What Is SSL Passthrough?
SSL Passthrough is a network security method that sends encrypted SSL traffic directly from a load balancer to web servers without decryption. This process keeps data fully encrypted during transmission between the client and server.
SSL Passthrough provides high security because the load balancer does not need to handle SSL certificates or decrypt traffic. The load balancer forwards the encrypted data to its destination. This method works well for applications that require end-to-end encryption and strict security compliance.
SSL Passthrough uses fewer resources than SSL Termination because it skips the decryption and re-encryption steps.
How Does SSL Passthrough Work?
Here is a step-by-step overview of how SSL passthrough works:
1. Client Initiates SSL/TLS Handshake
A client, such as a web browser, initiates an SSL/TLS handshake with the destination server by sending an initial “ClientHello” message.
2. Traffic Passes Through Network Device
The encrypted handshake and subsequent request traffic passes through the network device configured for SSL passthrough. This could be a firewall, load balancer, proxy, etc.
3. Device Forwards Traffic to Server
The network device does not decrypt the traffic. It simply forwards the encrypted packets to the destination server based on the IP address and port number.
4. Server Responds and Completes SSL Handshake
The destination server receives the encrypted “ClientHello” message and responds with its handshake messages to establish an encrypted SSL/TLS session with the client.
5. Encrypted Application Data Flows Through Device
Once the SSL/TLS handshake is complete, the client and server can exchange encrypted application data through the SSL tunnel. This encrypted traffic passes through the network device undecrypted.
6. Traffic Reaches its Final Destination
The network device forwards the encrypted packets to and from the client and server so they reach their final destinations intact and secure. At no point is the traffic decrypted by the network device.
What are the Key Benefits of SSL Passthrough?
SSL passthrough provides several key benefits:
- End-to-end encryption: Traffic remains encrypted between the client and server, preserving privacy and security.
- No performance impact: Decrypting and re-encrypting SSL traffic is CPU-intensive. SSL passthrough avoids this overhead.
- No certificate management: The network device doesn’t terminate SSL connections, so there are no certificates to manage on the device.
- SSL offloading: Passthrough allows downstream servers to offload CPU-intensive SSL encryption/decryption tasks.
- Compatibility: SSL passthrough works with both HTTPS websites and other SSL-encrypted protocols.
When to Use SSL Passthrough
Here are some common use cases where SSL passthrough is beneficial:
- Load balancers: SSL passthrough allows load balancers to distribute encrypted connections without decrypting traffic.
- Web application firewalls: WAFs can filter web traffic without decrypting HTTPS connections.
- DLP and malware inspection: Inspecting traffic for data leaks or malware is possible without full decryption.
- Legacy systems: Passthrough supports legacy systems that don’t support TLS decryption.
- No need to decrypt: If there is no need to analyze decrypted traffic, passthrough improves performance.
- Privacy requirements: When privacy standards prohibit decrypting traffic, passthrough becomes necessary.
How Network Devices Inspect Encrypted Traffic with SSL Passthrough
Although SSL passthrough keeps traffic encrypted, network devices can still gain visibility into encrypted sessions for security purposes:
- Monitor certificate metadata: Devices can analyze certificate authorities, validity periods, subject names, etc., without decrypting.
- View TLS handshake: The TLS handshake reveals ciphers and protocol versions used.
- IP and port details: Source and destination IP addresses and TCP ports provide insight into traffic patterns.
- Packet size and timing: Unusual changes in packet sizes or timing of encrypted traffic may indicate anomalies.
- Encrypted Traffic Analytics: Specialized techniques can identify malicious traffic by analyzing traffic patterns in encrypted streams.
- Block non-compliant traffic: Devices can block non-compliant SSL traffic, based on unauthorized ports, protocols, IPs, etc., without decrypting it.
- Allow/block list policies: IP and domain allow/block lists can filter encrypted traffic to specific sites and applications.
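To make the metadata visibility above concrete, here is an added example (not code from the original article or from any vendor listed below) that parses the cleartext ClientHello a passthrough device sees, extracts the SNI host name, the offered cipher suites and TLS versions, and applies an SNI allow-list and a minimum-version policy to the still-encrypted stream. The host name, backend address and function names are constructed for the example.

```python
import struct

def build_client_hello(sni, suites, versions, legacy=0x0303):
    """Build a minimal ClientHello record (constructed sample, not captured traffic)."""
    host = sni.encode()
    name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0x0000, len(name_list) + 2, len(name_list)) + name_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
    exts = sni_ext + ver_ext
    body = (struct.pack("!H", legacy) + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)        # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Read SNI, offered cipher suites and versions from the cleartext ClientHello."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    info = {"legacy_version": struct.unpack("!H", body[:2])[0],
            "sni": None, "cipher_suites": [], "supported_versions": []}
    p = 2 + 32                                   # skip client random
    p += 1 + body[p]                             # skip legacy session id
    n = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + body[p]                             # skip compression methods
    if p + 2 > len(body):
        return info                              # no extensions (old client)
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        data = body[p:p + elen]; p += elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        elif etype == 0x002B and data:                            # supported_versions
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + data[0], 2)]
    return info

def passthrough_decision(info, backends, min_version=0x0303):
    """Pick the backend for the still-encrypted stream from SNI, or block it."""
    offered = info["supported_versions"] or [info["legacy_version"]]
    if max(offered) < min_version:
        return "BLOCK"                            # policy: refuse clients that cannot speak TLS 1.2+
    return backends.get(info["sni"], "BLOCK")    # SNI allow-list; unknown names are dropped
```

Nothing here decrypts anything: every field used for the routing and blocking decision is sent in the clear before any key exchange completes.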
SSL Passthrough Support on Network Devices
Many types of network devices now support SSL passthrough capabilities:
- Next-gen firewalls: Leading NGFWs from Cisco, Palo Alto, Fortinet, Check Point, and more support passthrough.
- Load balancers: Solutions like F5 BIG-IP, Citrix NetScaler, HAProxy, NGINX, and others offer SSL passthrough.
- Proxies: Forward and reverse proxy servers like Squid, Apache Traffic Server, NGINX, and Varnish can be configured for passthrough.
- WAN optimization: WAN optimization controllers from vendors like Riverbed and Silver Peak allow passthrough.
- DLP solutions: Data loss prevention tools such as Symantec DLP and Digital Guardian enable SSL passthrough.
- Web application firewalls: WAFs like Imperva, Akamai Kona, Citrix NetScaler, and Barracuda Web Application Firewall allow passthrough.
How to Implement SSL Passthrough on Network Devices
There are a few key steps involved in implementing SSL passthrough on network devices:
1. Obtain Server Certificate and Key
The server’s public certificate and private key need to be installed on the network device to facilitate forwarding encrypted traffic to the server.
2. Configure SSL Passthrough Policy
Create a policy defining traffic that will be passed through versus decrypted. Traffic can be matched based on ports, source/destination IP, content type, etc.
3. Enable on Load Balancer VIP
For load balancers, enable passthrough on the virtual IP address associated with the destination servers. This ensures traffic is passed through.
4. Verify Certificate Trust
Ensure clients trust the server certificate presented by the network device before the traffic reaches the real server.
5. Test Functionality
Test that clients can establish SSL connections that are successfully passed through to the servers. The network device should not show up as an intercepting proxy.
What are the Drawbacks of SSL Passthrough?
While SSL passthrough is helpful in many cases, there are some potential drawbacks and issues to be aware of:
- Lack of visibility: Not decrypting traffic limits the visibility of malicious activity over SSL.
- Troubleshooting difficulties: It’s harder to troubleshoot and pinpoint issues with encrypted traffic.
- Reliance on external decryption: Decryption is pushed to the server, increasing compute overhead.
- Certificate mismatches: Clients may receive certificate warnings if the server cert is not correctly passed through.
- No advanced threat detection: Advanced threats within encrypted traffic go undetected.
- Industry compliance: Some industry compliance standards may require full SSL inspection.
How to Decrypt SSL Traffic While Preserving Privacy
If full SSL traffic decryption is needed, there are techniques network devices can use to decrypt traffic in a more privacy-preserving manner:
- Perfect Forward Secrecy support: Enables decryption of ephemeral cipher suites that use unique session keys.
- Selective decryption: Only decrypt traffic from specific sites or applications instead of everything.
- Re-encryption: Re-encrypt sessions after inspecting the decrypted traffic.
- Root certificate insertion: To avoid warnings, insert a trusted root certificate on client devices.
- Anonymous certificate replacement: Replace client-issued certificates with anonymous ones during decryption.
- Audit logs: Strictly audit admin access to decrypted traffic to ensure proper oversight.
- Restrict access: Limit which users/devices can see decrypted traffic with access controls.
- Encryption standards: Use the strongest encryption standards available (TLS 1.3, AES, etc.).
What are the Alternatives to SSL Passthrough?
For organizations that need to decrypt SSL/TLS traffic for inspection, there are some alternatives to consider:
- Full SSL/TLS decryption: Decrypt all traffic, inspect it, and then re-encrypt. This method gives full visibility but has potential privacy impacts.
- SSL/TLS intercepting proxy: Use a forward proxy to decrypt traffic. This method is simple to implement but risks certificate warnings.
- Man-in-the-middle decryption: Intercept traffic by masquerading as the destination server. Allows inspection but raises trust issues.
- Agent-based decryption: Install agents on endpoints to decrypt traffic locally and forward it to a collector. This method is more complex but avoids device mismatches.
- API-based integration: Leverage integrations with cloud access security broker and secure web gateway vendors to decrypt web traffic.
What are the Best Practices for SSL Passthrough?
Here are some best practices to follow when implementing SSL passthrough:
- Identify traffic that requires passthrough versus decryption. Overusing passthrough reduces visibility.
- Limit passthrough policies to necessary ports and destinations only. Avoid wide-open policies.
- If using a load balancer, enable passthrough on the client-facing VIP, not on the server-side pool interface.
- Use root certificate insertion on clients for internal traffic to avoid SSL warnings.
- Use publicly signed certificates for external traffic and enable OCSP stapling for certificate validity.
- If decrypting, enable Perfect Forward Secrecy support and re-encrypt sessions after inspection.
- Mask any decrypted session identifiers or cookies that could identify users before re-encrypting.
- Strictly limit access to decrypted traffic through access controls and auditing.
SSL Passthrough Improves Performance and Privacy
SSL passthrough allows network devices to forward encrypted traffic without negatively impacting performance or end-user privacy. Passthrough and focused decryption policies provide optimized security, visibility, and trust. As encryption usage grows and new standards like TLS 1.3 evolve, SSL passthrough will remain essential for balancing performance needs with security and compliance requirements.
Final Thoughts
In summary, SSL passthrough is a crucial technology that enables secure data transmission, allowing encrypted traffic to pass through load balancers without decryption. This method preserves the end-to-end encryption between clients and servers, enhancing security and performance.
By understanding how SSL passthrough works, businesses can implement it effectively to protect sensitive information while optimizing their network infrastructure.
Overall, SSL passthrough is essential for maintaining secure communications in today’s digital landscape.
Frequently Asked Questions About SSL Passthrough
Here are some frequently asked questions about SSL passthrough:
What is the difference between SSL passthrough and SSL offloading?
SSL offloading refers to decrypting traffic on the network device and sending unencrypted traffic to the server. SSL passthrough keeps traffic encrypted end-to-end. Offloading reduces server overhead while passthrough maintains privacy.
Does SSL passthrough impact network performance?
No, SSL passthrough improves performance by not decrypting traffic. This avoids the significant CPU overhead of decryption/encryption on the network device.
Can SSL passthrough inspect traffic for threats?
Analyzing the encrypted traffic metadata and flow patterns allows for limited inspection, but full content inspection requires decryption.
Does SSL passthrough cause certificate warnings?
If properly implemented, it shouldn’t. To avoid trust issues, the network device re-signs server certificates with its own CA.
Can SSL passthrough work with HTTPS traffic?
SSL passthrough works seamlessly with HTTPS websites and other SSL/TLS-encrypted application traffic.
Is SSL passthrough recommended over decryption?
It depends on the specific use case. Passthrough preserves privacy and performance, while decryption enables full traffic inspection. The best practice is to selectively use each method based on risk, compliance, and performance needs.
What are the security risks of SSL passthrough?
The main risk is the lack of visibility into encrypted traffic, which could allow malicious activity to go undetected. Proper security policy design is essential.
Does SSL passthrough support modern cipher suites like ECDHE?
Yes, SSL passthrough is transparent to the cipher suite negotiated between the client and server, including elliptic curve cipher suites.
Can SSL passthrough work with HTTP/2 traffic?
Yes, SSL passthrough will forward HTTP/2 traffic encrypted inside a TLS tunnel without issues.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.