The F5 LTM device is built to handle SSL traffic in a load
balancing scenario and to meet most security requirements effectively. The 3 common SSL configurations that can be set
up on an LTM device are
- SSL Offloading
- SSL Re-Encryption
- SSL Passthrough
A typical load balancing infrastructure setup would be
Client ---> F5 LTM ---> Servers hosting applications, i.e. client traffic
is directed to a load balancer like the F5, which in turn (using a complex algorithm)
sends the traffic to an appropriate server.
SSL Offloading - In this method the client traffic to the F5 is
sent encrypted. Instead of the server decrypting and re-encrypting the
traffic, the LTM handles that part. The client traffic is decrypted by the
LTM and the decrypted traffic is sent to the server. The return communication
from the server to the client is encrypted by the LTM and sent back to the client,
sparing the server the additional load of encryption and decryption. All the
server resources can now be fully utilized to serve the application content or
any other purpose they are built for.
[Figure: SSL Offloading]
Note -
- The communication between the LTM and the server is in clear text.
- Servers are set up to listen on unsecured ports, e.g. port 80.
- Since the LTM decrypts the HTTP traffic, it now has the ability to read the content (headers, text, cookies etc.) and all the persistence options can be applied (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP).
SSL Re-Encryption - In this method the LTM re-encrypts
the traffic before sending it to the servers. The client sends encrypted traffic to
the LTM; the LTM decrypts it and, before sending it to the servers or pool members,
encrypts it again. This method is generally used to satisfy the requirement
that traffic be encrypted between the LTM and the servers as well. This
requirement might be put in place for additional security or to prevent intrusion
from within the network. When this method is used the servers also have to
decrypt and encrypt the traffic.
[Figure: SSL Re-Encryption]
Note -
- The communication between the LTM and the server is secure.
- Servers are set up to listen on secure ports, e.g. port 443.
- Since the LTM initially decrypts the HTTP traffic, it still has the ability to read the content (headers, text, cookies etc.) and all the persistence options can be applied, the same as with SSL Offloading (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP).
SSL Passthrough - As the name suggests, the LTM just
passes the traffic from client to servers, absolving itself of any SSL related
workload. The SSL handshakes and connections are forwarded to the servers
directly; the LTM simply passes the client traffic through to the servers. Usually this
setup is used if the applications being served are anti SSL proxy or cannot
consume decrypted traffic.
[Figure: SSL Passthrough]
Note -
- Since it is just passthrough, the LTM cannot read the headers, which introduces limitations on persistence. Only non-SSL information in the packet can be used to maintain persistence, such as the source IP address or destination IP address.
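The three setups described above, expressed as tmsh commands. This is an added example, not configuration from the original post or from F5; every object name, address, certificate and CA file name in it is an assumption chosen for illustration.

```tmsh
# Assumed environment: two app servers 10.0.0.11/12, three virtual
# server IPs 192.0.2.10-12, cert/key and CA files already uploaded.
# One pool per back-end port: the pool port decides whether the LTM
# talks plain HTTP (offload) or TLS (re-encrypt, passthrough) to servers.
create ltm pool app_pool_80 members add { 10.0.0.11:80 10.0.0.12:80 } monitor http
create ltm pool app_pool_443 members add { 10.0.0.11:443 10.0.0.12:443 } monitor https

# Client-side TLS: the LTM terminates the client session with this cert and key
# (used by the offload and re-encrypt virtual servers, not by passthrough).
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.crt key app.key

# 1) SSL Offloading: client-ssl profile only, pool on port 80.
#    The http profile lets the LTM see headers and cookies, so cookie persistence works.
create ltm virtual vs_app_offload destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http app_clientssl } pool app_pool_80 persist replace-all-with { cookie } source-address-translation { type automap }

# 2) SSL Re-Encryption: client-ssl plus a server-ssl profile, pool on port 443.
#    The built-in serverssl profile does not verify the server's certificate,
#    so the LTM-to-server leg would be encrypted but not authenticated.
#    Require verification against the internal CA (assumed file internal-ca.crt).
create ltm profile server-ssl app_serverssl defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt
create ltm virtual vs_app_reencrypt destination 192.0.2.11:443 ip-protocol tcp profiles add { tcp http app_clientssl app_serverssl } pool app_pool_443 persist replace-all-with { cookie } source-address-translation { type automap }

# 3) SSL Passthrough: no SSL and no http profile, pool on port 443.
#    The LTM never sees plaintext, so only L4 persistence such as source_addr applies.
create ltm virtual vs_app_passthrough destination 192.0.2.12:443 ip-protocol tcp profiles add { tcp } pool app_pool_443 persist replace-all-with { source_addr } source-address-translation { type automap }

# Confirm which profiles each virtual server ended up with, then persist the config.
list ltm virtual vs_app_offload profiles
list ltm virtual vs_app_reencrypt profiles
list ltm virtual vs_app_passthrough profiles
save sys config
```

The re-encrypt virtual server only gives the protection the post describes (no cleartext between LTM and server, resistant to an insider on the server VLAN) if the server-ssl profile actually verifies the pool members' certificates; with the default profile an attacker on that segment could present any certificate.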