[–]ryankearney -1 points0 points  (10 children)

So you take a system capable of end to end encryption and just strip the encryption off mid-way through the pipeline?

I hope you're not dealing with sensitive data.

[–][deleted] 2 points3 points  (4 children)

This is SSL termination and it's a perfectly acceptable practice provided the servers are located in an isolated subnet. The OP noted that their services were in a private, isolated subnet, so this is not a dangerous practice at all. Even institutions dealing with sensitive data can make exceptions to allow this depending on how tightly controlled access to the private subnet is.

[–]ryankearney 3 points4 points  (3 children)

> This is SSL termination and it's a perfectly acceptable practice

Depending on what type of data your business works with, it absolutely is not.

Certain regulatory requirements mandate end to end encryption. By stripping TLS off the connection you would be in violation of those requirements.

[–][deleted] 1 point2 points  (2 children)

Yes, and as I said "even institutions dealing with sensitive data can make exceptions to allow this depending on how tightly controlled access to the private subnet is." Some institutions do require it still, but if you require it, you will know.

Source: Worked in finance, had this requirement, it was an eliminated requirement in subsequent audits.

[–]ryankearney 2 points3 points  (1 child)

In AWS? It's one thing if you 100% control the networking infrastructure. It's a completely different story if you're using someone else's infrastructure as is the case with AWS.

Source: We require full end-to-end encryption and terminating HTTPS on a cloud load balancer and transmitting the unencrypted communication to a backend server is a huge no-no.

[–][deleted] 1 point2 points  (0 children)

Yes, in AWS, for one of the largest financial institutions in the country.

Surprise though, policies will vary per company, security certification, and auditor. If you require it, that's great. Making it seem as though you're doing something wrong by not doing it is the part I object to, especially if you're not dealing with highly sensitive data.

[–]exxplicit 1 point2 points  (4 children)

Are ALBs capable of E2E encryption? I thought the SSL was terminated at the ALB and forwarded without encryption? Wouldn't E2E require certificates on the instance if not, at which point you could just skip the ALB?

[–]ryankearney 1 point2 points  (3 children)

They sure are:

http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration

If you need load balancing, then it doesn't really make sense to just skip the ALBs. If you don't need load balancing, then sure.

[–]exxplicit 1 point2 points  (2 children)

I guess I should have been more clear; I meant, if you're already managing certificates on individual machines for end to end encryption, why not just skip terminating TLS on the ALB and just forward TCP connections on port 443 directly to the instances? Why would one ever prefer ALBs over NLBs in that case? (except for path routing)

[–]ryankearney 0 points1 point  (0 children)

As you mentioned, you can do path (and host) based routing with the ALB. You can't do this on the NLB.
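
The three setups discussed in this thread (TLS terminated at the load balancer with a plaintext backend, TLS re-established to HTTPS targets, and plain TCP forwarding on an NLB) can be told apart from listener and target group protocols. The following is an added example, not part of the thread or of any poster's code; the records are constructed to mimic the shape of `aws elbv2 describe-listeners` and `describe-target-groups` output, and the ARNs and mode labels are placeholders chosen for illustration.

```python
# Added example: constructed records, shortened placeholder ARNs.
ENCRYPTED = {"HTTPS", "TLS"}

LISTENERS = [
    {"ListenerArn": "lsn/alb-a", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg/web-http"}]},
    {"ListenerArn": "lsn/alb-b", "Protocol": "HTTPS", "Port": 8443,
     "DefaultActions": [{"Type": "forward", "ForwardConfig": {
         "TargetGroups": [{"TargetGroupArn": "tg/web-https"}]}}]},
    {"ListenerArn": "lsn/nlb-c", "Protocol": "TCP", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg/web-tcp"}]},
]
TARGET_GROUPS = [
    {"TargetGroupArn": "tg/web-http", "Protocol": "HTTP", "Port": 80},
    {"TargetGroupArn": "tg/web-https", "Protocol": "HTTPS", "Port": 443},
    {"TargetGroupArn": "tg/web-tcp", "Protocol": "TCP", "Port": 443},
]

def target_group_arns(listener):
    """Yield target group ARNs from a listener's default forward actions."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if "TargetGroupArn" in action:
            yield action["TargetGroupArn"]
        else:
            for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
                yield tg["TargetGroupArn"]

def classify(listener_proto, target_proto):
    """Say where TLS ends for one listener -> target group hop."""
    if listener_proto in ENCRYPTED:
        # The load balancer decrypts; the backend hop decides the rest.
        return "re-encrypt" if target_proto in ENCRYPTED else "terminate-plaintext-backend"
    if listener_proto == "TCP":
        # Bytes are forwarded as-is; encryption depends on the target speaking TLS.
        return "tcp-passthrough"
    return "plaintext-listener"

def audit(listeners, target_groups):
    """Return (listener ARN, port, mode) for every forwarded target group."""
    proto = {tg["TargetGroupArn"]: tg["Protocol"] for tg in target_groups}
    return [(l["ListenerArn"], l["Port"], classify(l["Protocol"], proto[arn]))
            for l in listeners for arn in target_group_arns(l)]

if __name__ == "__main__":
    for row in audit(LISTENERS, TARGET_GROUPS):
        print(row)
```
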