This week I realised that I had the option to log into an EqualLogic Web Management Portal with either HTTP or HTTPS. It got me thinking what effect that has on the Encrypt Communication checkbox during login.
EqualLogic login prompt running Firmware 5.x
Under the default configuration of an EqualLogic array you have the option to select Encrypt Communication during login. This can be changed so that the option is forced on.
Under Group Configuration, select the Administration tab. You will see that Web access is enabled and, under GUI access, that the checkbox Allow only secure communication is unticked. Ticking this box forces the use of Encrypt Communication during login. You will then notice that Web access changes to Secure Only.
The above screenshot is from Firmware 6.x. On Firmware 5.x the checkbox is called Allow only secure SSL communication. Oddly enough, once enabled on either firmware version this won’t prevent HTTP access to the Web Management Portal.
Now when attempting to log in you will have to use Encrypt Communication. Under EqualLogic PS Series 5.x Firmware you have to select the checkbox yourself. If you don’t, you will receive an error when attempting to log in.
Under PS Series Firmware 6.x the checkbox will be selected by default and greyed out. So you won’t get the above message.
As mentioned above, HTTP web access is still possible along with HTTPS. So what’s going on here?!?! Hence the reason for this post…
So I fired up Wireshark to watch communication between my PC and the EqualLogic Array. I first tried accessing the Web Management Portal with HTTPS and logging in using the Encrypted Communication checkbox. I then tried again but this time using Encrypt Communication. No surprise here, both times all traffic was encrypted right from sign-in.
Next I accessed the Web Management Portal using HTTP, not using Encrypt Communication, and signed in. Looking through the Wireshark logs I could see my username and password in plaintext (certainly not recommended). Again using HTTP to access the Portal I enabled Encrypted Communication and signed in. This time looking through the Wireshark logs I could see my sign-in details were encrypted and all subsequent information as well.
From what I can see, what is going on here is that the EqualLogic Web Management Portal is a Java applet. When loaded, a connection is established over port 3002 on Firmware 5.x and port 3003 on Firmware 6.x. When Encrypt Communication is selected during sign-in, SSL encryption is handled by the Java applet. When it is not selected, whether the session is encrypted is determined by whether you used HTTP or HTTPS, and relies on the browser to secure the communication.
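The Wireshark check above can be automated. The following is an added example, not code from the original post or from Dell/EqualLogic: it takes the payload of each captured TCP segment, decides whether it starts with an SSL/TLS record header or is plaintext, flags plaintext segments to the applet ports the post names (3002 on 5.x, 3003 on 6.x), and scans plaintext for anything that looks like a username or password. The sample segments are constructed for illustration, and the `user=`/`password=` wire format in them is an assumption; the post does not document what the applet actually sends.

```python
import re
from dataclasses import dataclass, field

# Ports the post reports the applet using: 3002 on firmware 5.x, 3003 on 6.x.
APPLET_PORTS = {3002, 3003}

TLS_CONTENT_TYPES = {20, 21, 22, 23}             # change_cipher_spec, alert, handshake, application_data
TLS_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}  # SSLv3, TLS 1.0, 1.1, 1.2 record-layer versions
MAX_RECORD_LEN = 16384 + 2048                    # largest protected record (RFC 5246)

# Hypothetical credential keys. The applet's real login format is not documented in the post,
# so adjust this pattern to whatever the capture actually shows.
CRED_RE = re.compile(rb"(?i)\b(user(?:name)?|login|pass(?:word|wd)?)\s*[=:]\s*(\S+)")


@dataclass
class Segment:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class AuditResult:
    tls: int = 0
    plaintext: int = 0
    unencrypted_applet_segments: list = field(default_factory=list)  # indexes into the input
    leaked_credentials: list = field(default_factory=list)           # (index, dst_port, key, value)


def classify_payload(payload: bytes) -> str:
    """Return 'tls' if the segment starts with a plausible SSL/TLS record header,
    'empty' if it carries no data, otherwise 'plaintext'.

    This is a per-segment heuristic: a segment that begins in the middle of a large
    TLS record will look like plaintext. Reassemble the TCP stream first if that matters."""
    if len(payload) < 5:
        return "plaintext" if payload else "empty"
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and (major, minor) in TLS_VERSIONS and 0 < length <= MAX_RECORD_LEN:
        return "tls"
    return "plaintext"


def find_credentials(payload: bytes):
    """Return (key, value) pairs for anything in a plaintext payload that looks like a credential."""
    return [(k.decode().lower(), v.decode(errors="replace")) for k, v in CRED_RE.findall(payload)]


def audit_segments(segments):
    """Classify every segment and collect the findings an admin would care about."""
    result = AuditResult()
    for i, seg in enumerate(segments):
        kind = classify_payload(seg.payload)
        if kind == "tls":
            result.tls += 1
        elif kind == "plaintext":
            result.plaintext += 1
            # Applet traffic that is not wrapped in TLS means Encrypt Communication was off
            # and the browser's HTTP/HTTPS choice did not protect it either.
            if seg.dst_port in APPLET_PORTS:
                result.unencrypted_applet_segments.append(i)
            for key, value in find_credentials(seg.payload):
                result.leaked_credentials.append((i, seg.dst_port, key, value))
    return result


# Constructed sample capture (not real EqualLogic traffic): one HTTP fetch of the portal page,
# one applet login with Encrypt Communication unticked, and one with it ticked.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n"),
    Segment("10.0.0.5", "10.0.0.20", 3002, b"LOGIN user=grpadmin password=Winter2012!\r\n"),
    # TLS 1.0 handshake record (ClientHello, 47 bytes of body) followed by an application_data record.
    Segment("10.0.0.5", "10.0.0.20", 3003, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(41)),
    Segment("10.0.0.5", "10.0.0.20", 3003, b"\x17\x03\x01\x00\x20" + bytes(32)),
]

if __name__ == "__main__":
    r = audit_segments(SAMPLE_SEGMENTS)
    print(f"TLS segments: {r.tls}, plaintext segments: {r.plaintext}")
    for i in r.unencrypted_applet_segments:
        print(f"segment {i}: applet traffic to port {SAMPLE_SEGMENTS[i].dst_port} is not encrypted")
    for i, port, key, value in r.leaked_credentials:
        print(f"segment {i}: plaintext {key} sent to port {port}: {value}")
```

To run this against a real session, export the TCP payloads from Wireshark (or `tshark -T fields -e tcp.dstport -e tcp.payload`) and build `Segment` objects from them; any hit in `unencrypted_applet_segments` means a login went through with Encrypt Communication off, regardless of whether the browser used HTTP or HTTPS for the page itself.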
So if you use HTTPS to access the Management Portal you can be relatively sure your own communication is secure, but you can't guarantee other admins are doing the same. The safest thing to do is to always enable the Allow only secure communication checkbox in the Administration tab. With that option enabled you can be sure that, whether administrators reach the portal over HTTP or HTTPS, the login and all subsequent communication with the EqualLogic array will be encrypted by the applet.