Hello,
I was reading the section below of the EJBCA documentation and I'm very interested to learn about the peer system and the standalone deployment of the RA/VA, so I wanted to get more information about the security reasons behind these kinds of setups.
https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/peer-systems
On the other hand, common domain security models have the following requirements: 1- All connections must be by mutually authenticated TLS. 2- The CA must be behind a firewall allowing only outgoing connections due to VAs and RAs most often residing in lower security domains in order to be accessible to clients. While the first requirement is easy to solve, the second one poses some issues with the connections modeled above.
Can you please give an example of this domain security model?
Why is mTLS with a proper Access Rule configuration for the EE Profiles, CAs, etc. not enough to protect the CA?
Regards
Last edit: abu veight 2022-12-21
I would be glad to continue the discussion at GitHub.
https://github.com/Keyfactor/ejbca-ce/discussions
In short it has to do with network security and segmentation and not with the security of mTLS itself. A CA is one of the most central security components of an infrastructure, and it is often desired to have it as isolated as possible on the network. Not enabling any incoming connections to the CA is one piece of protection that minimizes the risk that any network component, such as a network stack in an OS, or the TLS stack of a server, can be attacked if there were to appear any vulnerabilities in those.
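As an added illustration of the point made in the reply (this is example code, not from the EJBCA project or from either poster), the following Python checks a set of inter-component connections against the two requirements quoted from the documentation in the question, and builds an outbound-only nftables ruleset for the CA host. The host names, zones, addresses and the peer port 8443 are assumptions made for the example, as is the exact shape of the ruleset.

```python
# Added example, not code from the EJBCA project or from either poster.
# Models the two requirements quoted from the peer-systems documentation and
# checks candidate inter-component topologies against them. Host names,
# addresses, zones and the peer port 8443 are assumptions made for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    initiator: str        # host that opens the TCP connection
    initiator_zone: str
    responder: str        # host that listens and accepts it
    responder_zone: str
    port: int
    mtls: bool            # both sides present and verify certificates


def check_topology(conns):
    """Return the violations of the domain security model, as strings.

    Requirement 1: every connection is mutually authenticated TLS.
    Requirement 2: the CA accepts no incoming connections; it only opens
    outgoing ones to its RA/VA peers in the lower-security zone.
    """
    violations = []
    for c in conns:
        if not c.mtls:
            violations.append(f"{c.initiator}->{c.responder}:{c.port} is not mTLS")
        if c.responder_zone == "ca":
            violations.append(
                f"{c.initiator} ({c.initiator_zone}) initiates an inbound "
                f"connection to {c.responder} in the CA zone"
            )
    return violations


def nft_rules_for_ca(peers, port=8443):
    """Build an outbound-only nftables ruleset for the CA host.

    Input defaults to drop and only admits replies to connections the CA
    opened itself; output admits only the listed RA/VA peers on `port`.
    Returned as text so it can be reviewed before loading with `nft -f`.
    """
    lines = [
        "table inet ca_host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oif "lo" accept',
        "    ct state established,related accept",
    ]
    for addr in peers:
        lines.append(f"    ip daddr {addr} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed topologies. "Classic": RA and VA in the DMZ call into the CA.
CLASSIC = [
    Connection("ra01", "dmz", "ca01", "ca", 8443, mtls=True),
    Connection("va01", "dmz", "ca01", "ca", 8443, mtls=True),
]
# "Peer": the CA opens the connections to its RA/VA peers instead.
PEER = [
    Connection("ca01", "ca", "ra01", "dmz", 8443, mtls=True),
    Connection("ca01", "ca", "va01", "dmz", 8443, mtls=True),
]
# Peer direction, but one link configured without client authentication.
PEER_WEAK_TLS = [
    Connection("ca01", "ca", "ra01", "dmz", 8443, mtls=True),
    Connection("ca01", "ca", "va01", "dmz", 8443, mtls=False),
]

if __name__ == "__main__":
    for name, topo in [("classic", CLASSIC), ("peer", PEER), ("peer/weak", PEER_WEAK_TLS)]:
        print(name, check_topology(topo) or "OK")
    print(nft_rules_for_ca(["10.0.1.10", "10.0.1.11"]))
```

The classic layout is rejected even though every link is mTLS, because the CA still has to expose a listening TLS endpoint to the DMZ; the peer layout passes because the only sockets open toward the CA are the ones it created itself, which is exactly what the generated ruleset enforces at the firewall.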