS-to-HTTPS bridging, HTTPS-to-HTTP
bridging and HTTP-to-HTTPS bridging.

Security Implications of SSL Offloading

SSL offloading has significant advantages as it boosts the performance of Web servers,
ensuring faster traffic between the client (customer) and the Web server.
However, the risk with typical SSL offloading is that the data traffic passes in
unencrypted form when moving from off-loader to the Web server. This can be
considered to be secure as this process takes place within the internal network of the
enterprise, which would be protected by Firewalls. However, if this Firewall is located on
the network edge, it carries more risk as the unencrypted data can be compromised.
Any client who connects to the Web server via SSL will believe that the data will travel
in encrypted form throughout the journey to the server. They may not know that
technologies such as SSL offloading are being used. If in the rare possibility there had
been a breach and data had been compromised in transit between the SSL offloader
and the Web server, the client may legally sue the enterprise if confidential or sensitive
data had been compromised.

Ref: https://securebox.comodo.com/ssl-sniffing/ssl-offloading/

Encrypting and decrypting network traffic is a very CPU-intensive task for servers. The
initial session setup in particular, demands the most of a CPU. The general purpose
CPUs of server hardware will take a significant hit when a website migrates towards
2048-bit or higher SSL keys.

When upgrading from 1024-bit to 2048-bit keys, the CPU usage typically increases 4–7
times. For 4096-bit keys, server CPUs are bound to reach their limits at typical volumes.
The industry is quickly upgrading to 2048-bit keys; the minimum key length changed
from 1024 to 2048-bit. Certificate Authorities (CAs) no longer provide certificates with
key lengths smaller than 2048-bit.

THREATS CAN HIDE IN ENCRYPTED SSL TRAFFIC

To prevent cyber-attacks, enterprises need to inspect incoming and outgoing traffic for
threats. Unfortunately, attackers are increasingly turning to encryption to evade
detection. With more and more applications using encrypting data- in fact, today, NSS
Labs predicts 75% of Web traffic will be encrypted by 2019 -organizations that do not
inspect SSL communications are providing an open door for attackers to infiltrate
defenses and for malicious insiders to steal sensitive data.