sunhux asked:
SSL certs for server to server comms & install them on servers or WAF & pentesting them

A vendor is setting up on-prem internal servers for us. The vendor told us he needs SSL certs for the 5 servers, not for users to access but for server-to-server comms.

Q1:
Shall we use self-signed certs in this case, and usually for how long should these certs be valid (every 1-3 years, or permanently)?

Q2:
Should these servers sit behind the WAF (suppose these 5 URLs are not for user access but for server-to-server communications) or in front of the WAF?

Q3:
If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.

Q4:
For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through the WAF, or position the penetration scanners directly on the servers without going through the WAF?




ASKER CERTIFIED SOLUTION
btan

[solution text available to members only]

SOLUTION

[solution text available to members only]

sunhux (ASKER)

>The practice is not to be given such a long period, and 1-2 years are preferable.
In case we forget to renew the certs & cause an outage due to forgetfulness,
we'll probably create certs with a long expiry & set a calendar reminder to renew them yearly
(even if the certs haven't expired).

>Q3: If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the
>servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.
>>Never, ever, ever... install certs on proxy/WAF machines.
In fact, for our publicly accessible URLs, the web servers' certs are installed in our WAF
(with the web servers sitting behind the WAF), as we wanted the SSL to terminate on
the WAF.

>Q4: For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through
>the WAF, or position the penetration scanners directly on the servers without going through the WAF?
We'll whitelist the scanner in the WAF if the servers sit behind the WAF: if there are issues that
the penetration tests find that the applications or web servers can remediate (esp. OWASP Top
Ten vulnerabilities), we'll then apply remediations in the WAF & scan again to see if the WAF
mitigates them.
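Q1 (self-signed certs and how long to make them valid) and the renewal worry in the comment above are easiest to reason about with a concrete program. The Go code below is an added example written for this page; it is not code from the thread, the vendor or Experts Exchange. It issues server certs from a small private CA, issues a self-signed one for contrast, verifies each against only the explicit trust anchor (never the OS trust store), and computes the days-to-expiry figure a renewal check should alert on. The hostnames `app1.internal.example` and `app2.internal.example`, the lifetimes and the 30-day threshold are constructed values, not taken from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSerial returns a random 128-bit serial; a fixed serial collides as soon as a cert is reissued.
func newSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewInternalCA creates a private root used only to sign the internal server certs.
// Distributing this one root to every peer replaces pinning five separate self-signed certs.
func NewInternalCA(validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := newSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Internal Root CA (example)"},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate peer clock skew
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert issues a leaf for one internal hostname. With ca == nil the cert is
// self-signed with its own key (the Q1 option); otherwise the private CA signs it.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := newSerial()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN; a bare CN is ignored by Go
		NotBefore:    now.Add(-5 * time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Both usages so one cert serves whichever side of a server-to-server call it is on.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parent, signer := ca, caKey
	if ca == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify checks leaf for host against one explicit anchor only: the private root, or the
// pinned self-signed cert itself. The system trust store is deliberately not consulted.
func Verify(leaf, anchor *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry is the figure a monitoring job should alert on, whatever the nominal lifetime.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal reports whether fewer than warnDays remain.
func NeedsRenewal(c *x509.Certificate, now time.Time, warnDays int) bool {
	return DaysUntilExpiry(c, now) < warnDays
}

func main() {
	ca, caKey, err := NewInternalCA(5 * 365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"app1.internal.example", "app2.internal.example"} { // constructed names
		leaf, err := IssueServerCert(ca, caKey, host, 365*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: chain ok=%v days left=%d renew soon=%v\n", host,
			Verify(leaf, ca, host) == nil, DaysUntilExpiry(leaf, time.Now()), NeedsRenewal(leaf, time.Now(), 30))
	}
}
```

The design point is the difference between the two trust models: with five self-signed certs every peer must pin all five and every reissue touches every peer, whereas a private root is distributed once and leaves can be rotated on a one-year cycle without reconfiguring anyone. `NeedsRenewal` is what turns a "long expiry plus calendar reminder" plan into a check a scheduled job can run against the deployed certs.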

SOLUTION

[solution text available to members only]