
Inspecting SSL Traffic from the Cloud

One of the first things that we always get asked is: how do you handle my SSL or HTTPS traffic?

Well, inspecting SSL traffic is a must when it comes to website security. Most, if not all, websites that generate revenue online rely on SSL to secure the traffic between their visitors and their web servers. This is common practice, and it is also mandated by the Payment Card Industry (PCI) Council.

When we set off to design our SSL approach, we tried to focus on three main aspects:

  1. How to maintain connection integrity while traffic flows through Incapsula’s servers and the SSL content is inspected (to thwart attacks)
  2. How to maintain the same user experience for visitors when they come to a customer’s website
  3. How, given all these constraints, to make the setup process as fast and effortless as possible

Connection Integrity

We need to terminate the customer’s SSL traffic and inspect it before re-encrypting it and transmitting it to the customer’s website. Hence, both connections, from the visitor to Incapsula and from Incapsula to the customer’s web server, need to be secured using SSL.

User Experience

The SSL certificate should contain the identifying information of the customer’s domain. This creates exactly the same experience that an on-premise or host-based reverse proxy provides, so end users don’t notice any difference.

Quick and Easy Setup

We tried to avoid the ‘standard approach’ that other Web Application Firewalls (WAFs) use. This typically entails uploading the certificate and its private key to the WAF, which in a SaaS delivery model would be very cumbersome and error prone.

So, What Did We Come Up With?

We used a special kind of SSL certificate, called a SAN (Subject Alternative Name) certificate, that allows us to proxy multiple SSL websites with a single SSL certificate. We need this special certificate because otherwise we would have to maintain a unique IP address in each of our datacenters for every website that we safeguard. With the shortage of IPv4 addresses, this would have been a nightmare (and also costly for us and our customers). We also tried to create a very simple and fast setup process so that customers could be up and running behind Incapsula in as little time as possible.

To accommodate this, we partnered with one of the leading SSL providers and tailor-designed a fully automated way of provisioning SSL websites on Incapsula. When a customer adds an SSL-protected website to Incapsula, we automatically detect this and start the three-step SSL provisioning process:

  1. A request is dispatched from Incapsula to our cert provider asking to add the requested domain to the list of domains that Incapsula’s certificates can decrypt.
  2. Our cert provider sends a verification email to the domain owner, asking them to grant Incapsula the authority to proxy their SSL traffic.
  3. Once the customer approves this request, our cert provider issues Incapsula a new certificate that also includes the newly added domain.

The provisioning process is then complete and the customer is able to make their DNS changes so that traffic will start flowing through Incapsula.
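The two technical points above are that one shared SAN certificate covers many customer hostnames, and that a customer should only change DNS once the newly issued certificate actually lists their domain. The check below, written for this page as an added example and not code from the original post or from Incapsula, applies the hostname-matching rules a browser uses (RFC 6125 dNSName matching, including the single-label wildcard rule) to a certificate's SAN list and reports which of a customer's hostnames would still produce a certificate error. The SAN entries and hostnames are constructed sample data under the reserved `.test` and `.invalid` domains; `fetch_san_entries` is a helper that pulls the same list from a live server with Python's standard `ssl` module and is not exercised by the sample run.

```python
"""Check whether a shared (SAN-based) proxy certificate covers a set of
customer hostnames, using the matching rules a browser applies."""
from __future__ import annotations

import socket
import ssl

# Constructed SAN list standing in for the dNSName entries of a shared proxy
# certificate. Example data only, not any real provider's certificate.
EXAMPLE_SAN_ENTRIES = [
    "proxy.example-waf.invalid",
    "shop.example-customer.test",
    "www.shop.example-customer.test",
    "*.blog.example-customer.test",
]


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match of one SAN entry against a hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire leftmost label ("*.x.y")
    - a wildcard matches exactly one label, never zero or several
    - a wildcard must leave at least two literal labels ("*.test" is rejected)
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False  # partial-label or over-broad wildcard: treat as no match
    return len(h) == len(p) and bool(h[0]) and p[1:] == h[1:]


def covered_hostname(san_entries: list[str], hostname: str) -> str | None:
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for entry in san_entries:
        if san_matches(entry, hostname):
            return entry
    return None


def uncovered_hostnames(san_entries: list[str], customer_hosts: list[str]) -> list[str]:
    """Hostnames visitors would still get a certificate error for.

    This is the check to run after provisioning step 3 and before pointing
    DNS at the proxy: every hostname you intend to serve must come back empty.
    """
    return [h for h in customer_hosts if covered_hostname(san_entries, h) is None]


def san_from_peercert(cert: dict) -> list[str]:
    """Extract dNSName entries from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_san_entries(hostname: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Connect with SNI, verify the chain normally, and return the SAN list.

    Network helper for real use; the sample run below uses constructed data.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return san_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    wanted = [
        "shop.example-customer.test",
        "news.blog.example-customer.test",
        "api.example-customer.test",  # not provisioned yet in the sample data
    ]
    for host in wanted:
        print(f"{host:40s} -> {covered_hostname(EXAMPLE_SAN_ENTRIES, host)}")
    missing = uncovered_hostnames(EXAMPLE_SAN_ENTRIES, wanted)
    print("do not change DNS yet for:", missing)
```

Because every proxied name appears in one certificate's SAN list, that list is visible to anyone who completes a TLS handshake with the proxy; the same property that saves an IP address per site also makes the set of co-hosted names public, which is worth keeping in mind when deciding which hostnames to place behind a shared certificate.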

We hope this sheds some light on this not-so-easy-to-understand process. As always, questions, comments, and suggestions are welcome.

The Incapsula Team