Thursday, March 13, 2008

SSL Encryption in ITM 6.1

Many people assume that because ITM 6.1 installs ask you for an encryption key, encryption is turned on. Nothing is further from the truth.

The only time encryption is turned on is when the IP.SPIPE protocol is enabled between two components. So if I use IP.SPIPE between my HUB and Remote TEMS, that communication is encrypted. However, if I use IP.PIPE between my agents and the Remote TEMS, that data is not encrypted, which raises the question: what's the point of using encryption in one place but not another?

Does that mean that the encryption key is never used? Nope. Apparently the keys do get exchanged internally, but no one can tell me exactly how, when or why.

If you are going to use encryption (IP.SPIPE), use it on everything (TEPS, HUB, Remote, Agents); otherwise there is a gaping hole in your security.

Also, beware that we have seen 20 - 25% performance hits when enabling IP.SPIPE because of the extra encryption overhead.
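To check the "use it on everything" advice across an install, here is an added example (not from the original post or from IBM): a Python audit that reports every component that still has a cleartext protocol enabled. It assumes each component's environment file lists its protocols in a `KDC_FAMILIES` line, with `use:n` marking a disabled one; the component names, ports and file contents below are constructed.

```python
import re

# Protocol families that carry SSL; anything else enabled is cleartext.
ENCRYPTED = {"ip.spipe", "ip6.spipe"}

# Constructed sample: component name -> contents of its environment file.
SAMPLE = {
    "hub_tems": "KDC_FAMILIES=ip.spipe port:3660 ip.pipe use:n ip use:n sna use:n\n",
    "remote_tems": "KDC_FAMILIES=ip.spipe port:3660 ip.pipe port:1918 ip use:n sna use:n\n",
    "agent_linux": "# constructed agent file\nKDC_FAMILIES=ip.pipe port:1918 ip use:n sna use:n\n",
    "teps": "KDC_FAMILIES=ip.spipe port:3660 ip.pipe use:n ip use:n sna use:n\n",
}

def enabled_protocols(env_text):
    """Return the set of protocols that a KDC_FAMILIES line leaves enabled."""
    enabled = set()
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"KDC_FAMILIES\s*=\s*(.*)", line, re.IGNORECASE)
        if not m:
            continue
        enabled, current = set(), None  # assumption: the last assignment wins
        for token in m.group(1).strip("'\"").lower().split():
            if ":" not in token:          # a protocol name, e.g. ip.pipe
                current = token
                enabled.add(current)
            elif token == "use:n" and current:
                enabled.discard(current)  # explicitly disabled
    return enabled

def audit(components):
    """Map each failing component to its enabled cleartext protocols."""
    findings = {}
    for name, env_text in components.items():
        protos = enabled_protocols(env_text)
        cleartext = sorted(protos - ENCRYPTED)
        if not protos:
            findings[name] = ["<no KDC_FAMILIES found>"]
        elif cleartext:
            findings[name] = cleartext
    return findings

if __name__ == "__main__":
    for component, protos in audit(SAMPLE).items():
        print(f"{component}: cleartext still enabled -> {', '.join(protos)}")
```

A component that lists IP.SPIPE but leaves IP.PIPE enabled is still reported, because a peer can connect over the unencrypted protocol.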
