| Sun Fire B10p SSL Proxy Blade Administration Guide |    
|
| Sun Fire B10p SSL Proxy Blade Administration Guide |
|
| A P P E N D I X A |
|
Security Primer |
This appendix provides a quick overview of the basic security concepts that are useful to the SSL proxy blade administrator, especially those new to the area of SSL security. We provide selected references at the end of the section for those who become more interested in the field of security.
The following topics are addressed:
A key component of secure communications is that of hiding the message using encryption. Only the intended recipient should be able to read the message. The two types of common encryption algorithms are symmetric encryption and public key encryption.
In symmetric encryption, the sender and the receiver share a binary or text key. The key is used together with an algorithm to encrypt and decrypt the messages. The size of the key in bits determines the strength of the security provided.
Popular symmetric encryption algorithms are DES (56 bit), triple DES (168 bit) and RC4 (64 and 128 bit). The numbers in parenthesis are the typical key sizes. The larger the key size in bits, the stronger the security against an attacker.
Public key encryption is an efficient way to exchange keys based on today's technology. In public key encryption, a key generation algorithm is used to generate a key pair, a public and private key. The public key can be made available freely to allow sender to encrypt messages intended for the owner of the private key. Only the private key can decrypt a message. The private key cannot be derived from the public key. In SSL, public key encryption is used only to exchange a randomly generated symmetric key. The reason is that using public key for the whole communication would be slower due to excessive computation.
Authentication verifies that the message has not been altered, and verifies the identity of the receiver or sender.
In SSL, an authentication mechanism is used to verify the identity of the server or client who provide a certificate that is digitally signed by a recognized certificate authority (CA). The integrity of the data is verified by signing each SSL bulk message.
The Secure Sockets Layer (SSL) is a protocol to exchange data securely. SSL uses the Internet (that is, TCP/IP), as its communication mechanism. Commonly used browsers like Netscape
, are equipped with SSL clients. Thus, the most popular version of SSL (SSL 3.0) is available on most PCs. SSL 3.0 is believed to be secure and commonly used for eCommerce. The latest version of SSL (SSL 3.1) also called TLS 1.0, is not widely deployed yet. The SSL proxy blade supports SSL 3.0 and TLS 1.0. Commonly used web servers like Sun ONE Web Servers and Apache Web Servers with mod-SSL, support SSL and are compatible with the SSL proxy blade.
When a Browser connects to a server securely, for applications such as sending a credit card number or viewing bank account or stock trade information, the HTTPS protocol is used to establish an SSL session with the server. This session establishment is called an SSL handshake and it is very computation intensive due to the use of public key encryption to exchange the symmetric keys that will be used to encrypt the data. The public key algorithms used in the handshake are RSA or Diffie-Hellman, among others.
Following the SSL handshake, there is encrypted data transfer. The SSL client in the browser encrypts the data and the SSL server on the Web server decrypts the data. The server response is encrypted by the server and decrypted by the browser. The data is not only encrypted, but also digitally signed. The most common symmetric encryption algorithms used by SSL are DES, triple DES (3DES), and RC4. The hash algorithms used for the signature are MD5 and SHA-1.
Some of the items that make SSL secure for communications are: (1) the keys are never sent unencrypted, (2) the identities of the sender and receiver can be verified, and (3) the integrity of each message is authenticated.
SSL accelerators come in two types: server side interface cards, and edge offload appliance systems. Both offload the SSL processing function from the server--the server side solution partially, and the offload appliance totally. The SSL proxy blade is a third-generation SSL acceleration system that provides performance in the thousands of handshakes per second. First and second generation devices operate from 200 to 600 SSL handshakes per second.
The figures of merit of SSL acceleration systems are listed below. Measuring these figures of merit might require a large number of clients and servers to provide sufficient load, and some figures lend themselves to interpretations depending on how the measurement is done and with what type of traffic. The following sections provide information about how to evaluate an SSL accelerator.
The number of sessions per second is the number of handshakes per second that the accelerator can process. It is somewhat connected with the number of encryption operations that the internal engine or chip can perform.
