Linode NodeBalancer Fails PCI DSS Compliance Scan by Trustwave

First, we are big fans of Linode. We have been testing the API and all the goodies that Linode provides for a while in the hope that we can migrate a mid-size client with PCI DSS compliance requirements on Linode from bare-metal LAMP stack hardware we host in the same data center as they do.

So we finally set up a NodeBalancer to terminate SSL for our web nodes and pointed a PCI scan from Trustwave.

We passed all their vectors except for one that we have no control over!

The scan shows that the TLS v1.0 protocol is supported by the NodeBalancer.

Has anyone here overcome this?

The only choice we have is to remove the NodeBalancer and terminate SSL at the host level. This would mean that the awesome autoscaling code that we have been writing to bring nodes up and down behind the NodeBalancer will be completely wasted. :(

We need a central load balancer to do the SSL stuff so that nodes can be added/removed as needed.

Of course, we can build our own load balancer using squid or nginx but the key benefit of a cloud provider is the ready-made tools and API. So I am very disappointed to face this issue.

Anyone else faced this issue?

4 Replies

What about using the NodeBalancer in TCP mode and terminating SSL on your hosts? Would that still be incompatible with your auto-scaling system?

Anyway, it would be really good to be able to control the NodeBalancer's SSL configuration (protocol version, ciphersuite, OCSP stapling, etc). Some of us have more stringent security requirements, whereas others may have to support a wider range of outdated devices and browsers. Since about a year ago, it is no longer possible for a single SSL configuration to satisfy both needs.

@hybinet – terminating SSL on nodes would work as we can turn off TLS v1 on node level, so it's a possible workaround. Of course, the best scenario is to be able to configure the NodeBalancer's SSL cipher suite and protocols like you mentioned.

So for the time being, we filed a Risk Mitigation and Migration Plan with Trustwave as a stop-gap measure. It turns out that PCI DSS itself recommends doing so until 2016.

Thank you for taking the time to offer solutions. We are still very excited about Linode and the community is just awesome!

I would suggest you open a ticket on this. TLS 1.0 is vulnerable to POODLE and Linode should be at least planning to shut it down. Perhaps they have some plans in the works that they would share with you via a ticket or have some other options they'd have available.

@gig - I already created a ticket and spoke to support before posting here. I even asked if it is OK to post about this here as it is my very first post!

Anyway, here is what I have done to pass the PCI scan by Trustwave:

Since I was failing only for the TLS v1 issue and there is no way to get rid of it without taking over SSL at the node level, I went with Trustwave's advice and filed a Risk Mitigation Plan, which they accepted upon review.
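For anyone checking the TCP-mode workaround (TLS terminated on the nodes, TLS 1.0 switched off there) before the next Trustwave scan, here is an added example of the kind of probe the scan performs; it is not code from the thread or from Linode. It pins one handshake to each protocol version and reports which the endpoint accepts; the host name is a placeholder, and the set of versions counted as failing is an assumption matching the finding above (TLS 1.0).

```python
import socket
import ssl

# Versions a PCI-style scan offers one at a time. Python's ssl module
# reports a TLS 1.0 session as "TLSv1", hence the separate display names.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Assumption: only TLS 1.0 is treated as a failing finding, as in the thread.
LEGACY = frozenset({"TLSv1.0"})


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake restricted to a single protocol version.
    Returns "accepted", "rejected", "unreachable" or "client_unsupported"
    (the local OpenSSL build will not even offer that version)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # the protocol is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except ValueError:
        return "client_unsupported"
    if VERSIONS[name] < ssl.TLSVersion.TLSv1_2:
        try:  # OpenSSL 3 refuses legacy versions unless the security level is lowered
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"   # min == max, so the negotiated version is `name`
    except (ssl.SSLError, ConnectionResetError):
        return "rejected"           # server declined the offered version
    except OSError:
        return "unreachable"        # refused, timed out, no route


def scan(host, port=443):
    return {name: probe_version(host, port, name) for name in VERSIONS}


def pci_verdict(results, legacy=LEGACY):
    """Pure summary of a scan: fails if any legacy version was accepted, and
    stays inconclusive if a legacy version could not be probed from here."""
    accepted = sorted(v for v in legacy if results.get(v) == "accepted")
    inconclusive = sorted(v for v in legacy
                          if results.get(v) in ("client_unsupported", "unreachable"))
    return {"pass": not accepted and not inconclusive,
            "accepted_legacy": accepted, "inconclusive": inconclusive}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "lb.example.invalid"  # placeholder
    outcome = scan(target)
    for version, state in outcome.items():
        print(f"{version:8} {state}")
    print("TLS 1.0 check:", "PASS" if pci_verdict(outcome)["pass"] else "FAIL")
```

A "rejected" result for TLS 1.0 should still be cross-checked against the node's own `ssl_protocols`/`SSLProtocol` setting, since a client that cannot speak TLS 1.0 at all is reported as "client_unsupported" rather than as a pass.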
