Practice Question Set 2 – Category: SEC – Infrastructure Security

[robin-cher]

Hi,

I have some doubts with this question and its answers.

A new security policy mandates that all communications between the company’s on-premises application servers and Amazon EC2 instances be encrypted in transit. The servers use custom proprietary protocols for their communication, and the EC2 instances must be placed behind a load balancer to improve availability and scalability.

The correct answer is: Offload the SSL termination to an SSL listener on a Classic Load Balancer (CLB). Use a TCP connection between the CLB and the EC2 instances.

The option that says (Which i picked): Route all of the traffic throughout a TCP listener on a Classic Load Balancer (CLB). Terminate the TLS connection on the Amazon EC2 instances is incorrect because if you have a TCP listener on a CLB then the SSL termination is on the load balancer, not on the underlying EC2 instances.

May i know why the correct answer is offloading SSL termination at the CLB? If that the case, the transmission between CLB –> EC2 instances will not be encrypted. Wouldn’t it fix the use case if we do a pass through via CLB, and allows the EC2 to offload the SSL instead?

I use AWS at a time where NLB is taking over CLB, so do correct me if i am wrong.

[Carlo-TutorialsDojo]

Hello robin,

Thanks for your feedback.

I agree. The question is all about end-to-end encryption. This can be done by configuring TCP passthrough on the CLB (set TCP as listener instead of HTTPS.)

We will correct this item.

Regards,

Carlo

• This reply was modified 3 years, 1 month ago by  Carlo-TutorialsDojo.