Strategy: Terminate SSL Connections in Hardware and Reduce Server Count by 40%

This is an interesting tidbit from near the end of the Packet Pushers podcast Show 15 – Saving the Web With Dinky Putt Putt Firewalls. The conversation was about how SSL connections need to be terminated before a WAF (Web Application Firewall) can process them, since the WAF inspects the decrypted HTTP for security problems like SQL injection and cross-site scripting exploits. Much was made of the point that if programmers did their job better these appliances wouldn't be necessary, but I digress.

To terminate SSL, most shops run SSL connections into Intel-based Linux boxes running Apache. This setup is convenient for developers, but it's not optimized for SSL, so it's slow and costly. Much of the capacity of these servers is unnecessarily consumed processing SSL.

Load balancers, on the other hand, have crypto cards that terminate SSL very efficiently in hardware. Efficiently enough that if you are willing to get rid of the general-purpose Linux boxes and terminate SSL on your big iron load balancers instead, your server count can be decreased by 40%. Client performance will also be greatly increased because SSL accelerators are faster at SSL than generic boxes.

Developers don't like this option because they don't trust load balancers. These devices are out of their control and are difficult to debug, provision, and test. But if you already have or are considering load balancing appliances and you can work out the trust issues, a whole lot of CPU can easily be reclaimed.