
Related, but not the same question as: Should SSL be terminated at a load balancer?

Our web stack looks like:

  1. Web Server - IIS
  2. Load Balancer - NetScaler
  3. Firewall - Palo Alto
  4. CDN/WAF - Akamai
  5. End client

What is the best practice for ensuring security while having the minimal number of TLS encrypts/decrypts?

smdrager
    You encrypt to protect the data in the channel. The question back to you is: what channels need protecting? – schroeder Apr 24 '18 at 19:45
  • The most secure way to handle traffic would be end-to-end encryption... ie. no termination mid-stream. Networking is more complex than that, though. But the rule of thumb should remain that you don't want to be decrypting traffic anywhere you don't give your complete trust. For example, if the information is sensitive, it probably shouldn't be decrypted by a CDN. – nbering Apr 24 '18 at 19:52
  • Subjective question will get opinionated answers. My opinion: If the data is important to you, then it should be SSL right to the web server, and be decrypted in as few places as possible on its way there. SSL is cheap to implement these days. This is just common sense – caesay Apr 24 '18 at 20:18

1 Answer


If your data is sensitive (more than regular personal data), you may want to use TLS all the way to the web server and decrypt in as few places as possible (ideally not at all). Especially CDN which you do not control should not be allowed to decrypt the data.

That being said, IMHO for most kinds of data, encrypting up to your firewall should be enough, as your local network should be protected. If it is not (you don't have adequate physical defenses, like cameras, alarms, locks...), you may want to get some. Also all the equipment and networking (3,2,1) should preferably be in one locked room, where only a few highly trusted employees have access, as physical access is often as dangerous as root privileges.

You still need to encrypt client to CDN and CDN to firewall (your building), but if your CDN is reputable, you can let it decrypt the data.

Peter Harmann
    Even if a CDN is "reputable", it'll likely be distributing its session ticket key to all its servers which vastly increases risks if just one of them is compromised. – forest Apr 25 '18 at 01:12
    @forest it is, but by reputable I also mean the CDN likely knows what it is doing. I would certainly never recommend allowing it for anything sensitive, but for forums, chat boards and stuff like that, it should be fine. – Peter Harmann Apr 25 '18 at 01:16