Encrypting Internal Systems

pma111
I would appreciate your feedback on a question relating to web development standards and TLS/SSL. If we have an internal web app that is hosted on the internal network (172.??.??.?? - no outside connections), do we still need to ensure all connections, front end/back end, are encrypted by TLS/SSL? If so, why, and who is realistically going to be able to intercept it?

You don't really have to if it's on one subnet only and there are no complex routings in between, i.e. between different departments.
Insider threat is indeed a big issue, and anybody having a sniffer can then see what's happening in the communication with the server.
I would suggest SSL again.
Secondly, you can also look to see if you are trying to conform to any standard; if not, then just leave it and simple OS-based security would do.

Author

Commented:
So it isn't too hard for someone internally to sniff unencrypted HTTP packets and view the data? SSL sounds like probably the best bet for peace of mind? What are the free types of sniffers out there?
The best one is Wireshark :) You can do wonders with it....

Author

Commented:
Thanks - Are there any geographical restraints, though, on who could internally intercept unencrypted HTTP data? Like, do they need to be sat on the network somewhere en route from the user browsing the system and passing the data - mitm - the web server itself?

Author

Commented:
Also noticed on the Wireshark site:

Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

So it can decrypt HTTPS packets too? Is anything safe these days? Is there any point spending the $5k or whatever getting it all encrypted when someone could quite easily decrypt, say, this app's login password into plain text?
Well, it's not that easy; you have to spend some time in order to decrypt things. It indeed requires special knowledge.
The fact is that nothing is secure, but if it takes, let's say, 6 months to break some encryption, then yes, it's secure. But everything can be broken.
If it's all internal, then the only way is if somebody hacks into your network or somehow hooks a sniffer into your network.
It's really not that easy to just put up a sniffer and read everything... so you can still go ahead with SSL implementation.

Author

Commented:
OK thanks, so there are no real geographical restraints; if the sniffer is up on the network it could get the HTTP packets regardless of who was (and where they were on the network) passing data to the web server.
Potentially it can, but if you are using intelligent routers throughout your networks / switches, which usually is the case, then traffic will only be sent to the nodes for whom it has been intended by the sender.
If there are few hubs, which just do a broadcast or any other legacy devices which do a broadcast.
