Sunday, April 24, 2005

Using SSH to reduce connectivity overhead between servers

Let's say that a server hosted in one datacenter needs to connect to a server located in another datacenter. For example, an application hosted in your own datacenter needs to send out SMS messages, so it connects to the carrier's gateway in their datacenter.

With this kind of connectivity requirement, you would usually use SSL encryption between the servers to prevent data leaking via sniffing. You would also set up IP filtering or mutual authentication via certificates on both sides to prevent unauthorized connections.

Every time your application connects to the other server using a combo of mutual authentication and SSL, it is an expensive operation in terms of the CPU usage and time spent in the connection handshake.

How could you reduce this unnecessary overhead? If you set up a permanent SSH tunnel between your server and the other server, the expensive connection handshake becomes a one-time cost, paid when the tunnel is established. All your requests go to your local SSH end-point. SSH encrypts all the data, sends it over to the other server, decrypts it and presents it for the other server to process. The only caveat is that you need an account on the other server to set up a permanent SSH tunnel between your server and the other one.

Here is how you would set up the SSH tunnel (user is your account on the other server):
ssh -L local_port:target_server:target_port user@target_server

You just need to modify your application to send all its requests to local_port on the local machine, and the SSH tunnel will automatically forward them to target_server.

SSH not only provides end-to-end encryption, it can also be set up to perform authentication using a private/public key pair instead of passwords.
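
An added example (not from the original post) of running the tunnel described above as a long-lived, key-only forward that reconnects when it drops. The account, host names and key path are placeholders, and the SSH override variable is an assumption of this sketch, there only so the command line can be inspected without connecting.

```shell
#!/bin/sh
# Added example, not from the original post. Host names, the account
# and the key path passed in are placeholders (assumptions).

# valid_port PORT: succeeds only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# run_tunnel LOCAL_PORT TARGET_HOST TARGET_PORT USER@SSH_SERVER KEYFILE
# Returns 2 on bad arguments, otherwise the exit status of ssh.
# -N: forward only, no remote command. BatchMode/PasswordAuthentication=no:
# key authentication only, never prompt. ExitOnForwardFailure: exit if
# local_port cannot be bound. ServerAlive*: notice a dead link in ~90 s.
# The listener is bound to 127.0.0.1 so other hosts cannot use the tunnel.
# If TARGET_HOST is not the SSH server itself, the hop from the SSH server
# to TARGET_HOST is not covered by SSH encryption.
run_tunnel() {
    [ "$#" -eq 5 ] && valid_port "$1" && valid_port "$3" || {
        echo "usage: run_tunnel local_port target_host target_port user@host keyfile" >&2
        return 2
    }
    "${SSH:-ssh}" -N \
        -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -i "$5" \
        -L "127.0.0.1:$1:$2:$3" \
        "$4"
}

# "Permanent" tunnel: reconnect whenever ssh exits.
# Usage: tunnel.sh start 8443 target_server 443 tunnel@target_server ~/.ssh/tunnel_key
if [ "${1:-}" = "start" ]; then
    shift
    while :; do
        rc=0
        run_tunnel "$@" || rc=$?
        [ "$rc" -eq 2 ] && exit 2   # bad arguments: do not retry
        sleep 5
    done
fi
```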


Copyright Anand Jain 2004, 2005. All rights reserved.