Timeline for Do I need to encrypt connections inside a corporate network?
Current License: CC BY-SA 4.0
8 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Jun 26, 2018 at 14:56 | comment | added | symcbean | If the OP is responsible for the security of a multi-national corporation which does not use encryption, then they really should be planning to setup a proper CA capability.Even if you go out and buy a corporate CA rather than using xipki, openca or similar, the costs are for the staff to operate it - but we know nothing about the scale of the operation - "corporate network" doesn't tell us whether it is 3 hosts or 3000. The "couple of hours effort" I cited above was the cost for me to setup a CA covering 80 sites and around 300 devices. | |
| Jun 26, 2018 at 13:20 | comment | added | Dan | @MaciejPiechotka You're missing (deliberately ignoring?) the sheer complexities of scale and global redundancy etc. Nobody is saying it's impossible or even a bad idea, but what it isn't is a part time project for anyone on the Infrastructure desk. Proper, well deployed PKI at scale is something that needs proper architecture and design and a well thought out deployment. Certificates expire, intermediate CA's expire, the CRL needs distributing and so on and so forth. Pushing certs is one tiny part of spinning up a global infra. There's no "ready solution" for this at all. | |
| Jun 25, 2018 at 7:18 | comment | added | Maja Piechotka | @JohnDeters Except there are ready solution for that. Most corporate networks use for example AD which allows pushing CA certs onto clients. I would expect it to be harder for small organizations where there are more things that are ad-hoc. | |
| Jun 22, 2018 at 18:44 | comment | added | John Deters | @Gargravarr, you can do this when your organization is fairly small. But the poster used the phrase "corporate network", which implies a larger number of machines. The ability to successfully manage all of them drops off as the number of machines in the network grows. The overall cost includes handling issues like certificates expiring and how many people will experience an outage when they do. Or the risk of what happens to the company when the one PKI expert leaves, and the boss tries to take over his or her duties and makes a mess of things. That is neither "cheap" nor "free". | |
| Jun 22, 2018 at 18:24 | comment | added | Gargravarr | @JohnDeters with some planning, it can be set up quite cheaply or even for free, and with minimal invasiveness, and rolled out incrementally. I built a self-signed CA internally, which means I can add servers as necessary, then distribute a single public key to trust (which can be revoked easily) and all my systems are then running over HTTPS. | |
| Jun 21, 2018 at 21:02 | comment | added | symcbean | Yes, it costs a HUGE amount to compete with existing commercial providers. It costs very little to set up the software (a couple of hours effort). Deploying across your estate shouldn't cost much - if you have lots of machines then you should have automated deployment tools. Revocation can be a bit tricky - but unlikely to be required on a small scale. | |
| Jun 21, 2018 at 18:53 | comment | added | John Deters | "How much would it hurt to implement TLS?" You have to stand up a certificate authority, distribute your internal Root CA cert to all computers, operate a system to refresh certificates every time they expire, and configure every sensitive service and server to use your certs. Or maybe you could hook all the machines up to get and install certificates from Let's Encrypt!. Ultimately, it could cost quite a bit. | |
| Jun 21, 2018 at 15:04 | history | answered | symcbean | CC BY-SA 4.0 |