In most systems, the net handshakes per second is much lower than what the engine can provide because there is much more to an SSL handshake than a decryption operation. Thus, information about internal speed of encryption/decryption chips does not carry a direct connection to system performance.
SSL provides a method to resume a session that enables you to omit calculations already expected the first time. When the performance measurement includes a typical number of sessions, the result is a more favorable performance rating.
The SSL proxy blade supports an unusually high number of concurrent sessions, compared to other products in the market, due to its Packetized SSL technology, which enables optimized handling of SSL connection and session state. The net result is that the SSL proxy blade can support up to 64K concurrent sessions for each SSL proxy blade.
The SSL proxy blade performs especially well at bulk encryption. The Packetized SSL technology uses a low overhead TCP/IP non-proxy stack, and the SSL proxy blade handles bulk traffic in hardware, which avoids overloading of data busses. Bulk encryption in the SSL proxy blade is handled at near line speeds and the architecture is designed to scale to multigigabit speeds.
Software upgrades are a convenient feature of the SSL proxy blade that allows for secure updates and available feature upgrades. Because an SSL accelerator is a security product, an authenticated upgrade mechanism is used.
The Sun Fire B10p SSL proxy blade is classified as retail status.
Security is enforced by having sound security policies and best practices that are supported by the security features of the SSL proxy blade. The security features of the SSL proxy blade are described below.
User access control by means of a password ensures that unauthorized personnel will not affect the operation of the box.
The first action to make the SSL proxy blade more secure is to change all the passwords, for User, Administrator, and Security Officer. The User has only view privileges, security officer the password for it can be blank.
The configuration of the SSL proxy blade, including the services private keys, is securely stored in encrypted form inside the SSL proxy blade persistent memory. The key to decrypt the configuration, called the Configuration Key, is randomly generated by the SSL proxy blade; thus, this key is never accessible to any user, so, or any external entity. The configuration key is stored in a special memory area, which is cleared if the blade enclosure is tampered with. After tampering, the system loses all custom configuration such as keys, certificates, and services. This is one of the reasons that configuration backups are recommended. If tampering occurs, please contact your Sun services representative.
The configuration file of the SSL proxy blade contains all the information that can be configured in the unit. This includes certificates and associated private keys, service information, and network configuration parameters, among others.
The configuration should be backed up using the export config command. The export config command is only available to the so, and uses FTP to create an encrypted configuration file.
The so provides a Configuration Storage pass phrase every time the configuration is exported or imported. This Configuration Storage pass phrase determines the encryption key of the Configuration file. Thus, losing this pass phase will render the backups unusable. Also, knowledge of this pass phrase might enable a security expert to decrypt the configuration file, thus exposing the private keys.
The SSL proxy blade provides a high degree of system security, yet overall security still depends on secure management of relevant keys, in this case, the Configuration Storage pass-phrase.
Exporting the configuration from one SSL proxy blade unit allows its configuration to be copied by importing the configuration to another SSL proxy blade.
This section explains the ciphers supported by the SSL proxy blade.
The first number of the SSL ID corresponds to the protocol number, 0 for SSL3 and 1 for TLS1. The second number corresponds to the cipher indicated in the name column. The name of the cipher can be broken in sub fields as indicated below.
The level of cipher security for a service can be set through the CLI to high, medium, or low. These setting correspond to a specific list of ciphers that guarantee a minimum security level for the server.
|
Includes all Low security ciphers, except DES ciphers. |
|
The cipher is negotiated by the SSL endpoints. A configured service will only accept the particular cipher or accept negotiation to something equal or stronger.
The Export cipher enforces a maximum limit for the level of security in order to meet export laws.
If your intent is to set up security such that the connection is done with the highest security that the browser can support, then the cipher level that has this behavior is low.
The SSL proxy blade supports the following RSA key sizes in bits: 512, 1024, and 2048. The SSL proxy blade can generate and import keys and certificates that use these sizes. Currently, 1024 bit is the recommended level of security for commercial applications.
| Sun Fire B10p SSL Proxy Blade Administration Guide | 817-0826-11 |
|
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.