Yes, obviously the security of the connection ends on the offloading device, with
all the consequences.
I agree that having TLS end-to-end is great, but it is quite hard to do with
OpenSSL if you need a full-duplex connection. So in my case I have SSL
up to the F5. One connection may trigger many transactions inside my intranet,
and here I can't afford half-duplex. So we offload SSL on the F5 and just
make sure everything behind the F5 is super secure (but not SSL).
Kris
On 06/01/2015 07:30 PM, Jeffrey Walton wrote:
On Mon, Jun 1, 2015 at 12:56 PM, Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:
On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote:
Yes, that's exactly what we do in our configuration. We have 24 servers
with rather high workload. SSL is offloaded on F5 load balancer and
servers behind load balancers receive decrypted traffic.
I'm not aware of any performance issues. And in fact it's quite a good
idea, as the server itself doesn't need to know anything about the TLS/SSL
protocol.
... And the network connecting the load balancers to the backend
servers is completely physically secured, has no untrusted devices
connected to it anywhere, and all the backend servers completely trust
each other to avoid snooping or interfering with each others' traffic
... right?
+1.
I've seen financial institutions use T1 or T3 framing between data
centers as the only protection (and not IPSec or TLS). Their thinking
was no one could really tap the copper or fibre, so it was not a
problem. If someone did tap it, then the signal could not be
used/interpreted without special equipment, so it was not a problem
again.
I've also seen malware burrow in within the security boundary at
financial institutions. The malware was more than happy to leave the
databases alone and sniff the traffic to avoid IDS. And the malware
will encrypt its outgoing payload on the way to its dead-drop, so the
data gets encrypted eventually :)
Jeff
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev