
Tls termination – Amer Networks E5Web GUI User Manual


sent to a client at the beginning of a TLS session in order to establish the server's identity and
then be the basis for encryption. Certificates signed by a Certificate Authority (CA) can be used
on the server, in which case a client's web browser will automatically recognize the certificate
as valid.

Self-signed certificates can be used on the server instead of CA-signed certificates. With a
self-signed certificate, the client's web browser will warn the user that the certificate's
authenticity is not recognized, and the user will have to explicitly tell the browser to accept
the certificate and continue.

Figure 6.7. TLS Termination

Advantages of Using cOS Core for TLS Termination

TLS can be implemented directly in the server to which clients connect. However, if the servers
are protected behind a Clavister Security Gateway, cOS Core can instead take on the role of the
TLS endpoint. cOS Core then performs TLS authentication, encrypts and decrypts the data exchanged
with clients, and transfers the unencrypted data to and from the servers. The advantages of this
approach are:

TLS support can be centralized in the Clavister Security Gateway instead of being set up on
individual servers.

Certificates can be managed centrally in the Clavister Security Gateway instead of on
individual servers. Unique certificates (or one wildcard certificate) do not need to be
present on each server.

The encryption/decryption processing overhead required by TLS can be offloaded to the
Clavister Security Gateway. This is sometimes referred to as SSL acceleration. Any processing
advantage actually achieved will, however, vary and depends on the comparative processing
capabilities of the servers and the Clavister Security Gateway.

Decrypted TLS traffic can be subject to other cOS Core features such as traffic shaping or
IDP scanning for threats directed at the servers.

TLS can be combined with cOS Core server load balancing to provide a means to spread traffic
across servers.
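The following Go program is an added example and is not code from the Clavister manual or from cOS Core. It models the two points made above with Go's own TLS and test-server packages instead of a security gateway: first, how a client judges the two certificate options (a CA-signed certificate is accepted automatically by a client that trusts the CA, a self-signed one is rejected until the user explicitly accepts it, which amounts to adding it to the client's trust store); second, the termination topology, where a TLS front end decrypts the client's session and forwards plain HTTP to a backend that never handles TLS itself. The host name `gateway.example.test`, the CA name "Example Root CA" and the function names are assumptions made for the example; the certificates are generated in memory when the program runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// gatewayName is a constructed host name for the TLS endpoint; it is not a real host.
const gatewayName = "gateway.example.test"

// must unwraps a (value, error) pair; every input here is fixed, so an error is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a certificate for cn signed by parent, or self-signed (issuer == subject) when parent is nil.
func mustCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // clients match the expected server name against the SAN
	}
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// verifies reports whether a client whose trust store is roots would accept cert for gatewayName.
func verifies(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: gatewayName})
	return err == nil
}

// CheckTrust contrasts a CA-signed certificate seen by a client trusting the CA, a self-signed one
// seen by that client, and the self-signed one after the user has explicitly accepted it.
func CheckTrust() (caSignedOK, selfSignedOK, selfSignedAcceptedOK bool) {
	ca, caKey := mustCert(1, "Example Root CA", true, nil, nil)
	caSigned, _ := mustCert(2, gatewayName, false, ca, caKey)
	selfSigned, _ := mustCert(3, gatewayName, false, nil, nil)
	caRoots, accepted := x509.NewCertPool(), x509.NewCertPool()
	caRoots.AddCert(ca)
	accepted.AddCert(selfSigned)
	return verifies(caSigned, caRoots), verifies(selfSigned, caRoots), verifies(selfSigned, accepted)
}

// RunTermination models the gateway role: a TLS front end terminates the client's session and
// forwards plain HTTP to a backend, which reports whether the request it received carried TLS.
func RunTermination() (string, error) {
	ca, caKey := mustCert(10, "Example Root CA", true, nil, nil)
	leaf, leafKey := mustCert(11, gatewayName, false, ca, caKey)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend saw TLS: %t", r.TLS != nil) // nil: the gateway already decrypted it
	}))
	defer backend.Close()
	gateway := httptest.NewUnstartedServer(httputil.NewSingleHostReverseProxy(must(url.Parse(backend.URL))))
	gateway.TLS = &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey, // leaf plus issuer, as installed on the gateway
	}}}
	gateway.StartTLS()
	defer gateway.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: roots, ServerName: gatewayName, // the client trusts the CA and expects this name
	}}}
	resp, err := client.Get(gateway.URL)
	if err != nil {
		return "", err // for example, the client rejected the gateway's certificate
	}
	defer resp.Body.Close()
	return string(must(io.ReadAll(resp.Body))), nil
}
```

`CheckTrust` returns true, false, true: the CA-signed certificate passes, the self-signed one fails against the same trust store, and only passes once it has been added explicitly. `RunTermination` returns the body "backend saw TLS: false", because the backend's `r.TLS` is nil: the session was terminated at the front end, which is also why features applied at that point (traffic shaping, IDP scanning, load balancing) see plaintext.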

Enabling TLS

Chapter 6: Security Mechanisms

440
