Web Server to App Server HTTP/HTTPS?

Andy .
The web application in my organization uses an Apache web server that load-balances across application servers (Tomcat instances). There are two Apache (web server) instances that route the traffic to 4 application server instances.

The HTTPS traffic coming to the application terminates at the web server layer, and then communication between the web server and app server is over HTTP. My assumption is that the web server and app server communicate over HTTP and not over HTTPS.

However, lately in a discussion with my IS team I came to know that web server communication to the app server over HTTP is not considered secure, and the web server should instead communicate with the app server over HTTPS.

I would like to know your views on how this generally works in your organization.
Gary Patterson, VP Technology / Senior Consultant

Commented:
From a pure information security perspective, it just depends on the nature of the data being exchanged.  If there is anything confidential in it, or credentials exchanged in the clear, then the internal traffic should be encrypted: private networks get compromised, and insiders snoop.

Also, because of the complexity of classifying, and the need to continually audit the security classification level of, changing applications and data, many organizations are opting for an "encrypt everything" strategy, since this is generally less work than trying to investigate and classify each application and/or transaction type individually.
Web server should instead communicate to App server over HTTPS

They would be correct.
Encrypt-Everything, you're playing with Pandora's box on this one
Fractional CTO
Distinguished Expert 2018
Commented:
1) My assumption is that the web server and app server communicate over HTTP and not over HTTPS.

You'll have to check your config or run netstat -pluten looking for the ports listened on by each app; using 443 will usually indicate HTTPS being used.

2) Web server communication to the app server over HTTP is not considered secure.

Technically true + if your app is only listening on localhost (127.0.0.1) then someone would have to hack into your physical machine to have access + if they get this far, running HTTPS will be meaningless, as they'll have access to all data.

3) My practice is to run HTTPS on every service + connect every service to a public IP to make debugging more flexible.
Distinguished Expert 2018

Commented:
The HTTPS traffic coming to the application terminates at the web server layer, and then communication between the web server and app server is over HTTP. My assumption is that the web server and app server communicate over HTTP and not over HTTPS.
That is correct. Unless you've set up things to communicate over HTTPS, then it won't be HTTPS. Rather than assume, let me ask: are both the web and app servers inside of your firewall?

However, lately in a discussion with my IS team I came to know that web server communication to the app server over HTTP is not considered secure, and the web server should instead communicate with the app server over HTTPS.
That is pretty much a true statement. Unless there is a reason that you cannot do so, you should encrypt traffic between servers, and those reasons should be documented, along with the IS organization being involved to make a proper determination. The business owner is also going to have to be willing to absorb whatever risk may come out of it.

I would like to know your views on how this generally works in your organization.
The answer is too variable. Different organizations, different policies.... and that's without even knowing what the application you're talking about does, or what kind of information it holds.
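As an added example that is not part of the thread or any poster's setup, here is the Apache httpd side of the two arrangements discussed above: the plain-HTTP balancer the question describes, and the re-encrypted variant in which httpd verifies each Tomcat member's certificate before forwarding. The hostnames, ports, the internal CA file path and the certificate paths are assumptions; it presumes Tomcat exposes an HTTPS connector on 8443 with a certificate issued by that internal CA.

```apache
# Added example, not the poster's configuration. Assumes mod_proxy, mod_proxy_http,
# mod_proxy_balancer, mod_lbmethod_byrequests and mod_ssl are loaded. Hostnames,
# ports and file paths below are placeholders.

# --- Setup described in the question: TLS ends here, members reached over HTTP ---
# Anyone who can sniff the internal segment sees session cookies and request bodies.
<Proxy "balancer://tomcat-http">
    BalancerMember "http://app1.internal:8080"
    BalancerMember "http://app2.internal:8080"
    BalancerMember "http://app3.internal:8080"
    BalancerMember "http://app4.internal:8080"
</Proxy>

# --- Hardened variant: re-encrypt to the members and verify who answers ---
SSLProxyEngine on
SSLProxyVerify require                 # reject members whose cert does not chain to our CA
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile "/etc/pki/tls/certs/internal-ca.pem"   # placeholder path
SSLProxyCheckPeerName on               # member cert must match the BalancerMember hostname
SSLProxyCheckPeerExpire on
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

<Proxy "balancer://tomcat-https">
    BalancerMember "https://app1.internal:8443"
    BalancerMember "https://app2.internal:8443"
    BalancerMember "https://app3.internal:8443"
    BalancerMember "https://app4.internal:8443"
</Proxy>

<VirtualHost *:443>
    ServerName www.example.com          # placeholder
    SSLEngine on
    SSLCertificateFile    "/etc/pki/tls/certs/www.example.com.pem"   # placeholder
    SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key" # placeholder

    ProxyPreserveHost On
    # Tell Tomcat the client's original scheme so redirects and secure cookies stay https.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        "/" "balancer://tomcat-https/"
    ProxyPassReverse "/" "balancer://tomcat-https/"
</VirtualHost>
```

With SSLProxyVerify set to require, httpd refuses to forward to a member presenting an unknown or expired certificate, which is what turns "HTTPS to the backend" into an actual check on the backend's identity rather than only encryption on the wire.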
