Forum Discussion
SSL all the way through web server and WebSphere
Hello All,
I have recently been researching security and how to implement it correctly in our environment. Here is the scenario:
browser connects via https -----> F5 (terminates SSL) ---http---> Apache 2.2 (http) ---http---> WebSphere Portal (http)
                                                |
                                                v
Case 1. In between the connection from the F5 to Apache, authentication happens in the cloud with a product that does two-factor authentication.
Case 2. The user is not in the highly protected flow and is therefore redirected to Oracle Access Manager to get credentials.
Either way, the end result is a cookie inserted into the browser that is used throughout the session.
Also note: when running a trace, all the requests go through https.
First of all, I apologize for my lack of knowledge on this topic; I am still learning and gathering information. My questions are:
1. Is it a security problem that the connection between the F5 and Apache is unencrypted? This is an internal network and the network team is doing some security on their side; is that going to be enough? Can anyone within the internal network sniff the packets and steal the information (intentionally or unintentionally)? The same goes for the connection between Apache and WebSphere Portal.
2. A follow-up question: though it is good to have SSL all the way through, it is taxing, and I am concerned about the performance hit.
3. In the scenario above, in case 2, even though I see https (and again the F5 is offloading the SSL), when I run a trace (Live HTTP Headers in particular) I see a clear-text username and password when I log in. That is my real concern.
I have many other follow-up questions I could come up with; can anyone please help me figure this out?
Thanks,
Dee.
1 Reply
What_Lies_Bene1 (Cirrostratus)
Dee,
1) Probably; that depends on your security policy and the data, of course. Yes, anyone can sniff/packet-capture the data. Yes, the same goes for Apache to WebSphere.
2) There may be a performance hit on the servers (the F5 won't break a sweat), but you'll only be able to judge this by testing, I would have thought.
3) LiveHTTPHeaders displays the data once the browser has decrypted it (as with all the relevant HTTP content). To confirm it is encrypted (which I'm sure it is), run Wireshark on the PC and capture traffic to the F5; it'll be clear it's encrypted.
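Points 1 and 3 of the reply (a capture on the wire shows ciphertext on the https hop, while anyone on the internal segment can read the F5-to-Apache and Apache-to-WebSphere hops), as an added Python example that is not part of this thread or of any F5, Apache or WebSphere code. It models what a passive sniffer recovers from one captured TCP payload on each hop: on the browser-to-F5 hop only the TLS record framing, on the plain http hops the login form fields, HTTP Basic credentials and the session cookie. The URL paths, host name, form field names, cookie name, the Basic-auth variant and every sample byte are constructed assumptions for the example, not values from the poster's environment.

```python
"""Added example (not from the forum thread): what a passive sniffer can read
on each hop of the chain Dee describes.

    browser --https--> F5 --http--> Apache --http--> WebSphere Portal

On the browser -> F5 hop only TLS record framing is visible; on the two plain
HTTP hops behind the F5 the same login POST, and the session cookie that
follows it, are readable by anyone who can capture that segment.  All sample
bytes below are constructed for the example, not taken from a real capture."""
import base64
import os
import struct
from urllib.parse import parse_qs

# Form field names treated as login secrets.  The names are assumptions; the
# real portal login form may use different ones.
CREDENTIAL_FIELDS = {"username", "user", "userid", "password", "passwd", "pwd"}

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_RECORD_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2/1.3"}


def constructed_login_post() -> bytes:
    """The login POST as it crosses the unencrypted F5 -> Apache hop.
    Path, host, field names and cookie are made up for the example."""
    body = b"username=dee&password=Winter2024%21"
    return (b"POST /wps/portal/login HTTP/1.1\r\n"
            b"Host: portal.example.internal\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Cookie: PORTALSESSION=7f3a9c1d2e4b\r\n"
            b"\r\n" + body)


def constructed_basic_auth_get() -> bytes:
    """Hypothetical request carrying HTTP Basic credentials: a second form of
    credential that is equally readable on a plaintext hop."""
    token = base64.b64encode(b"dee:s3cret").decode()
    return (b"GET /wps/myportal HTTP/1.1\r\n"
            b"Host: portal.example.internal\r\n"
            b"Authorization: Basic " + token.encode() + b"\r\n\r\n")


def constructed_tls_record(ciphertext_len: int = 96) -> bytes:
    """Stand-in for the same POST on the browser -> F5 hop: one TLS
    application-data record.  Random bytes play the role of the ciphertext."""
    return struct.pack("!BBBH", 23, 3, 3, ciphertext_len) + os.urandom(ciphertext_len)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_secrets(req: dict) -> dict:
    """Everything a sniffer could reuse from a plaintext request: login form
    fields, HTTP Basic credentials and the session cookie."""
    found = {}
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(req["body"].decode("latin-1")).items():
            if field.lower() in CREDENTIAL_FIELDS:
                found[field] = values[0]  # parse_qs undoes percent-encoding (%21 -> "!")
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_user"], found["basic_password"] = user, password
    if "cookie" in req["headers"]:
        found["cookie"] = req["headers"]["cookie"]
    return found


def looks_like_tls_record(segment: bytes) -> bool:
    """TLS record header: content type 20..23, then record version 3.1 .. 3.4."""
    return (len(segment) >= 5 and segment[0] in TLS_CONTENT_TYPES
            and segment[1] == 3 and 1 <= segment[2] <= 4)


def observer_view(segment: bytes) -> dict:
    """What a passive observer learns from one captured TCP payload."""
    if looks_like_tls_record(segment):
        ctype, major, minor, length = struct.unpack("!BBBH", segment[:5])
        return {"readable": False,
                "record_type": TLS_CONTENT_TYPES[ctype],
                "record_version": TLS_RECORD_VERSIONS.get((major, minor), "unknown"),
                "ciphertext_bytes": length}
    req = parse_http_request(segment)
    return {"readable": True,
            "request_line": f"{req['method']} {req['target']}",
            "secrets": find_secrets(req)}


if __name__ == "__main__":
    for hop, segment in [("browser -> F5 (https)", constructed_tls_record()),
                         ("F5 -> Apache (http)", constructed_login_post()),
                         ("Apache -> WebSphere (http, Basic auth variant)",
                          constructed_basic_auth_get())]:
        print(f"{hop}: {observer_view(segment)}")
```

Running it prints one line per hop. The consequence for the original question is that once the F5 has terminated TLS, the cookie that is "used throughout the session" crosses the internal hops in the clear on every later request, so an observer on that segment does not even need the password to reuse the session; that is what the "anyone can sniff/packet-capture the data" answer means in practice.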