Re: SSL Accelerator Card

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SSL Accelerator Card
From: "Alexandre CASSEN" <alexandre.cassen@xxxxxxxxxxxxxx>
Date: Fri, 5 Oct 2001 08:41:32 +0100
Hi Ryan,

>Do you guys know whether this system is possible with LVS?
>
>                 ________
>                |        |
>                | client |<--Client using an SSL web application (port 443)
>                |________|
>                    || CIP=eth0 x.x.x.15
>      SSL Traffic ->||
>                    ||      __________
>                    ||     |          |
>                    ||=====+ SSL NIC  |<--This SSL NIC is a F5 Big-IP SSL NIC
>                           |(VIP eth0)|
>                           |          |
>                    |------+ 100bt NIC|
>                    |      |(DIP eth1)|
>                    |      |__________|
>cleartext Traffic ->|  VIP=eth0 y.y.y.2/26
>                    |  DIP=eth1 y.y.y.130/26
>                    |
>                    |
>           -------------------
>           |                 |
>           |                 |
>     ______________    ______________
>    |              |  |              |
>    | realserver1  |  | realserver2  |<--Servers running over just port 80.
>    |______________|  |______________|   They don't even see SSL traffic
>       RIP1=eth0         RIP2=eth0
>      192.168.1.11       192.168.1.12
>
>             all realservers
>         VIP=lo:110=y.y.y.2 #
>
>
>I am essentially trying to get around two things with this.
>
>#1. I don't want to have to use persistence with my SSL webservers. (We
>are having MAJOR problems with clients that use Tivoli reverse proxies
>and are running like 5,000 people through it...all of the traffic looks
>like it is coming from one client, so it all ends up on just one of the
>two boxes).
>
>#2. I want the traffic to be SSL secure between the client and the
>director, but after that, since the realservers are on the same local
>segment, I really don't care. I want to offload the SSL decryption from
>my webservers and have that handled by just one F5 big-IP SSL NIC).
>
>What do you think? Will it work? Does LVS have the means to do this?


All that you are describing places the load balancing at layer 7.
In fact, if you want the traffic between your load balancer and real servers
to stay unencrypted, you need to act on the flow. Using an SSL accelerator card
means that a piece of software drives the encryption/decryption of the SSL stream
and forwards the clear stream to the final real server. This means that you need a
layer-7 piece of software that makes the load-balancing decision, because this
piece of software is the connection acceptor.

The biggest problem with that kind of architecture is that you have to deal
with the layer-7 overhead.... so the piece of software needs to be implemented
in kernel space.

There is work here on layer-7 switching (ktcpvs), but currently only on
clear streams. If you want active decrypt/encrypt software you need to wait
a little :) or start the development on your side :)


I didn't know that Big-IP provided an SSL card?
I only know the Big-IP SSL accelerator 400/800....

I was interested in working on this problem, but SSL cards
(Compaq AXL, CryptoSwift, ...) are very, very expensive hardware, so....
The biggest problem with this layer-7 design is that using hardware
SSL processing introduces an encryption/decryption bottleneck for the
whole virtual service provided...

Personally, if I had to start work on it, I would start with the Compaq AXL300
http://www.compaq.com/products/servers/security/AXL300/
because they offer source code.... Linux development support.... still very
expensive.


Best regards,
Alexandre

Below a previous post on this subject:

----------[ Previous post :  07/06/01 16:24-FR ]----------

Hi all,

I am currently studying a solution to provide secure connections to our SMTP
gateway. Our topology can be summed up as follows:

-----------------------
      INTERNET
-----------------------
          |
  +----------------+
  | Network router |
  +----------------+
          |
     +---------+
     |   FW    |
     +---------+
          |
   +---------------+   +------------------+    +---------------+
   | Loadbalancer1 |===| Internal Network |====| Loadbalancer2 |
   +---------------+   +------------------+    +---------------+
          |                                              |
          |                                              |
  +----------------+                      +-------------------------------+
  | SMTP antivirus |                      |         MTA server pool       |
  |   Server pool  |                      | dealing internals SMTP server |
  +----------------+                      +-------------------------------+

In fact we have users all around the Internet and we want to provide them
secure access to their mailbox (reading & sending). All the connections
coming from the Internet pass through our antivirus stream. For instance,
if a user wants to send a mail from the Internet using our MTA, the stream
is analysed by the antivirus to protect our internal network against
infected mails, SPAM, ... coming from the Internet (even if the user is granted in
our antivirus system).

If we use the clear SMTP protocol all works fine. But (there is always a but :))
to secure the access we want to use secure SMTP connections to our internal
SMTP server. So an Internet user configures his mail client to use SSL/TLS
over SMTP, so when he sends mails from the Internet the SMTP stream is
encrypted, which protects us against malicious SMTP sniffing.

The fact is that to scan the stream for viruses we need to deal with clear
streams. Our antivirus cannot deal with encrypted SMTP connections; it is
not natively implemented. A solution could consist in using another SMTP
server pool that deals with encrypted connections. But if we implement that,
the SMTP stream cannot be scanned and a potentially infected mail can infect
all our internal network.

So the solution we can implement is layer 7 switching. In our
Loadbalancer1 we create two virtual services: the first for plain SMTP acting
at layer 3 only, load balancing the SMTP antivirus server pool; the second for
the SSL/TLS secure port acting at layer 7.

Here it can be interesting: we use something like ktcpvs to load balance
secure SMTP connections. When a connection comes from the Internet to
that virtual service, ktcpvs responds to the certificate exchange and handles
all the secure connection with the remote mail client. Then, when it
receives data from the remote mail client, the stream is decrypted and
forwarded to the SMTP antivirus server pool. So between Loadbalancer1 and
the SMTP antivirus servers, all the streams are clear and can be scanned without
any software update or expensive new dedicated hardware.

Do you think ktcpvs is the right place to implement such a thing?
(The current version of ktcpvs has overhead, but for the moment we do not have
many connections to deal with.)

Best regards,
Alexandre
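Both posts above hinge on the same point: once the director terminates SSL/TLS itself, it owns each decrypted connection and can make the balancing decision per connection, so Ryan's problem #1 (a Tivoli reverse proxy funnelling thousands of users through one source IP, which client-IP persistence pins to a single real server) disappears. The following is an added simulation written for this archive page, not code from the LVS project, ktcpvs or either poster. It models LVS-style persistence as a per-client-IP template that is refreshed on every matching connection (an assumption about the behaviour, stated as such in the code), runs it next to per-connection round-robin over a constructed set of connection records, and reports how lopsided the two real servers end up.

```python
"""Why per-client-IP persistence collapses proxied traffic onto one real server,
while scheduling each decrypted connection at layer 7 spreads the load.

Added example for the list archive; not LVS, ktcpvs or the posters' code.
The connection records are constructed, not captured traffic.
"""
from collections import Counter
import ipaddress

# RIP1 / RIP2 from Ryan's diagram
REALSERVERS = ["192.168.1.11", "192.168.1.12"]


def constructed_connections():
    """Constructed sample: 5,000 users behind one reverse proxy (a single
    source IP, like the Tivoli case in the post) plus 20 direct clients.
    Each record is (client_ip, seconds_since_start)."""
    conns = [("10.0.0.5", t) for t in range(5000)]                 # proxy
    conns += [(f"172.16.0.{i}", 5000 + i) for i in range(1, 21)]   # direct
    return conns


def schedule_persistent(conns, timeout=360, netmask=32):
    """Assumed model of LVS persistence: the first connection from a client
    (IP masked to `netmask`) picks a real server round-robin; later connections
    within `timeout` seconds reuse that template, and each hit refreshes it."""
    templates = {}   # masked client network -> (real server, expiry time)
    rr = 0
    assigned = []
    for ip, t in conns:
        key = str(ipaddress.ip_network(f"{ip}/{netmask}", strict=False))
        tpl = templates.get(key)
        if tpl is None or tpl[1] < t:
            rip = REALSERVERS[rr % len(REALSERVERS)]
            rr += 1
        else:
            rip = tpl[0]
        templates[key] = (rip, t + timeout)
        assigned.append(rip)
    return Counter(assigned)


def schedule_per_connection(conns):
    """After the director terminates TLS it sees every decrypted connection
    separately, so it can round-robin each one regardless of source IP."""
    return Counter(REALSERVERS[i % len(REALSERVERS)]
                   for i, _ in enumerate(conns))


def imbalance(counts):
    """Share of all connections landing on the busiest real server
    (0.5 is the ideal for two servers; 1.0 means everything on one box)."""
    total = sum(counts.values())
    return max(counts.values()) / total


if __name__ == "__main__":
    conns = constructed_connections()
    for name, counts in (("client-IP persistence", schedule_persistent(conns)),
                         ("per-connection (L7)", schedule_per_connection(conns))):
        print(f"{name:24s} {dict(counts)}  busiest share={imbalance(counts):.3f}")
```

With the constructed input, persistence leaves the proxy's 5,000 connections on the first real server and only the direct clients on the second (busiest share about 0.998), whereas per-connection scheduling splits them evenly (0.5). Raising `netmask` from 32 towards 24 in the persistent model makes matters worse, since it lumps more clients into one template, which is why the post is right that persistence is the wrong tool once a proxy hides the real client population.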





