NetScaler, as a leading load balancer, provides SSL offload and termination to large and small websites today. Due to increased security concerns, US NIST has recommended a transition to 2048-bit SSL certificates by end of 2010. To help our customers with this transition, we implemented significant enhancements in NetScaler release 9.2 to boost 2048-bit SSL Transactions per Second (TPS).
Moving from 1024-bit to 2048-bit certificates poses a significant challenge to the SSL infrastructure. Doubling the key size increases the computation required during key negotiation and can impact SSL TPS by up to 30x (compared to 1024-bit). The enhancements in NS9.2 allow NetScaler to improve this SSL transaction performance compared to previous releases.
nCore architecture delivers exceptional SSL performance
NetScaler 9.1 introduced the nCore architecture to take advantage of multiple processor cores available on the MPX hardware platforms. In NetScaler 9.2, the nCore architecture was extended to the SSL acceleration processors. This includes:
- Intelligent load balancing of SSL chips: Each MPX platform contains multiple SSL chips. The nCore architecture allows the packet engines to intelligently load balance the SSL operations among the chips available.
- Multiple queues per SSL chip: To better utilize the chip hardware capabilities, multiple SSL operations can be queued per chip.
- SSL card optimization: Citrix has worked with Cavium Networks to optimize the performance of SSL hardware to process larger RSA keys (2048-bit and 4096-bit).
Why transition to 2048-bit keys
SSL RSA with 1024-bit keys is the commonly deployed public key technology today. Security research has shown that 1024-bit RSA keys can be compromised in the near future using significant computing resources. The U.S. National Institute of Standards and Technology (NIST) issued Special Publication 800-57 in March 2007 recommending the use of 2048-bit RSA keys starting Jan. 1, 2011. With current technology and research, doubling the key length from 1024-bit to 2048-bit increases the computational complexity of breaking a key by close to a billion times. 2048-bit keys are expected to be secure till 2030.
Following this recommendation and Microsoft Windows security guidelines, Certificate Authorities (CAs) are migrating to 2048-bit SSL certificates for end users. Extended Validation (EV) certificates (in use at major ecommerce and financial sites) are already at 2048-bit strength. Starting the later half of 2010, CAs will enforce this requirement by issuing only 2048-bit certificates.
NetScaler 9.2 Security highlights
NS9.2 also contains significant security highlights related to SSL and other security modules in the NetScaler system. These include:
- OCSP support: Dynamically check for Certificate revocation by connecting to an OCSP responder. This is in addition to the standard Certificate Revocation List (CRL) mechanism.
- Subject Name Indicator (SNI) support: extension to TLS1.1 that allows the modern browsers to indicate the server name to which it is trying to establish a secure channel. This is very useful in Virtual hosting scenarios.
- Application Firewall CSRF support: The Application Firewall module added new defense against Cross-Site Request Forgery attacks.
- AAA Form-based SSO: The AAA module now supports auto-submission of credentials to backend web applications that use a HTML form to request user credentials.
- Availability – This enhancement is available by upgrading to NS9.2 Build 46.x on all current MPX platforms. Legacy platforms NS7000 and NS12000 do not support this optimization.