Having gone through our SSL Series on Elliptic Curve Cryptography and Perfect Forward Secrecy, you should have a good understanding of these technologies and why they are important to your organization. Our last article demonstrated how to successfully implement ECC and PFS on a LineRate System. This article shows how to verify that SSL with ECC+PFS has been properly implemented on LineRate. Specifically, the article will detail how to check for ECC SSL on the wire via Wireshark and in the browser. Let's get started!
Testing the Client-side SSL
Confirming ECC+PFS cryptography
By browsing to https://ssloffload.lineratesystems.com, it is observed that the ECC secp384r1 curve is being used to secure the session. Figure 1 details the specific network configuration we now have. Note that ssloffload.lineratesystems.com is a private, RFC1918 address and will not work directly for you.
Figure 1: Detailed network overview of the SSL/TLS Offload configuration with LineRate
Figure 2: Inspecting the ECC+PFS certificate for the HTTPS session
An investigation into the SSL negotiation details from the client to the LineRate system shows that the ECDHE cipher suite is indeed used in combination with the secp384r1 ECC curve. A pcap of the SSL/TLS handshake has been included at the end of this article if you would like to investigate this process further. Figure 3 shows the highlights of the SSL handshake negotiation: PFS is present (via the Elliptic Curve Diffie–Hellman Exchange, or ECDHE, cipher suite used) and the ECC curve that was successfully negotiated is indeed secp384r1:
Figure 3: Ensuring ECC+PFS cryptography is chosen to secure the client's communication
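The Figure 3 check can also be scripted. The following is an added example, not code from the original article or from LineRate: it reads the server-to-client TCP payload of a handshake and reports the cipher suite from the ServerHello and the named curve from the ServerKeyExchange. It assumes TLS 1.2 or earlier, where these messages are sent in the clear; the function names are hypothetical and the sample bytes are constructed (the ServerKeyExchange signature is omitted), not taken from the article's pcap.

```python
import struct

# IANA TLS registry values (a small subset, enough for this check).
ECDHE_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

def handshake_messages(stream):
    """Yield (type, body) for each cleartext handshake message."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != 22:                      # stop at ChangeCipherSpec/alert
            break
        buf += stream[pos + 5:pos + 5 + length]  # rejoin fragmented messages
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mtype, mlen = buf[pos], int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield mtype, buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def check_ecc_pfs(stream, want_curve="secp384r1"):
    """Return (suite, curve, ok) from the server's handshake flight."""
    suite = curve = None
    for mtype, body in handshake_messages(stream):
        if mtype == 2:                       # ServerHello
            sid_len = body[34]               # after version(2) + random(32)
            code, = struct.unpack_from("!H", body, 35 + sid_len)
            suite = ECDHE_SUITES.get(code, "non-ECDHE 0x%04X" % code)
        elif mtype == 12 and body[:1] == b"\x03":  # ServerKeyExchange, named_curve
            curve_id, = struct.unpack_from("!H", body, 1)
            curve = NAMED_CURVES.get(curve_id, "curve %d" % curve_id)
    ok = suite is not None and suite.startswith("TLS_ECDHE") and curve == want_curve
    return suite, curve, ok

# Constructed sample flights (hypothetical helpers, TLS 1.2 framing).
def record(*msgs):
    data = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return struct.pack("!BHH", 22, 0x0303, len(data)) + data

def server_hello(code):
    return (2, b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", code) + b"\x00")

GOOD = record(server_hello(0xC02C), (12, b"\x03\x00\x18\x61\x04" + bytes(96)))
NO_PFS = record(server_hello(0x009C))        # static RSA suite, no ServerKeyExchange
```

A flight that negotiates a static RSA suite carries no ServerKeyExchange at all, so the check reports no curve and fails, which is the case this verification step is meant to catch.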
Testing the server-side request
Confirming reverse proxying via HTTP (not HTTPS)
A network capture for the proxied request from the client to the web server can be seen below in Figure 4. Note that the communication is unencrypted while in the secure datacenter. This proves that the SSL Offload on the LineRate system has been successfully implemented, alleviating our internal servers of the cryptography burden. A pcap of the HTTP request has been included at the end of this article if you would like to investigate this HTTP request further.
Figure 4: Ensuring the SSL client request to the web server has been successfully offloaded on LineRate
Benefits of SSL offload via LineRate
Thus far, you should have a good understanding of Elliptic Curve Cryptography and Perfect Forward Secrecy and why they are important to your organization. An SSL Offload system has now been successfully implemented as well. LineRate offers a very competitive $ per SSL terminations-per-second and can quickly and easily help your organization implement an SSL Offloading system. Here are a few additional benefits LineRate offers:
Quickly deploy a more secure application
LineRate is a software-based product that can be quickly deployed on existing x86 bare metal hardware or in virtualized environments.
In fact, a production-ready SSL/TLS offload system can be set up in under an hour.
Simple key management
Configure a few LineRate systems versus hundreds of servers in a traditional SSL deployment
By placing SSL information on a few LineRate instances, security exposure to public key compromise is significantly reduced
Easily implement SSL in a non-SSL environment
Add security for end-users while allowing LineRate to talk to your internal network via unencrypted protocols
Of course, LineRate can facilitate encrypted communications with the application servers if desired
LineRate is a high-performance, software-based solution that easily incorporates into your existing infrastructure. It can handle the high throughput and high connection counts required for a modern datacenter.
By offloading SSL with LineRate, resources on the servers that handle your application are freed up. This way your application servers can focus on handling your application rather than on the overhead of SSL.
Move over RSA: ECC crypto is here to stay! From this demonstration, it is easy to see that LineRate is a great way to quickly and easily deploy better performance and security with SSL. Take LineRate's SSL Offloading capabilities for a spin!