Monitoring SSL Traffic: The ExtraHop Benefit

How does SSL / TLS traffic monitoring ensure that specific web servers encrypt traffic and use at least 2048-bit SSL certificates?


The Problem

A large web services hosting company configured their load balancers to offload SSL and TLS encryption from their backend web servers. By doing so, they removed the computational overhead of encryption from those servers and cut costs by consolidating expensive SSL certificates. In this configuration, requests from the Internet arrived via HTTPS but were decrypted by the load balancer so that logged-in sessions could be identified and routed to the appropriate web server.

However, some of their customers had stipulated—due to their traffic's sensitive nature—that their traffic be re-encrypted after the load balancing. The company needed an easy way to verify that the traffic for these customers was re-encrypted and that the servers used an SSL certificate with the appropriate key size.

Desired Outcome

  • Verify that traffic between the load balancer and the backend servers is encrypted for customers who require it.
  • Ensure that SSL keys in use are at least 2048 bits in size.
  • Continuously monitor SSL traffic to ensure it complies with client requirements.


The Solution

Because the hosting company knew which customers required encrypted connections from the load balancer to the backend server, their IT operations team created a custom activity group on their ExtraHop platform for the servers dedicated to these customers. The team then created a new alert to fire whenever non-encrypted HTTP traffic exceeded a predefined threshold. This way, the hosting company would be informed if those servers did not encrypt connections as the security policy stipulated.

The team also used the ExtraHop platform to see what size keys the devices in the activity group used. They discovered that two of the backend servers for a particular customer were still configured to use older 1024-bit SSL keys. While these keys were still valid, they didn't meet the new minimum key-size requirement. IT Operations generated new keys for those backend servers and confirmed on the ExtraHop platform that all servers requiring 2048-bit keys now used them. The team also set an alert to fire if the servers used SSL keys under 2048 bits.
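The two alert rules described above, sketched as an added example (this is not ExtraHop's API or the hosting company's configuration). The flow-record fields, the IP addresses and the HTTP threshold of 2 are constructed assumptions; only the 2048-bit minimum comes from the page.

```python
from collections import Counter, defaultdict

MIN_KEY_BITS = 2048   # minimum key size stated in the case study
HTTP_THRESHOLD = 2    # assumed: cleartext requests tolerated per window

# Constructed sample data: servers that must receive re-encrypted traffic.
PROTECTED_GROUP = {"10.0.1.11", "10.0.1.12", "10.0.1.13"}

def flow(server, proto, key_bits=None):
    """Hypothetical per-flow summary exported by a passive monitor."""
    return {"server": server, "proto": proto, "key_bits": key_bits}

FLOWS = (
    [flow("10.0.1.11", "TLS", 2048)] * 2
    + [flow("10.0.1.12", "TLS", 1024)] * 2
    + [flow("10.0.1.12", "HTTP")]
    + [flow("10.0.1.13", "HTTP")] * 3
    + [flow("10.0.1.13", "TLS")]        # resumed session: no certificate on the wire
    + [flow("10.0.2.20", "HTTP")] * 5   # outside the protected group
)

def evaluate(flows, group, min_bits=MIN_KEY_BITS, http_threshold=HTTP_THRESHOLD):
    """Return sorted (server, rule, value) alerts for servers in the group."""
    http_count = Counter()
    key_sizes = defaultdict(set)
    tls_seen = set()
    for f in flows:
        srv = f["server"]
        if srv not in group:
            continue                     # policy applies only to the group
        if f["proto"] == "HTTP":
            http_count[srv] += 1
        elif f["proto"] == "TLS":
            tls_seen.add(srv)
            if f["key_bits"] is not None:
                key_sizes[srv].add(f["key_bits"])
    alerts = []
    for srv in sorted(group):
        if http_count[srv] > http_threshold:
            alerts.append((srv, "cleartext_http", http_count[srv]))
        for bits in sorted(b for b in key_sizes[srv] if b < min_bits):
            alerts.append((srv, "weak_key", bits))
        # TLS was seen but no certificate was observed: neither pass nor fail.
        if srv in tls_seen and not key_sizes[srv]:
            alerts.append((srv, "key_unverified", None))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(FLOWS, PROTECTED_GROUP):
        print(alert)
```

The `key_unverified` result covers a server whose only observed TLS sessions were resumed, so its key size is reported as unknown rather than counted as compliant.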

User Impact

The ExtraHop platform enabled the web services hosting company to efficiently ensure they met client requirements. Without the ExtraHop platform, the company would have to manually check the web servers dedicated to these clients each time there was a configuration change or an upgrade. A system administrator would have to confirm that each of these servers was configured to communicate over an encrypted connection only and used an SSL key that met requirements. The administrator would then need to run a packet capture to confirm the behavior.
