Question
Is encryption required on shared private networking?
So I need to scale out my web application, but I need to ensure the data between my droplets stays private. All the tutorials on Digital Ocean only describe setting iptables to limit who can access your droplets. My question is, shouldn’t encryption be used for communication between nodes as well as iptables, so that no third-party droplet can eavesdrop on the conversation between nodes? I don’t see that discussed at all as a best practice. If it isn’t needed, can someone fill me in as to why this wouldn’t be needed? My biggest concern is that SSL on MySQL kills performance by between 15-25%, and if someone can tell me it isn’t needed that would be great.
I am not sure if it’s needed, don’t know the infrastructure. But an article has been posted earlier about this:
https://www.digitalocean.com/community/questions/private-networking-for-databse-server-or-public-network
Thanks @CrypticDesigns, it sounds like from that post that encryption wouldn’t be needed for confidentiality. I am just curious if they are saying that there is no way for a man-in-the-middle attack via ARP poisoning (http://www.shortestpathfirst.net/2010/11/18/man-in-the-middle-mitm-attacks-explained-arp-poisoining/) or a similar attack.
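The ARP-poisoning concern raised in this reply is something you can watch for on the droplet itself, alongside transport encryption rather than instead of it. The following is an added example, not code from the thread or from DigitalOcean: it parses `ip neigh show` snapshots (the sample snapshots and the 10.132.0.0/16 addresses are constructed placeholders) and flags the neighbour-table changes a poisoned ARP cache on a shared L2 segment would produce.

```python
# Added example, not from the thread: flag ARP-cache anomalies that a poisoning
# attempt on a shared L2 segment would produce, from `ip neigh show` snapshots
# taken over time. Sample snapshots are constructed; 10.132.0.0/16 is a placeholder.
import re
from collections import defaultdict

NEIGH_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)

def parse_ip_neigh(text):
    """Return {ip: mac} from `ip neigh show` output (entries without lladdr skipped)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(snapshots, trusted=None):
    """snapshots: [{ip: mac}, ...] in time order; trusted: known-good {ip: mac}.
    Returns (kind, key, detail) tuples: 'mac-changed' when an IP's MAC differs from
    the first snapshot, 'mac-shared' when one MAC answers for several IPs,
    'untrusted' when an IP's MAC differs from the trusted mapping."""
    findings, first_seen = [], {}
    for snap in snapshots:
        by_mac = defaultdict(set)
        for ip, mac in snap.items():
            by_mac[mac].add(ip)
            if trusted and ip in trusted and trusted[ip] != mac:
                findings.append(("untrusted", ip, f"expected {trusted[ip]}, got {mac}"))
            if first_seen.setdefault(ip, mac) != mac:
                findings.append(("mac-changed", ip, f"{first_seen[ip]} -> {mac}"))
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append(("mac-shared", mac, sorted(ips)))
    return findings

# Constructed: in the second snapshot the DB host (.20) suddenly resolves to the
# MAC already used by a third tenant's host (.99) on the same segment.
SNAP_1 = """10.132.0.10 dev eth1 lladdr 04:01:aa:aa:aa:01 REACHABLE
10.132.0.20 dev eth1 lladdr 04:01:bb:bb:bb:02 STALE
10.132.0.99 dev eth1 lladdr 04:01:cc:cc:cc:03 REACHABLE"""
SNAP_2 = """10.132.0.10 dev eth1 lladdr 04:01:aa:aa:aa:01 REACHABLE
10.132.0.20 dev eth1 lladdr 04:01:cc:cc:cc:03 REACHABLE
10.132.0.99 dev eth1 lladdr 04:01:cc:cc:cc:03 REACHABLE"""

def demo():
    return find_anomalies([parse_ip_neigh(SNAP_1), parse_ip_neigh(SNAP_2)],
                          trusted={"10.132.0.20": "04:01:bb:bb:bb:02"})

if __name__ == "__main__":
    for kind, key, detail in demo():
        print(kind, key, detail)
```

In practice you would feed it the output of `ip neigh show dev eth1` collected on a schedule and alert on any finding; a trusted mapping built from your own droplets' interfaces removes most false positives.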
@microleaks From a security standpoint, my answer would be: it depends. If you’re passing data between any network that is confidential and/or private, whether the network is, itself, public or private, and you have customers or clients that depend on and demand that you keep said data secured, the performance hit is secondary. You should be able to lighten the load by making better use of caching, whether it’s elsewhere in the application, or in a way that you cache the non-private aspects of the data, while bypassing the cache for everything else (e.g. credit card numbers).
Depending on your needs, a 1-2GB instance would be perfect for either Memcached and/or Redis. You could even go as far as using a combination of either with Varnish or similar.
Please vote here for enhanced security:
https://digitalocean.uservoice.com/forums/136585-digitalocean/suggestions/3574245-use-vlans-for-private-networking-between-droplets