Embedded Appliances for SSL Offload: Data Encryption/Decryption and Inspection at Multi-Gigabit Speeds
By Jon Kyi – Hardware Design Engineer

3 October 2018

Worldwide spending on information security reached a staggering $86.4 billion in 2017 as organizations stack up firewalls around their network perimeters and inspect incoming and outgoing traffic with an array of products including secure web gateways, forensic tools, advanced threat prevention platforms, and more.

To prevent cyber-attacks, enterprises need to inspect incoming and outgoing traffic for threats. Unfortunately, attackers are increasingly utilizing encryption to evade detection. With more and more applications using encrypted data (in fact, NSS Labs predicts that 75% of Web traffic will be encrypted by 2019), organizations that do not inspect encrypted communications are leaving an open door for attackers to infiltrate defenses and for malicious insiders to steal sensitive data.

SSL Overview

Secure Sockets Layer (SSL) is a commonly used protocol that helps to ensure the security of HTTP traffic traveling across the Internet. SSL relies on public- and private-key cryptography to authenticate the server and to negotiate the keys that encrypt communications between the client and server, so that messages are sent safely across the network. By encrypting the transmission, sensitive information, such as a user's login ID for an online banking session or a credit card number, is protected and kept out of the hands of potential hackers and criminal organizations.

Specifically, SSL has long been used to secure Web-based transactions to enable e-commerce and online banking. Over time, the simplicity that SSL provides has made it the perfect vehicle for migrating many applications to a Web-based model, enabling new online services such as viewing medical records, ordering prescriptions, filing federal, state and local tax returns, and other government uses. It also protects new cloud-based and enterprise applications such as Salesforce.com, Exchange and SharePoint, and most of the Web-based email applications on the market, such as Gmail, Yahoo and Zimbra.

SSL Offload and Inspection

While SSL solves many security problems, encrypting sensitive transactions can allow them to pass through security measures unchecked. The problem is exacerbated because SSL-encrypted communications constitute a significant and growing percentage of the traffic on enterprise LANs and WANs.

Today, in most cases, enterprises and service providers permit encrypted communications, but only through software-based SSL proxies that allow the IT organization to examine and inspect SSL-encrypted content before it enters or exits the enterprise. These proxies provide the opportunity to examine the contents of network traffic while still re-encrypting it before it leaves the enterprise.

Unfortunately, traditional software-based SSL proxies create additional problems that become trade-offs against the security benefits they offer. They are inserted into the network path and create congestion, because the performance of the network appliance fails to keep pace with the growth of network capacity and bandwidth at gigabits per second and beyond. The network I/O, memory and CPU utilization of systems that process SSL in software all strain at these new performance levels. As a result, these network proxies are rated for some amount of aggregate bandwidth or a number of users, sessions and/or flows. When any of these limits is exceeded, the SSL proxy becomes a bottleneck that can only be relieved by adding capacity in the form of yet another SSL proxy system. A solution that ensures the confidentiality and protection of SSL traffic must therefore balance performance, control and security.

Embedded Appliances with SSL Offload Processing

A new class of SSL proxy is entering the market that provides many of the benefits of existing SSL proxies while removing (or mitigating) the negative impacts currently associated with them. These embedded appliances with SSL offload processing are deployed in the IP network at a point where encrypted SSL traffic can be inspected as plaintext before it enters (or exits) the LAN, WAN or data center.

Embedded appliances with SSL offload processing see all network traffic, not just SSL, and therefore require line-rate network performance and the ability to cut through non-SSL flows without proxying them. The embedded appliance SSL offload solution provides high performance at both the network and application levels, as well as multiple-interface support for applications to tap into SSL streams. By giving applications access to the plaintext in SSL streams, the transparent proxy enables IT managers to implement policy control and regulate network users, which is often necessary to achieve compliance.
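The flow-classification step described above (decide from the first client bytes whether a flow is SSL/TLS and should be handed to the proxy, or is something else and can be cut through at line rate) is shown below as an added example in Python. It is illustrative code written for this page, not Interface Masters' product code; the `build_client_hello` helper constructs a minimal TLS 1.2 ClientHello purely as test input, and the `"inspect"`, `"cut-through"` and `"buffer"` verdict names are assumptions. A real appliance would implement this in hardware or a fast path, but the record-layer and ClientHello parsing, including the SNI extraction that policy control relies on, is the same.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input (not captured traffic): a minimal TLS 1.2
    ClientHello with one cipher suite and an SNI extension for `hostname`."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + name
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry         # server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_data)) + sni_ext_data
    body = (
        b"\x03\x03" + bytes(32)                       # client_version + 32-byte random (zeros)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"          # cipher_suites: one suite
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_flow(first_bytes: bytes):
    """Classify a flow from the first client-to-server bytes.

    Returns ("inspect", sni) when the flow opens with a TLS ClientHello (sni may
    be None if no SNI extension is present), ("buffer", None) when it looks like
    TLS but the ClientHello is not yet complete, and ("cut-through", None) for
    anything that is not TLS. A truncated hello is deliberately NOT cut through,
    so an encrypted flow is never passed uninspected just because it arrived in
    several segments."""
    try:
        if len(first_bytes) < 5 or first_bytes[0] != TLS_HANDSHAKE:
            return ("cut-through", None)
        major, minor = first_bytes[1], first_bytes[2]
        rec_len = struct.unpack("!H", first_bytes[3:5])[0]
        if major != 3 or minor > 4:                    # only SSL 3.0 / TLS 1.x record versions
            return ("cut-through", None)
        rec = first_bytes[5:5 + rec_len]
        if len(rec) < 4:
            return ("buffer", None)
        if rec[0] != CLIENT_HELLO:
            return ("cut-through", None)
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return ("buffer", None)                    # need more segments before deciding
        pos = 2 + 32                                   # skip client_version and random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len
        comp_len = hs[pos]
        pos += 1 + comp_len
        sni = None
        if pos + 2 <= len(hs):                         # extensions are optional
            ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                edata = hs[pos:pos + elen]
                pos += elen
                if etype == EXT_SERVER_NAME and len(edata) >= 5:
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return ("inspect", sni)
    except (IndexError, struct.error):
        return ("cut-through", None)                   # malformed header: not a TLS flow


if __name__ == "__main__":
    print(classify_flow(build_client_hello("bank.example")))
    print(classify_flow(b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    print(classify_flow(build_client_hello("bank.example")[:20]))
```

The SNI value is what a policy engine would use to decide, before any decryption, whether a given destination must be inspected or may be exempted (for example, for regulated categories such as banking or healthcare); the "buffer" verdict is the edge case that separates a correct classifier from one that silently leaks split handshakes past inspection.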

Interface Masters Technologies' embedded network appliances with hardware-based SSL acceleration enable high-performance proxy functionality for Secure Sockets Layer (SSL) network communications, providing applications with access to the plaintext in SSL-encrypted connections. Beyond industry-leading performance, the Interface Masters appliance-based SSL proxy both increases network security and significantly reduces deployment and operational costs by removing costly user and network configuration. The embedded appliance with SSL acceleration was designed for security and network appliance manufacturers, enterprise IT organizations and system integrators, to provide industry-leading performance at a fraction of the cost of other solutions. Without compromising any aspect of enterprise or government-regulated compliance, the embedded appliances with SSL acceleration allow network appliances to be deployed with the highest levels of flow analysis while still maintaining multi-gigabit, line-rate network performance.

Interface Masters Technologies' embedded network appliances are scalable network security platforms that provide the hardware/software foundation for SSL offload processing. The Interface Masters appliances are built on off-the-shelf server hardware, enabling fully integrated network security appliances that support high-performance threat protection, including real-time memory inspection and deep packet inspection. The embedded appliance platform portfolio also includes foundational software and open interfaces for management and orchestration, which simplifies operation and enables easier integration. From a deployment perspective, the Interface Masters platforms can be equipped to support network security appliance deployments in enterprise, small-business or branch office environments.

Interface Masters Technologies has for over 20 years been providing innovative off-the-shelf networking solutions with customization services to OEMs, Fortune 100 and startup companies. We are headquartered in San Jose, California, in the heart of Silicon Valley, where we proudly design and manufacture all of our products. Based on MIPS, ARM, PowerPC and x86 processors, Interface Masters appliance models enable OEMs to significantly reduce time-to-market with reliable, pre-tested and pre-integrated appliance solutions that can meet the most challenging networking requirements.

