Hi! I'm doing a bit of research on this, so is there any security risk if we have the SSL certificate installed at the load balancer instead of the server? And what is the industry best practice to install SSL certificates? On server, load balancer, or ADC?

Thanks a lot!

+2  A: 

This is probably better off on Server Fault, but I'll give it a shot here.

There's no increased security risk in putting an SSL certificate on the load balancer, assuming the load balancer is configured correctly and won't serve up the private key. This risk exists on any server, load balancer or not; a new OS compromise or attack might, although it's unlikely, allow that to happen.

However, depending on how you do it, traffic behind the load balancer could be sent unencrypted if the load balancer only talks HTTP to the content servers. So you need to configure the forwarded connections to use HTTPS as well, either using internal certificates and your own CA, or by installing the externally facing HTTPS cert on the content servers (and you'll need to do this if you're aiming for PCI compliance).

Remember there's also a load risk: encryption is expensive, and putting the cert on the load balancer increases the, errr, load on it. If the load balancer is already overstretched this may be the final straw. If you're looking at lots of transactions then you tend to see a hardware SSL device sitting before the load balancer which takes care of the SSL traffic, then talks HTTP to the load balancer, which talks HTTP to the content servers. (Again, this needs to be HTTPS if you are aiming for PCI compliance.)

blowdart
Does seem like a Server Fault question, but nice answer anyway - deserves a +1 imho
serg10
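
One way the re-encrypted hop described in this answer could look on an nginx load balancer, with the cleartext variant left commented out for comparison. This is an added example, not part of the original answer; the hostnames, addresses and file paths are placeholders.

```nginx
# Added example: all hostnames, addresses and file paths are placeholders.

upstream content_servers {
    server 10.0.0.11:443;   # content servers listen for HTTPS
    server 10.0.0.12:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Public certificate and private key live on the load balancer only.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        # Weak variant: TLS ends here and the hop to the content servers
        # is cleartext HTTP (upstream servers would listen on port 80).
        # proxy_pass http://content_servers;

        # Re-encrypted variant: speak HTTPS to the content servers.
        proxy_pass https://content_servers;

        # proxy_ssl_verify is off by default; without it nginx encrypts
        # the hop but accepts any certificate the backend presents.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Root of the internal CA that issued the content servers' certs.
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        # Name expected in the backend certificate and sent as SNI.
        proxy_ssl_server_name on;
        proxy_ssl_name        content.internal.example;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Let the application know the client connection was HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```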
+1  A: 

Here are the implications I could think of:

  • Unless you re-encrypt the traffic between the SSL accelerator and the final server, traffic on the internal network will be in clear text. That could cause other security flaws to become more dangerous. Depending on what your legal and contractual requirements are regarding the data you're transferring, it might be unacceptable.
  • You will lose the ability to use X509 certificates to identify the clients. This could be a problem or not depending on what you're doing.

As for certificate management, you're storing the private key on the SSL accelerator instead of the server. This could actually be an advantage because if the web server gets compromised, the attacker will still have no access to the private key itself and therefore will not be able to steal it.

Stephane
A: 

Thanks for the reply :) I have one more question: if there are any changes in SSL, and suppose it was set up in the SSL accelerator or load balancer, does that mean a one-time update only? On the contrary, if it resides on each server, would we have to make changes to all servers? Thanks

Please don't ask additional questions as answers; either edit your question, or reply to one of the answers. And if the SSL terminates at the balancer then you only need to update it there, assuming you talk HTTP beyond that to your internal network
blowdart
A: 

There are many levels of load balancing. You don't have a choice but to put the cert in the load balancer in most popular configurations.

For example, if you are proxying the HTTP traffic in the load balancer, it has to terminate the SSL connection so it must have the cert.

Normally, the load balancer lives in the secure zone so you don't have to use SSL between balancer and your server. If that's not the case, you can use SSL again but you defeat the purpose of the SSL acceleration feature on most switches.

ZZ Coder