
2048-bit Keys & Value of SSL Offload


Presentation Transcript


  1. 2048-bit Keys & Value of SSL Offload

  2. Agenda
     • Change in Best Practices
     • Implications
     • Performance Impact
     • Preparation for Migration to 2048-bit keys
       • Size accordingly, whether you terminate on:
         • Servers, or
         • Offload to BIG-IP
     • Advantages of SSL Offload
     • Next Steps

  3. Key Length Guidance/Best Practices
     • NIST Special Publication 800-57 Part 1, Table 4, recommends transition to 2048-bit key lengths by Jan 1st 2011
     • Microsoft uses and recommends 2048-bit keys, per the NIST guidelines, for all servers and other products
     • Red Hat recommends 2048+ bit length for keys using the RSA algorithm

  4. Result: Issuing Certificate Authorities only issue 2048-bit certificates
     • VeriSign: started focusing on 2048-bit keys in 2006; complete transition by October 2010. Indicates their transition is to comply with best practices as recommended by NIST
     • GeoTrust: clearly indicates why it transitioned to ONLY 2048-bit keys in June 2010
     • Entrust: also indicates why it transitioned
     • GoDaddy: "we enforce a new policy where all newly issued and renewed certificates must be 2048-bit"
     • Extended Validation (EV) required 2048-bit keys on 1/1/09

  5. Implications of Migration to 2048-bit Certs
     • Industry average: 5x reduction in SSL TPS
       • i.e. 20% of the 1024-bit SSL TPS performance
     • Same processing impact regardless of where the SSL is processed
     • Need to re-assess capacity for 2048-bit certs
       • Know your SSL TPS requirements
       • Assess current & needed capacity
     • Additional considerations:
       • Software-only or virtualized ADCs don't perform for 2048-bit
       • FIPS or other security/encryption requirements require additional hardware
       • Type of traffic impacts the benefit of session reuse

  6. Performance Impact: SSL Termination on Application Server vs BIG-IP
     • Additional considerations:
       • 2048-bit keys are NOT a good fit for software-only or virtualized deployments
       • Any additional security/encryption requirements, such as FIPS, require additional hardware
       • Type of traffic impacts the benefit of session reuse

  7. F5 Advantages for SSL Offload
     • Streamlines & consolidates management
       • Placing certificates on BIG-IP requires fewer certificates on servers
       • Use EM (Enterprise Manager) to collect TPS history for sizing
     • BIG-IP flexibility: use 2048-bit keys on the front end, but retain 1024-bit keys to backend servers
       • Put larger keys on BIG-IP and maintain 1024-bit keys to application servers for end-to-end encryption
     • BIG-IP specialized hardware for SSL offload
       • Price/performance advantage of BIG-IP is HUGE!
       • F5 provides the highest SSL throughput in the industry with high availability, with redundant power and sharing of the workload across blades in VIPRION, even if one fails

  8. Centralized Certificate Management: placing certificates on BIG-IP requires fewer certificates

  9. EM Streamlines Certificate Management: quantifies TPS & reports certificate expiration

  10. Flexibility to NOT modify applications: comply with end-to-end encryption requirements
      [Diagram: clients <-> BIG-IP LTM (2048-bit key) <-> App Servers (1024-bit key)]
      • Decrypt client traffic with 2048-bit keys on BIG-IP
      • Re-encrypt with 1024-bit keys to the servers
      Solution:
      • Scale end-to-end encryption
      • Flexibility to process 2048-bit keys on the BIG-IP LTM and leverage 1024-bit keys to the backend servers
      • Removes the need to modify applications to support 2048-bit keys

  11. BIG-IP Hardware Line-up: high performance meets high value
      BIG-IP 3900: Quad core CPU; 8x 10/100/1000 + 4x 1GB SFP; 1x 300 GB HD + 8GB CF; 8 GB memory; 15K TPS (1024-bit); 3K TPS (2048-bit); 3.8 Gbps max software compression; 4 Gbps L7 traffic
      BIG-IP 3600: Dual core CPU; 8x 10/100/1000 + 2x 1GB SFP; 1x 160 GB HD + 8GB CF; 4 GB memory; 10K TPS (1024-bit); 2K TPS (2048-bit); 1 Gbps max software compression; 2 Gbps L7 traffic
      BIG-IP 1600: Dual core CPU; 4x 10/100/1000 + 2x 1GB SFP; 1x 160 GB HD; 4 GB memory; 5K TPS (1024-bit); 1K TPS (2048-bit); 1 Gbps max software compression; 1 Gbps L7 traffic

  12. BIG-IP Hardware Line-up: platforms for unified application delivery
      BIG-IP 8900: 2x Quad core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory; 58K TPS (1024-bit); 12K TPS (2048-bit); 8 Gbps max hardware compression; 12 Gbps L7 traffic
      BIG-IP 8950: 2x Quad core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory; 56K+ TPS (1024-bit); 11.2K+ TPS (2048-bit); 12 Gbps max software compression; 20 Gbps L7 traffic
      BIG-IP 11050: 2x Quad core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory; 100K TPS (1024-bit); 20K TPS (2048-bit); 48 Gbps max software compression; 42 Gbps L4 traffic; 40 Gbps L7 traffic
      BIG-IP 6900: 2x Dual core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 8 GB memory; 25K TPS (1024-bit); 5K TPS (2048-bit); 5 Gbps max hardware compression; 6 Gbps L7 traffic

  13. Q&A

  14. Next Steps: Quantify SSL TPS and Assess Options for 2048-bit Key Migration
      • Obtain a complete picture of how many SSL transactions per second you are currently processing
        • Enterprise Manager provides usage numbers to determine average and peak SSL TPS
      • Calculate the expected 2048-bit impact
        • Divide the current device's 1024-bit SSL TPS capacity by 5 to obtain the device's 2048-bit SSL TPS capacity
        • Compare the result to the SSL TPS currently being processed
      • Assess options for cost-effectively processing 5x the computation on:
        • Servers
        • BIG-IP
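The sizing procedure on slide 14, worked through in code. This is an added example, not F5 code or a tool from the deck: it applies the deck's rule of thumb (a 2048-bit RSA handshake costs about 5x a 1024-bit one, so a device keeps roughly 20% of its 1024-bit SSL TPS) and the per-platform TPS ratings copied from the hardware line-up slides. It also goes one step beyond the slide by accounting for session reuse, which the deck names as a factor: only full handshakes pay the RSA private-key cost, so the TPS figure to size for is new connections minus resumed sessions. The reuse rate, the 1.5x headroom factor and the peak-traffic inputs are constructed sample values, not figures from the presentation.

```python
"""Capacity planning for the 1024-bit to 2048-bit migration (added example).

Assumptions (not from the deck): the session-reuse model, the headroom
factor, and the sample traffic numbers in the __main__ block.
"""
from dataclasses import dataclass
from typing import Optional

# Deck's industry-average rule of thumb: 2048-bit RSA costs ~5x 1024-bit.
RSA_2048_COST_FACTOR = 5

# SSL TPS ratings (1024-bit, 2048-bit) as listed on the BIG-IP line-up slides.
PLATFORM_TPS = {
    "BIG-IP 1600": (5_000, 1_000),
    "BIG-IP 3600": (10_000, 2_000),
    "BIG-IP 3900": (15_000, 3_000),
    "BIG-IP 6900": (25_000, 5_000),
    "BIG-IP 8900": (58_000, 12_000),
    "BIG-IP 8950": (56_000, 11_200),
    "BIG-IP 11050": (100_000, 20_000),
}


def projected_2048_capacity(tps_1024: int) -> int:
    """Slide 14 step: divide the device's 1024-bit SSL TPS capacity by 5."""
    return tps_1024 // RSA_2048_COST_FACTOR


def full_handshakes_per_second(new_connections_per_second: float,
                               session_reuse_rate: float) -> float:
    """Only full handshakes pay the RSA private-key cost; resumed sessions
    (session ID or ticket reuse) skip it. The reuse rate is a constructed
    input; measure it from your own traffic mix (deck: 'type of traffic
    impacts benefit of session reuse')."""
    if not 0.0 <= session_reuse_rate <= 1.0:
        raise ValueError("session_reuse_rate must be between 0 and 1")
    return new_connections_per_second * (1.0 - session_reuse_rate)


@dataclass
class Assessment:
    peak_full_handshake_tps: float
    capacity_1024: int
    capacity_2048: int
    shortfall_tps: float      # handshakes/s beyond 2048-bit capacity (0 if none)
    utilization_2048: float   # peak / capacity_2048; > 1.0 means undersized


def assess(peak_full_handshake_tps: float, capacity_1024: int) -> Assessment:
    """Compare measured peak full-handshake TPS with the projected 2048-bit
    capacity of the device currently terminating SSL."""
    if capacity_1024 < RSA_2048_COST_FACTOR:
        raise ValueError("capacity_1024 too small to project a 2048-bit figure")
    cap_2048 = projected_2048_capacity(capacity_1024)
    shortfall = max(0.0, peak_full_handshake_tps - cap_2048)
    return Assessment(peak_full_handshake_tps, capacity_1024, cap_2048,
                      shortfall, peak_full_handshake_tps / cap_2048)


def smallest_platform_for(required_tps: float,
                          headroom: float = 1.5) -> Optional[str]:
    """Smallest line-up platform whose 2048-bit rating covers the required
    TPS times a headroom factor (assumed 1.5x for growth and failover).
    Returns None if nothing in the line-up is large enough."""
    target = required_tps * headroom
    for name, (_, tps_2048) in sorted(PLATFORM_TPS.items(),
                                      key=lambda kv: kv[1][1]):
        if tps_2048 >= target:
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: monitoring shows 12,000 new SSL connections/s at
    # peak with 40% session reuse, terminated today on a device rated like
    # a BIG-IP 3900 (15K TPS at 1024-bit).
    peak = full_handshakes_per_second(12_000, 0.40)   # 7,200 full handshakes/s
    result = assess(peak, capacity_1024=15_000)
    print(result)
    print("Smallest platform with 1.5x headroom:", smallest_platform_for(peak))
```

The interesting number in the sample run is the utilization: a device comfortably under its 1024-bit rating lands at 2.4x its projected 2048-bit capacity, which is the situation the slide's "divide by 5, then compare" step is meant to surface before certificates are swapped. Note also that the rule of thumb is approximate: applying it to the 8900's 58K rating gives 11.6K, while the slide lists 12K.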

  15. Migration to 2048-bit Keys: Example of Options
      [Diagram: "From" (current deployment) and alternative "To" options, separated by OR; the figures are not recoverable from the transcript]
      * Based on F5 internal testing. Assumes $7K for a typical 64-bit server & excludes load balancing between these servers. Load balancing is included in BIG-IP.

  16. Q&A

  17. SSL Processing/Handshake Domain

  18. SSL Offload Value Proposition + DNSSEC
      F5 BIG-IP GTM request processing:
      • TMOS receives the request on the DNS listener IP
      • TMOS sends the request to the GTM module
      • GTM applies GSLB rules
      • GTM returns the response
      • TMOS checks whether the original request included +DNSSEC
        • If a normal DNS request, TMOS responds normally
        • If a DNSSEC request, TMOS signs the response
      • DNSSEC response
      [Diagram (steps 1-8): DNS Query; DNS Query for WIP; GTM Module; TMOS; Optional: +DNSSEC; GTM DNS Response; DNS Server Load Balancing; DNS Response; Real-time DNSSEC Signing OR DNSSEC Response; F5 Patent Pending Hardware Cryptography; Optional FIPS Key Storage]
