[openssl-dev] F5 termination of TCP connection

Krzysztof Kwiatkowski krzysiek at leeds.pl
Mon Jun 1 20:59:36 UTC 2015


Yes, obviously security of the connection ends on offloading device with 
all consequences.

I agree that having TLS end-to-end is great but quite hard to do with 
OpenSSL if you need a full-duplex connection. So in my case I have SSL 
till F5. One connection may trigger many transactions inside my intranet 
and here I can't afford half-duplex. So we offload SSL on F5 and just 
make sure everything behind F5 is super secure (but not ssl).

Kris


On 06/01/2015 07:30 PM, Jeffrey Walton wrote:
> On Mon, Jun 1, 2015 at 12:56 PM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
>> On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote:
>>
>>> Yes, that's exactly what we do in our configuration. We have 24 servers
>>> with rather high workload. SSL is offloaded on F5 load balancer and
>>> servers behind load balancers receive decrypted traffic.
>>>
>>> I'm not aware of any performance issues. And in fact it's quite good
>>> idea as server itself doesn't need to know anything about TLS/SSL
>>> protocol.
>> ...  And the network connecting the load balancers to the backend
>> servers is completely physically secured, has no untrusted devices
>> connected to it anywhere, and all the backend servers completely trust
>> each other to avoid snooping or interfering with each others' traffic
>> ... right?
> +1.
>
> I've seen financial institutions use T1 or T3 framing between data
> centers as the only protection (and not IPSec or TLS). Their thinking
> was no one could really tap the copper or fibre, so it was not a
> problem. If someone did tap it, then the signal could not be
> used/interpreted without special equipment, so it was not a problem
> again.
>
> I've also seen malware burrow in within the security boundary at
> financial institutions. The malware was more than happy to leave the
> databases alone and sniff the traffic to avoid IDS. And the malware
> will encrypt its outgoing payload on the way to its dead-drop, so the
> data gets encrypted eventually :)
>
> Jeff
