
This product reached the end of support date on March 31, 2021.

Services using IPSEC

We have some services coming along that have been mooted to use IPSEC to protect them in transit. The underlying protocol will be HTTP, but this means the TCP packets will be encrypted.

Will we be able to monitor this with DCRUM?

Cheers

6 REPLIES

chris_v
Dynatrace Pro

The short answer is no.

The long answer....

DCRUM can't decrypt IPSec so will never be able to see the HTTP traffic.

Additionally, because IPSec is a tunnelling protocol, we won't even be able to distinguish the HTTP traffic from any other traffic that is also IPSec encrypted (the tunnel could be carrying anything else as well).

If it could be guaranteed only the HTTP traffic you were interested in was the only content of the tunnel, you could set up monitoring of the IPSec tunnel traffic. And report on it as if it were the HTTP traffic only. But you'd only see bytes/packets/and basic timing (round trip), no operations/pages would be possible.
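An added example, not part of the thread and not DCRUM code: a sketch of what a passive probe can still extract from IPSec traffic, namely the cleartext outer headers (addresses, ESP SPI, sizes), next to a cleartext TCP flow where the port is visible. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ESP, TCP, UDP = 50, 6, 17  # IP protocol numbers

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed test data, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def classify(pkt):
    """Return (src, dst, label, wire_bytes) using only headers sent in the clear."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body = pkt[ihl:total_len]
    if proto == ESP and len(body) >= 8:
        # ESP exposes only SPI and sequence number; everything after is ciphertext.
        label = f"ESP spi=0x{int.from_bytes(body[:4], 'big'):08x}"
    elif proto == UDP and len(body) >= 12 and 4500 in struct.unpack("!HH", body[:4]):
        spi = int.from_bytes(body[8:12], "big")  # zero marker means IKE, not ESP
        label = f"ESP-in-UDP spi=0x{spi:08x}" if spi else "IKE over UDP/4500"
    elif proto == TCP and len(body) >= 4:
        label = f"TCP dport={struct.unpack('!HH', body[:4])[1]}"
    else:
        label = f"proto={proto}"
    return src, dst, label, total_len

def summarize(packets):
    """Aggregate packets and bytes per (src, dst, label)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        src, dst, label, size = classify(pkt)
        stats[(src, dst, label)]["packets"] += 1
        stats[(src, dst, label)]["bytes"] += size
    return dict(stats)

# Constructed sample: two ESP packets on one SA and one cleartext HTTP segment.
SAMPLE = [
    build_ipv4("192.0.2.1", "198.51.100.1", ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 64),
    build_ipv4("192.0.2.1", "198.51.100.1", ESP, struct.pack("!II", 0x1000, 2) + b"\xbb" * 128),
    build_ipv4("10.0.0.5", "10.0.0.80", TCP,
               struct.pack("!HH", 40000, 80) + b"\x00" * 16 + b"GET / HTTP/1.1\r\n"),
]
```

For the ESP flow the summary holds only tunnel endpoints, SPI, packet count and byte count; a new SPI between the same endpoints is the visible sign that the SA was renegotiated.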

Thanks Chris

Was the answer I was expecting but at least I can go back and tell them that we can't meet their monitoring requirements if they use IPSEC.

Cheers

ulf_thornander3
Inactive

Hi

Gary, perhaps if you are asking them a bit more in depth. Do they have access beyond the IPSec termination point?

http://www.omnisecu.com/security/ipsec/ipsec-tunnel-mode.php

Then you can place the AMD inside the termination point and you will be fine.

Ulf raises a good point. I didn't consider all possible ways of deploying IPSec.

- IPSec VPN, remote users use IPSec for secure access into a corporate network, typically the VPN access point/router will terminate the IPSec and the rest of the network can be monitored as usual.

- IPSec WAN, corporate network protects its inter-site Wide Area Network links with IPSec between routers, again the internal network (data centre) is fine to monitor. Much like the VPN option above.

lastly

- IPSec end-to-end, clients and servers negotiate all communications with IPSec protection, this one we can't do much about.

Well put Chris - sorry if I was being a bit too brief 🙂

jeroen_hautekee
Dynatrace Guide

Hi,

even in cases 1 and 2, the question remains valid I think.

I would like to be able to chart together the fact that the tunnel was broken, or being rekeyed/renegotiated and try to correlate this to client/server packet loss/retransmits/tcp_window events deeper down into the datacenter.