In the world of secure web applications SSL, or its newer version TLS, reigns supreme. The reason for this is no rocket science, as these are supported right off your Internet browser, are flexible, and yet provide good security. There is an increasing number of websites and web applications that are moving to the security highway for various reasons. Although talking about the SSL ease and flexibilty at client's end is just one part of this story. The major part belongs to the server end where the website or web application resides. Now, these servers are good at doing their particular job and they usually don't have necessary hardware for doing SSL on the fly. Furthermore mostly these servers share their load with each other and are not the real device that faces client request directly.
The device that we are talking about is, not the router or the firewall, the loadbalancer. The role of a loadbalancer is to make sure that any single server doesn't gets overwhelmed with client request when others are free to work on it. This role places the loadbalancer in the sweet spot of taking care of the CPU intensive tasks, like encryption, and freeing the server of this, provided it has capability of doing it in a faster and better way. Cisco ACE uses dedicated hardware for SSL encryption, and thus is much faster at doing it.
There are three different ways of how ACE takes care of SSL.
SSL Termination:- SSL termination is the ACE terminology for deploying the ACE module as an SSL offload device. When configured for SSL termination, the ACE module terminates the SSL connection from the client, decrypts the request from the client, and sends it as plaintext to the real servers. Responses from the real server are received by the ACE in plaintext, encrypted, and sent back over the SSL connection to the client.
Back-end SSL:- Also known as SSL initiation, this is in which the interaction between the client and the ACE is in plaintext while the traffic between the ACE and the real servers is encrypted SSL traffic. In SSL Initiation the ACE module takes the role of the SSL client when dealing with the real servers.
End-to-end SSL:- End-to-end encryption combines SSL termination and SSL initiation in one ACE configuration. This deployment model is often used when highly sensitive data needs to be load balanced based on Layer 7 criteria but the data is not allowed to exist on any network segment as plaintext. In this scenario the data is only unencrypted within the ACE module.
Hi all, we've been using a hardware version of the ACI Simulator for quite some time and really grew fond of it for testing automation solutions we developed for our production fabric. Recently we decided to switch to VM. Our Production-Fabric runs o...
Hello, We would like to change the airflow direction (and thus the fan module) on a CISCO C3850-24-XS-S switch.Is it possible on this type of switch ? We have also seen that the CISCO C3850-48-XS-S had two fan modules (FAN-T3-R= & FAN-T3-F=)...
Hello ACI Gurus. I am currently migrating a two sets of Palo Alto Physical firewalls directly counted to old Cisco 6509 switches to ACI. The way current environment is communicating between ACI and legacy 6509 switches is via a L2 link with a S...