sunhux asked:

SSL certs for server to server comms & install them on servers or WAF & pentesting them

A vendor is setting up on-prem internal servers for us. The vendor told us he needs SSL certs for the 5 servers, not for users to access but for server-to-server comms.


Q1:
Should we use self-signed certs in this case, and for how long should these certs usually be valid (every 1-3 years, or permanently)?


Q2:
Should these servers sit behind the WAF (suppose these 5 URLs are not for user access but for server-to-server communications) or in front of the WAF?


Q3:
If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.


Q4:
For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through the WAF, or position the penetration scanners directly on the servers without going through the WAF?




Tags: SSL / HTTPS, Network Security, Security
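As an added example that is not part of the original question or any of the answers, here is one way to handle Q1: instead of five independent self-signed certs that every peer has to trust individually, run a small private CA, issue each server a one-year leaf cert with a SAN, distribute only the CA cert to the five servers, and have each server verify its peers against that CA and the host name it dialled. The CA name, host names, directory layout and the 1-year leaf lifetime are assumptions; the rogue cert is constructed here only to show what a pinned peer rejects.

```shell
#!/bin/sh
# Added example, not code from the original thread: a minimal private CA for
# server-to-server TLS plus the peer-side verification each server should do.
# CA name, host names, directory layout and lifetimes are assumptions.
set -eu

# Write the small OpenSSL config the functions below use (req defaults + CA extensions).
write_pki_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Leaf-cert extensions: not a CA, server+client auth (both ends of a
# server-to-server link) and the SAN that peers match the host name against.
write_leaf_ext() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nsubjectKeyIdentifier = hash\nsubjectAltName = DNS:%s\n' "$2" > "$1"
}

# Create the private CA in DIR once. ca.key stays here (offline); only ca.crt
# is copied to the five servers as their trust anchor.
create_internal_ca() {
    dir="$1"
    mkdir -p "$dir"
    write_pki_config "$dir"
    [ -f "$dir/ca.crt" ] && return 0
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Issue a cert for HOST signed by the CA in DIR, valid for DAYS (default 365).
issue_internal_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
    write_leaf_ext "$dir/$host.ext" "$host"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# Constructed impostor: a self-signed cert for HOST that the CA never issued.
# This is what "just use self-signed certs" cannot distinguish from the real server.
make_rogue_cert() {
    dir="$1"; host="$2"
    write_leaf_ext "$dir/rogue.ext" "$host"
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/rogue.key" -out "$dir/rogue.csr" -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -in "$dir/rogue.csr" -signkey "$dir/rogue.key" -days 30 -sha256 \
        -extfile "$dir/rogue.ext" -out "$dir/rogue.crt" >/dev/null 2>&1
}

# What a server does when it connects to a peer: verify the presented cert
# against the private CA only (no public roots) and check the SAN against the
# host name it dialled. Exit status 0 = accept, non-zero = reject.
verify_peer_cert() {
    dir="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}
```

Usage: `create_internal_ca /srv/pki` once, then `issue_internal_cert /srv/pki app1.internal.example 365` per server (path and name assumed). With this layout a server only ever trusts ca.crt, so a leaf can be rotated yearly without touching the trust store on the other four servers, and a cert that matches the host name but was not issued by the CA is rejected, which a per-server self-signed scheme only achieves if every peer pins every other peer's individual leaf.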

Last comment: btan, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
btan

SOLUTION
David Favor

sunhux (ASKER):
>The practice is not to give such a long period, and 1-2 years are preferable.
In case we forget to renew the certs and cause an outage due to forgetfulness,
we'll probably create certs with a long expiry and set a calendar reminder to renew them yearly
(even if the certs haven't expired).

>Q3: If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the
>servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.
>>Never, ever, ever... install certs on proxy/WAF machines.
In fact, for our publicly accessible URLs, the web servers' certs are installed in our WAF
(with the web servers sitting behind the WAF), as we wanted the SSL to terminate on
the WAF.

>Q4: For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through
>the WAF, or position the penetration scanners directly on the servers without going through the WAF?
We'll whitelist the scanner in the WAF if the servers sit behind the WAF: if the penetration tests
find issues that the applications or web servers can remediate (esp. OWASP Top Ten
vulnerabilities), we'll then apply remediations in the WAF and scan again to see if the WAF
mitigates them.
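The renewal concern raised in the reply above can also be handled by a check the servers run themselves, so that an approaching expiry raises an alert instead of depending on someone remembering a date. The following is an added example, not code from the thread or from any of the participants; the 30-day warning window, the cron suggestion and the constructed test certs (one expiring in 10 days, one in 400) are assumptions. It uses openssl's `-checkend`, which is portable across Linux and BSD, unlike parsing the `notAfter` date with `date -d`.

```shell
#!/bin/sh
# Added example, not from the original thread: a cron-able certificate expiry
# check for the internal certs, so renewal is alerted on rather than remembered.
# Warning window, paths and test-cert lifetimes are assumptions.
set -eu

# Exit 0 if CERT expires within DAYS days (i.e. it needs renewal), 1 otherwise.
# openssl -checkend exits 0 when the cert is still valid at the end of the
# window, so the sense is inverted here. An already-expired cert also counts.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certs DAYS CERT...: print every cert that expires within DAYS and
# return non-zero if there is at least one, so cron or monitoring can alert.
check_certs() {
    days="$1"; shift
    failing=0
    for cert in "$@"; do
        if cert_expires_within "$cert" "$days"; then
            printf 'RENEW: %s (%s)\n' "$cert" "$(openssl x509 -in "$cert" -noout -enddate)"
            failing=$((failing + 1))
        fi
    done
    [ "$failing" -eq 0 ]
}

# Constructed self-signed test cert: make_test_cert PREFIX DAYS CN.
# Writes PREFIX.key and PREFIX.crt; only used to exercise the check above.
make_test_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$3" > "$1.cnf"
    openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
```

Usage from cron on each server, with an assumed cert directory: `check_certs 30 /etc/ssl/internal/*.crt || mail -s "cert renewal due" ops@example.com`. Running the check on the servers that actually present the certs (rather than only where they were generated) also catches the case where a renewed cert was issued but never deployed.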

SOLUTION
btan
