Radical changes in security have a dramatic impact on load balancing. SSL/TLS is changing so rapidly that enterprises are forced into forklift upgrades of their hardware load balancers. With Avi's software load balancer, keeping up is as simple as a version update.
In this webinar, we will catch you up on the latest SSL/TLS facts:
- TLS termination can be done in software alone, with better security, better scalability, and lower cost. That is how Facebook and Google do it. Let's see how.
- RSA and elliptic-curve cryptography (ECC) have different implications for perfect forward secrecy (PFS), HTTP/2 and TLS 1.3 support. Let's compare.
- The SSL health score lets you manage expiring certificates, automated certificate renewals, and notification alerts from a centralized control plane.
Full webinar: https://info.avinetworks.com/webinars-avi-tech-corner-episode-4
Transcript:
Adopting Modern SSL / TLS
1. Copyright Avi Networks 2018
Avi Tech Corner #4
Adopting Modern SSL / TLS
Nathan McMahon
Product Management
2. SSL / TLS Termination
• SSL termination has become synonymous with load balancing
• Legacy hardware load balancers are sized and purchased by SSL TPS (TLS handshakes per second)
• HTTP/2 and HTTP/3 effectively mandate TLS: browsers only speak HTTP/2 over TLS, and HTTP/3 runs over QUIC, which has TLS 1.3 built in
[Diagram: clients connect over HTTPS; the load balancer terminates TLS and forwards to the servers over HTTPS or plain HTTP]
3. Hardware Versus Software
TLS termination in software is:
• More secure
• More scalable
• Less expensive
Software-based encryption is used by:
• The largest sites on the Internet
• Avi Vantage
[Diagram: the four TLS modes of a virtual service]
– Client connection encrypted: TLS terminated at Avi, plain HTTP to the servers
– Server connection encrypted: plain HTTP from the client, TLS from Avi to the servers
– Both sides encrypted: TLS terminated at Avi and re-encrypted to the servers
– Pass-through: encryption is between client and server end to end, no decryption at Avi
4. RSA Versus ECC
• Elliptic Curve Cryptography is "brand new": proposed in 1985, so only about 33 years old
• Every modern browser supports Elliptic Curve Cryptography
• Avi supports both RSA and ECC
• A VS (virtual service) may be configured with both cert types at once
• Which cert is presented is determined by the cipher ordering: an ECDSA cipher suite selects the ECC cert, an RSA suite selects the RSA cert
• ECC gives roughly 2.5x the TPS of RSA
• A 256-bit ECC key is roughly equivalent in security to a 3072-bit RSA key
• ECC makes Perfect Forward Secrecy affordable: ECDHE key exchange costs far less than DHE
5. Perfect Forward Secrecy
Mitigate Retrospective Decryption of Captured Traffic
• Better security: each session derives its key from a fresh, ephemeral (EC)DHE key exchange, so the certificate's private key never protects recorded session data, even if that key leaks later
• TLS 1.3 requires Perfect Forward Secrecy: static RSA and static DH key exchange were removed from the protocol
• PFS blinds network monitoring solutions that decrypt passively with a copy of the server's private key
[Diagram: TLS negotiated without forward secrecy versus TLS negotiated with forward secrecy]
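To make the slide's point concrete, here is an added example (not Avi's code and not from the webinar) that simulates a passive attacker recording TLS sessions and later obtaining the server's long-term private key. Static Diffie-Hellman stands in for static RSA key transport: in both, the certificate's key is the key-exchange key, so one leak opens every recorded session. With ephemeral DHE the long-term key only authenticates a one-time share, and the recorded handshakes stay sealed. The group is the 2048-bit MODP group from RFC 3526 (transcribed here); the SHA-256 XOR stream is a toy cipher standing in for AES-GCM, and the plaintexts are constructed.

```python
"""Forward secrecy, shown with finite-field Diffie-Hellman (added illustration, not Avi code)."""
import hashlib
import secrets

# 2048-bit MODP group (RFC 3526 group 14), generator 2. Transcribed from the RFC.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    priv = secrets.randbits(256) | 1          # 256-bit exponent is ample for a 2048-bit group
    return priv, pow(G, priv, P)


def derive_key(shared: int, client_pub: int, server_pub: int) -> bytes:
    """Session key = H(shared secret || handshake transcript), in the spirit of the TLS PRF/HKDF."""
    transcript = client_pub.to_bytes(256, "big") + server_pub.to_bytes(256, "big")
    return hashlib.sha256(shared.to_bytes(256, "big") + transcript).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream); encrypt and decrypt are the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def run_sessions(n: int, static_kx: bool):
    """Simulate n sessions as a passive attacker records them.

    Returns the server's long-term private key (to be 'leaked' later) and the
    captured (client_pub, server_pub, ciphertext) triples.
    """
    lt_priv, lt_pub = dh_keypair()            # long-term key bound to the server certificate
    captured = []
    for i in range(n):
        c_priv, c_pub = dh_keypair()          # client's key share
        if static_kx:
            s_priv, s_pub = lt_priv, lt_pub   # static kx: the certificate key is the DH key, reused forever
        else:
            s_priv, s_pub = dh_keypair()      # DHE: one-time share; lt_priv would only sign s_pub
        key = derive_key(pow(s_pub, c_priv, P), c_pub, s_pub)
        assert key == derive_key(pow(c_pub, s_priv, P), c_pub, s_pub)  # both ends agree
        plaintext = f"session {i}: card number".encode()               # constructed sample data
        captured.append((c_pub, s_pub, xor_stream(key, plaintext)))
        del c_priv, s_priv                    # ephemeral exponents are erased once the handshake is done
    return lt_priv, captured


def attacker_decrypt(leaked_lt_priv: int, captured):
    """Attacker holds the recorded handshakes and, later, the server's long-term private key."""
    results = []
    for c_pub, s_pub, ct in captured:
        if pow(G, leaked_lt_priv, P) != s_pub:
            results.append(None)              # share was ephemeral; the leaked key does not open it
            continue
        key = derive_key(pow(c_pub, leaked_lt_priv, P), c_pub, s_pub)
        results.append(xor_stream(key, ct).decode())
    return results


if __name__ == "__main__":
    for static in (True, False):
        lt_priv, cap = run_sessions(3, static)
        print("static" if static else "ephemeral", attacker_decrypt(lt_priv, cap))
```

Run as a script it prints every recorded plaintext for the static server and a list of None for the ephemeral one; the same leak, two very different outcomes. This is also exactly why the passive decryption tools on the next slide stop working once PFS is on.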
6. PFS Blinds Network Monitoring Solutions
Maintain Network Visibility
• Avi provides very rich analytics
– 500 metrics per VS
– Billions of data points a day
• Avi can mirror decrypted traffic to an IDS or NPM
– Traffic can be re-encrypted using a new key
– Traffic can be sent unencrypted
[Diagram: HTTPS from the client to Avi; the mirrored copy reaches the IDS / NPM either as HTTPS under a new key or as plain HTTP]
7. TLS Performance
PFS Performance
• PFS with RSA takes a ~40% hit over non-PFS
• PFS with ECC takes a ~15% hit over non-PFS
Scale
• Performance scales nearly linearly across CPU cores
• Performance scales nearly linearly across Service Engines

Cipher                           Key   PFS   TPS per core
ECDH-ECDSA-AES256-SHA            EC    N     3000
ECDHE-ECDSA-AES128-GCM-SHA256    EC    Y     2500
AES128-GCM-SHA256                RSA   N     1000
DHE-RSA-AES128-GCM-SHA256        RSA   Y      550

Sizing example: 3x active/active Service Engines, 2x CPUs per Service Engine, 12 cores per CPU, at 2500 TPS per core (ECDHE-ECDSA, PFS):
3 * 2 * 12 * 2500 = 180,000 TPS
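The two things the table and slide 4 leave implicit, how a cipher suite name tells you whether the exchange is forward-secret and which certificate (RSA or EC) a dual-cert VS will present, can be written down as rules. The following is an added example, not Avi's code and not from the webinar: a classifier for OpenSSL-style suite names plus an audit over an ordered cipher list. The rules cover certificate-based suites only; PSK, SRP and anonymous suites are rejected rather than guessed at.

```python
"""Classify OpenSSL cipher suite names by key exchange, cert key type and forward secrecy
(added example, not Avi code)."""

EPHEMERAL_KX = {"ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE"}   # (EC)DHE: fresh share per session
STATIC_KX = {"ECDH": "ECDH (static)"}                          # static ECDH: share fixed in the cert
UNSUPPORTED = {"PSK", "SRP", "ADH", "AECDH", "NULL"}           # no cert, anonymous, or no encryption
AUTH_TO_CERT = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}     # signature token -> cert key type


def classify(name: str) -> dict:
    """Return kx, cert_key ('RSA' | 'EC' | 'DSA' | 'any'), pfs and tls13 for one suite name."""
    if name.startswith("TLS_"):
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) carry no kx/auth token: key exchange is
        # always (EC)DHE, and the cert type is negotiated separately via signature_algorithms.
        return {"name": name, "kx": "(EC)DHE", "cert_key": "any", "pfs": True, "tls13": True}
    parts = name.split("-")
    head = parts[0]
    if head in UNSUPPORTED or parts[:2] == ["RSA", "PSK"]:
        raise ValueError(f"{name}: PSK, anonymous or NULL suite; not a certificate-based suite")
    if head in EPHEMERAL_KX:
        kx, pfs, auth = EPHEMERAL_KX[head], True, parts[1]
        cert_key = AUTH_TO_CERT.get(auth)
    elif head in STATIC_KX:
        # ECDH-ECDSA / ECDH-RSA: the cert holds a *static* EC key; the second token only says
        # who signed the cert, so the presented cert is an EC cert either way. Not forward secret.
        kx, pfs, auth, cert_key = STATIC_KX[head], False, parts[1], "EC"
    else:
        # No kx token at all (AES128-GCM-SHA256, AES256-SHA, ...): RSA key transport. The client
        # encrypts the premaster secret to the cert's RSA key, so a leaked key opens every session.
        kx, pfs, auth, cert_key = "RSA key transport", False, "RSA", "RSA"
    if cert_key is None:
        raise ValueError(f"{name}: unknown authentication token {auth!r}")
    return {"name": name, "kx": kx, "cert_key": cert_key, "pfs": pfs, "tls13": False}


def audit_cipher_list(ordered_names) -> dict:
    """Server-preference order decides which suite, hence which cert, a dual-cert VS presents.

    Reports the certs the list needs, the suites that are not forward secret, and the cert
    the first (most preferred) suite would select.
    """
    rows = [classify(n) for n in ordered_names]
    return {
        "certs_needed": sorted({r["cert_key"] for r in rows if r["cert_key"] != "any"}),
        "non_pfs": [r["name"] for r in rows if not r["pfs"]],
        "first_choice_cert": rows[0]["cert_key"] if rows else None,
        "pfs_only": all(r["pfs"] for r in rows),
    }
```

Feeding the table's four names through `classify` reproduces its Key and PFS columns. Note that the first row, static ECDH, is legacy: OpenSSL removed static ECDH suites in 1.1.0, so on a current stack the non-PFS choice is RSA key transport, and in TLS 1.3 there is no non-PFS choice at all.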
8. Certs / Keys
Securing Private Keys
• Keys are stored encrypted in the Controller's database; they are not stored on the SE
• Export of the private key can only be done by an account with WRITE access
• Exporting a private key logs an event in the audit trail
• The private key is scrubbed from GET API responses unless export_key=True is specified
• Specify a passphrase to ensure the key is never exportable in clear text
• HSMs are supported for FIPS compliance
9. SSL Termination
Automated Cert Renewal
• Soon-to-expire certs incur a security health score penalty
• Set alerts to remind admins of expiring certs at 30-day, 7-day and 1-day intervals
• Automate certificate renewal via:
– Venafi
– CERT+
– Custom scripts via Security > "Certificate Management"
10. Hardware Versus Software
TLS termination in software is:
• More secure: software allows quick adoption of fixes and new TLS technology
• More scalable: software allows incremental capacity scaling
• Less expensive: software leverages inexpensive x86 compute for better price/performance
11. Workshops: avinetworks.com/workshop
Webinars: avinetworks.com/webinars/
– 1 Million TPS
– Next webinar is on Kubernetes
12. SSL Redirects
HTTP to HTTPS Redirect
• Via the HTTP application profile > Security > SSL Everywhere
– HTTP (port 80) and HTTPS (port 443) configured on the same VS
– Can include server redirect rewrites
– SSL Everywhere also enables HSTS. This is recommended for production, but potentially dangerous for lab environments; leave it disabled if you are unsure
• Via an HTTP Request Policy
• Via DataScript (Lua), redirecting to the same host and URI over HTTPS:
avi.http.redirect("https://" .. avi.http.hostname() .. avi.http.get_uri())
13. SSL Redirects
HTTP Strict Transport Security (HSTS)
• HSTS forces browsers to connect only via HTTPS for a period of time (usually 1 year)
• HSTS also makes certificate errors fatal: browsers refuse to connect if the cert is expired, for the wrong domain, or otherwise invalid, with no click-through
• HSTS is recommended for stable, production sites
• HSTS is not recommended for labs where certs are temporary or self-signed
• HSTS is enabled via the HTTP profile's SSL Everywhere setting, and is on in the built-in Secure-HTTP-Profile
• Leaving HSTS disabled incurs a security penalty in Avi's health score and in 3rd-party SSL tools such as Qualys SSL Labs
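The redirect on slide 12 and the HSTS behaviour on slide 13 are one decision made per request, and two details matter that the slides do not spell out: the redirect target must be validated against the domains the VS actually serves (redirecting to whatever the Host header says is an open redirect and a header-injection vector), and the Strict-Transport-Security header must only be sent on HTTPS responses, because RFC 6797 tells browsers to ignore it over plain HTTP. The following is an added example modelling that logic in Python; it is not Avi's code, and the request shape (`scheme`, `host`, `uri`) and `served_domains` list are assumptions for the illustration.

```python
"""HTTP->HTTPS redirect plus HSTS, modelled as a pure function (added example, not Avi code)."""
import re
from typing import Optional

ONE_YEAR = 31_536_000                  # the "usually 1 year" max-age from the slide

# One or more DNS labels, optional trailing dot. No CR/LF can match, which blocks header injection.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def hsts_value(max_age: int = ONE_YEAR, include_subdomains: bool = True) -> str:
    """Build the Strict-Transport-Security value. max-age=0 is legal: it tells browsers to forget the policy."""
    if max_age < 0:
        raise ValueError("max-age must not be negative")
    value = f"max-age={max_age}"
    return value + "; includeSubDomains" if include_subdomains else value


def normalize_host(host_header: str, served_domains) -> Optional[str]:
    """Canonical host to redirect to, or None if the Host header is not one of this VS's domains."""
    host = host_header.strip().lower()
    if host.endswith(":80"):           # default port on the plain-HTTP side; drop it
        host = host[:-3]
    if not _HOSTNAME.fullmatch(host):  # junk, a port we do not serve, or an injection attempt
        return None
    host = host.rstrip(".")
    return host if host in {d.lower() for d in served_domains} else None


def handle(request: dict, served_domains, hsts_enabled: bool = True) -> dict:
    """request = {'scheme': 'http' | 'https', 'host': Host header, 'uri': path plus query}.

    Returns the status and the response headers the load balancer would emit.
    """
    host = normalize_host(request["host"], served_domains)
    uri = request["uri"]
    if host is None or not uri.startswith("/") or "\r" in uri or "\n" in uri:
        return {"status": 400, "headers": {}}
    if request["scheme"] == "http":
        # Same host and URI over HTTPS, as the DataScript on the previous slide does.
        # No HSTS header here: browsers only honour it over a secure connection.
        return {"status": 301, "headers": {"Location": f"https://{host}{uri}"}}
    headers = {}
    if hsts_enabled:
        # Once a browser has stored this, a self-signed or expired lab cert becomes a hard
        # failure for the whole max-age; that is why the slide says to leave it off when unsure.
        headers["Strict-Transport-Security"] = hsts_value()
    return {"status": 200, "headers": headers}
```

Dropping `includeSubDomains` narrows the blast radius to the one host when sibling hostnames are not yet ready for HTTPS-only; keeping it is what the "SSL Everywhere" posture implies.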
14. SSL Redirects
Server Name Indication
• SNI is often overlooked because it is labeled "Virtual Hosting" in the VS
• A single VIP can accept TLS connections for multiple encrypted sites or domain names
• Similar to the VS > Pool mapping, Avi uses a Parent VS > Child VS mapping
• The Parent VS holds the VIP and the SSL profile, and is the catch-all for requests that do not match a child VS
• A Child VS is mapped to a domain name and its corresponding cert, and otherwise behaves as a normal VS
[Diagram: a.avi.com, b.avi.com and c.avi.com all arrive at the Parent VS on 10.1.1.1:443; the matching Child VS sends a.avi.com to pool_a, b.avi.com to pool_b, and c.avi.com to pool_c1 / pool_c2]
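What the parent/child mapping actually keys on is the server_name extension in the ClientHello, which the load balancer must read from untrusted bytes before any cipher or certificate has been negotiated. Here is an added example, not Avi's code and not from the webinar, that parses the SNI out of a raw ClientHello record with a bounds check on every length field and then routes it to the child VS from the slide, falling back to the parent for an unknown name or no SNI at all. The `build_client_hello` helper constructs the test vector inline; the parent's cert and pool names are assumptions, the child names and pools are the ones on the slide.

```python
"""SNI extraction from a TLS ClientHello and parent/child VS routing (added example, not Avi code)."""
from typing import Optional


class _Cursor:
    """Bounds-checked reader over a bytes buffer; every length field is validated before use."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated or malformed ClientHello")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension (RFC 6066), or None if absent."""
    rec = _Cursor(record)
    if rec.uint(1) != 0x16:                        # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                    # record version (often 3.1 regardless of real version)
    hs = _Cursor(rec.take(rec.uint(2)))            # assumes the ClientHello fits in the first record
    if hs.uint(1) != 0x01:                         # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    body = _Cursor(hs.take(hs.uint(3)))
    body.take(2 + 32)                              # client_version + random
    body.take(body.uint(1))                        # legacy_session_id
    body.take(body.uint(2))                        # cipher_suites
    body.take(body.uint(1))                        # compression_methods
    if body.remaining() == 0:
        return None                                # no extensions block at all (legal in TLS 1.2)
    exts = _Cursor(body.take(body.uint(2)))
    while exts.remaining() >= 4:
        ext_type, ext_len = exts.uint(2), exts.uint(2)
        data = _Cursor(exts.take(ext_len))
        if ext_type != 0:                          # 0 = server_name
            continue
        names = _Cursor(data.take(data.uint(2)))   # ServerNameList
        while names.remaining() >= 3:
            name_type, name_len = names.uint(1), names.uint(2)
            name = names.take(name_len)
            if name_type == 0:                     # host_name
                if not name or b"\x00" in name:
                    raise ValueError("invalid host_name")
                return name.decode("ascii").lower().rstrip(".")
    return None


# Slide 14: one VIP, the parent VS as catch-all, one child VS per domain.
PARENT_VS = {"vip": "10.1.1.1:443", "cert": "default-cert", "pools": ["pool_default"]}  # assumed names
CHILD_VS = {
    "a.avi.com": {"cert": "a.avi.com-cert", "pools": ["pool_a"]},
    "b.avi.com": {"cert": "b.avi.com-cert", "pools": ["pool_b"]},
    "c.avi.com": {"cert": "c.avi.com-cert", "pools": ["pool_c1", "pool_c2"]},  # two pools drawn on the slide
}


def route(record: bytes) -> dict:
    """Pick the child VS by SNI; an unknown name or a ClientHello without SNI lands on the parent."""
    sni = parse_sni(record)
    target = CHILD_VS.get(sni) if sni else None
    return {"vs": sni, **target} if target else {"vs": "parent", **PARENT_VS}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed test vector: a minimal TLS 1.2 ClientHello with one suite and an optional SNI."""
    body = b"\x03\x03" + bytes(32)                 # client_version 1.2 + all-zero random (test only)
    body += b"\x00"                                # empty session id
    body += b"\x00\x02\xc0\x2b"                    # one suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

The catch-all matters more than it looks: clients that send no SNI (old tooling, some health checkers, anyone connecting by IP) all land on the parent, so the parent's certificate is the one they will see.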
15. Avi Vantage platform overview
[Architecture diagram: a central Controller (control plane) managing Service Engines (data plane) across bare metal, virtualized, containers (Mesos) and public cloud]
• Universal solution: both traditional and modern use cases
• Automation: highly programmable, plug-n-play
• Built-in predictive analytics: actionable insights are key to automation
• Separate control and data plane: manage as one, not many devices