Introduction
SSL acceleration
One of the first methods used to address the SSL performance problem was the hardware accelerator. This is a card that plugs into a PCI slot or SCSI port and contains a co-processor that performs part of the SSL processing, relieving the load on the Web server’s main processor. SSL hardware accelerators are made by a number of vendors.
SSL offloading
The term “offloading,” however, is generally used to describe an appliance or a completely separate computer that performs all SSL processing, so that the SSL load is taken off of the Web server completely.
SSL offloaders can greatly enhance the effectiveness of intrusion detection systems, virus detection systems and similar tools. These systems cannot detect attack signatures or virus signatures contained in data that is SSL-encrypted, but the offloader can decrypt the data so that the IDS, virus software or application-layer firewall can examine its contents and block suspicious packets.
There are two basic ways of doing this: the offloader can perform SSL termination or SSL bridging (sometimes called SSL initiation).
An SSL offloader that acts as an SSL terminator decrypts the SSL-encrypted data and then sends it on to the server in an unencrypted state, so that the server does not have to perform decryption and the burden on its processor is relieved.
The unencrypted data may pass through an IDS, virus detection system and/or application layer firewall on its way to the server.
SSL termination improves performance at the server, but it also poses a security problem: data travels from the offloader to the server without the protection of encryption.
There is a method for allowing inspection of SSL-encrypted data before it reaches the server to prevent application layer attacks hidden inside, without compromising the end-to-end security of the data. Microsoft calls this technology SSL bridging. Other vendors use different terminology; for example, SonicWall calls it SSL initiation.
Regardless of the name, here is how it works: the application-layer-aware firewall intercepts and decrypts SSL-encrypted traffic, examines the contents to ensure that it does not contain malicious code, then re-encrypts it before sending it on to the server. Although the data is temporarily in a decrypted state at the firewall, it is protected when it is sent across the network.
However, this means that the server will have to decrypt the data again, thus negating the performance advantage of SSL offloading.
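As an added illustration (not taken from the original article or from either of the referenced sources), the following nginx reverse-proxy configuration shows the two offloading modes side by side: termination, which forwards plaintext to the server, and bridging, which re-encrypts before the server hop. Host names, addresses and certificate paths are assumptions.

```nginx
# Constructed example: one offloader host (nginx reverse proxy) in front of a
# single backend at 10.0.0.10. All names, addresses and paths are assumptions.

# Mode 1: SSL termination. TLS ends at the offloader and the backend receives
# plaintext HTTP, so the backend does no TLS work. The offloader-to-backend
# hop is unprotected, so it should run on an isolated network segment.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/certs/www.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;
        # Tell the backend that the client actually used TLS.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Mode 2: SSL bridging (re-encryption). Traffic is decrypted here, so any
# inspection module loaded into this nginx sees plaintext, then it is
# re-encrypted before the backend hop. The backend must terminate TLS again,
# so the CPU saving of Mode 1 is lost.
server {
    listen 443 ssl;
    server_name secure.example.com;

    ssl_certificate     /etc/nginx/certs/secure.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/secure.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://10.0.0.10:443;
        proxy_set_header Host $host;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # Verify the backend's certificate against the internal CA so the
        # re-encrypted hop cannot be silently redirected to another host.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal;
    }
}
```

Without `proxy_ssl_verify on`, the bridged hop is encrypted but the backend's identity is not checked, which is a weaker guarantee than the end-to-end protection the text describes.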
References
http://www.windowsecurity.com/articles-tutorials/web_server_security/SSL-Acceleration-Offloading-Security-Implications.html
http://www.techrepublic.com/article/solutionbase-understanding-how-ssl-bridging-works/