Saturday, August 7, 2021

TLS proxy: Pros and cons of a SW-based solution vs a dedicated device.

Hi there,

I was not sure if I should post this in the cybersecurity group or here, as security is involved. I would be happy to read your advice about a setup.

Sorry if you think this is not the right place for this post.

We have a bunch of devices at the field level that will send data to the cloud by means of HTTPS connections with X.509-based authentication. Only outgoing communication from the field-level firewalls to external networks is allowed.

Due to company regulations there cannot be a direct connection between the field level and the internet, so we are going to send the data first to a DMZ, where a TLS proxy will forward the data to the cloud.

The thing is that we cannot yet decide which TLS proxy solution would be the cleanest in terms of performance and security.

On one hand, we thought about a SW-based TLS proxy installed on one of our servers, either as a native application or as a container. It is the cheapest option, but the proxy is only as secure from threats as the server is, and we don't know how adding more software will affect the stability of our server.

On the other hand, we have been offered one of these "IoT gateways". They act as a broker, being an HTTPS server on the side facing the field level and an HTTPS client on the side facing our internet firewall. The box has a simple, closed, proprietary OS. The initial investment is higher, but it looks more secure, as it is a dedicated box and its hardening looks simpler.

I look forward to seeing your views about both options.
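For reference, this is what the SW-based option could look like as an nginx configuration that implements the broker pattern described above (HTTPS server with client-certificate verification facing the field level, HTTPS client with its own X.509 identity facing the internet firewall); it is an added example, not part of the original post, and the hostnames, ports and certificate paths are assumptions.

```nginx
# Added example of a DMZ TLS "broker" as a software proxy (nginx).
# Hostnames, certificate paths and the cloud upstream are assumptions.
#
# Caveat: because TLS is terminated here, the cloud sees the proxy's X.509
# identity, not the individual device's. The device identity is therefore
# forwarded explicitly in a header over the authenticated outbound hop.

server {
    listen 443 ssl;
    server_name proxy.dmz.example;                  # assumed name

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/nginx/tls/proxy-server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/proxy-server.key;   # assumed path

    # Field-facing side: mutual TLS. Only devices holding a certificate
    # chained to the field-device CA may connect at all.
    ssl_client_certificate /etc/nginx/tls/field-device-ca.crt;  # assumed path
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Single upstream: devices can reach nothing else through the proxy.
    location / {
        proxy_pass https://ingest.cloud.example;        # assumed cloud endpoint
        proxy_set_header Host ingest.cloud.example;

        # Internet-facing side: authenticate to the cloud with the proxy's
        # own X.509 client certificate ...
        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt;  # assumed path
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;  # assumed path
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;

        # ... and verify the cloud's server certificate against a pinned
        # CA bundle rather than the system trust store.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/cloud-ca.crt;  # assumed path

        # Carry the verified device identity along for auditing in the cloud.
        proxy_set_header X-Device-DN $ssl_client_s_dn;
    }
}
```

With this layout, patching the TLS stack and the host OS becomes the operator's responsibility, which is exactly the trade-off against the closed-OS gateway box raised in the post.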
