Flowmon

Publishing & Securing Legacy Applications

04/06/21

In the previous blog post, we discussed load balancing essentials and methods of traffic distribution among the real servers. When you publish an application with Kemp LoadMaster you can add lots of extra capabilities on top of the basic load balancing.

In this post we’re going to look at ways of securely publishing legacy applications using the LoadMaster Edge Security Pack (ESP) and SSL Acceleration features.

SSL Offloading allows you to securely encrypt traffic using the HTTPS protocol between the user and the LoadMaster even if the application servers cannot cope with the latest encryption standards or only support HTTP. This allows you to have secure communication over the internet with legacy applications.

ESP uses a similar design to add authentication to the application. You can set up different authentication methods between your users and the LoadMaster even if your application doesn’t support authentication or uses insecure methods such as Basic Authentication.

These features can replace the need for expensive and complicated VPN solutions while maintaining security. Recently, we took this concept even further with our Zero Trust Access Gateway approach that provides a more secure and resilient option to access critical company applications.

Figure 1 – The LoadMaster’s role in legacy application user authentication

SSL Offloading

SSL Offloading works by placing the SSL certificate on the load balancer. LoadMaster is then able to negotiate secure connections with end-user devices while using unencrypted connections to the application servers. By terminating the encrypted traffic in this way, you can provide secure public connections even if the internal communications are not encrypted. Terminating the SSL connection also allows LoadMaster to apply other content services, such as caching, compression and Web Application Firewall (WAF), to the traffic.

Figure 2 – SSL Offloading configuration on LoadMaster

Edge Security Pack

When setting up edge security you may use different authentication methods on the client-side and server-side connections. A common setup uses form-based authentication for the client connections and basic authentication for the server side. You are also able to authenticate users even if your servers don’t support any type of authentication, as shown in the screenshot below. By separating the client-side connections from the server-side connections, LoadMaster gives you complete flexibility in how end users connect and authenticate.

Figure 3 – Edge Security Pack configuration

ESP also supports single sign-on (SSO) across multiple applications and advanced authentication protocols such as Kerberos Constrained Delegation, NTLM, SAML and OpenID Connect (OIDC). These advanced protocols can be challenging to configure on every application server, but with LoadMaster you can configure and manage them from one place. SAML and OIDC are important protocols for integration with third-party identity providers such as Azure AD. LoadMaster also supports integration with Duo, a common multi-factor authentication provider.

Network Telemetry & Traffic Encryption

LoadMaster’s Network Telemetry feature goes beyond the application workload itself by monitoring all traffic on the network interfaces. This gives you insight into service traffic such as Kerberos or NTLM communication with Microsoft infrastructure, or any other authentication-related traffic that LoadMaster initiates on behalf of the user, which is an additional benefit when troubleshooting network or application-related issues. With SSL offloading without re-encryption, where LoadMaster terminates the encrypted user sessions and the traffic between the LoadMaster and the real servers is not encrypted, full application metadata visibility is available, including the HTTP hostname, URL, HTTP method and more.

Figure 4 – List of communications between a LoadMaster and two real servers including additional metadata

For encrypted traffic, on the other hand, it is useful to understand which SSL/TLS version and cipher suite are in use. This information is extracted from encrypted traffic at the point where encryption is established, when it is exposed on the network. As the example below shows, our users run only TLS 1.2 and TLS 1.3, which corresponds to best practice.

Figure 5 – Statistics of TLS version and cipher suite in use
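As an added example (not from the original post, and not LoadMaster or Flowmon code), the following Python parses a TLS ServerHello record, the handshake message in which the server's chosen protocol version and cipher suite travel in the clear, and flags anything below TLS 1.2 as outside the best practice described above. The `build_server_hello` helper constructs sample records so the script runs offline; the version and cipher suite tables are assumptions covering only the values used here.

```python
"""Extract negotiated TLS version and cipher suite from a ServerHello record."""
import struct

# Names for the handful of IANA-registered values used in the samples below.
CIPHERS = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B   # TLS 1.3 carries the real version in this extension


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ServerHello; report version, cipher and a policy flag."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]   # handshake body
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # skip session_id (length-prefixed)
    cipher = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                                      # cipher suite + compression method
    version = legacy_version
    if pos < len(body):                           # extensions block is optional
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = int.from_bytes(body[pos + 4:pos + 6], "big")
            pos += 4 + ext_len
    return {
        "version": VERSIONS.get(version, hex(version)),
        "cipher_suite": CIPHERS.get(cipher, hex(cipher)),
        "meets_best_practice": version >= 0x0303,   # TLS 1.2 or newer
    }


def build_server_hello(legacy_version: int, cipher: int, selected_version=None) -> bytes:
    """Constructed sample ServerHello (not captured traffic) to feed the parser offline."""
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body      # handshake type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs
```

Feeding `build_server_hello(0x0303, 0x1301, 0x0304)` to the parser yields TLS 1.3, while `build_server_hello(0x0301, 0x002F)` is reported as TLS 1.0 and flagged.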

Outside of the traffic related to the application workload, various service protocols such as DNS, NTP or SSH are essential for proper application delivery. An overview of these protocols and their relevant details is not only important for troubleshooting, but also helps to audit security measures and reveal potential attacks. That is just another benefit of using LoadMaster Network Telemetry with Flowmon.

Figure 6 – List of communications including information about various services used

Summary

Together, SSL Offloading and ESP authentication allow your legacy applications to be securely published to the internet. By publishing your application with LoadMaster you are able to encrypt and authenticate your user traffic over the Internet without upgrading or changing your application servers at all. This is much simpler than complex VPN solutions and easy for end users to access. When using ESP you introduce another layer of protection against a variety of attacks on web applications and vulnerabilities in application servers: anyone who wants to interact with the application itself, including an attacker, must first authenticate properly via ESP. Once you have SSL Offloading in place, you’re also able to use many other features of LoadMaster such as caching, compression and WAF. All the network traffic related to application workloads, as well as service traffic, can be monitored and analyzed using Flowmon combined with LoadMaster’s traffic monitoring and network telemetry export.