What is the use case for using TLS on an internal network?

See the note in the bottom center of this classic slide:

[Slide image: NSA intercepting Google traffic, annotated "SSL added and removed here" with a smiley]

This is from a leaked NSA slide deck. Tapping internal traffic is not rocket science; the only real requirement is that someone is targeting you. If there is something of value going over the cable, something potentially worth encrypting, then you may also assume that someone might be going after it sooner or later.

That's why we encrypt internal traffic: physical cables are not always to be trusted. A guest in a waiting room having access to the internal network (due to missing or misconfigured (V)LANs) is not uncommon, or someone who is trusted but whose device is infected, or someone who physically breaks in, or a single compromised server that can intercept other servers' traffic... there are a lot of scenarios in which encryption helps, also on internal networks. You should also ask yourself: is the least privileged person with physical (or network) access allowed to learn the most sensitive data that the network transports? If not, encryption is what ensures they can't intercept it.

Do you know where your physical cables run and whether all those places are guarded at all times? Is ARP spoofing disabled in every LAN you have? VLAN hopping mitigated? No WPA2-PSK WiFi anywhere? Intermediate firewalls and routers have 2FA enabled and are not hacked? Are all of the implemented measures tested? Did I not forget anything? From my experience, each of these measures is in use only in a minority of companies, and very few will have it all.

Setting up the encryption is typically easy these days. If you're only talking about your own data, then you can take the risk for yourself. But when there are other people (colleagues or even customers) at risk, you really should enable it.


The only use case I can think of is if you have untrusted users on the network...

This, but the problem is that you have untrusted users who you don't even know are users on the devices on the network. This includes:

  • Botnet nodes on compromised IoT junk
  • Developers of whatever sketchy apps you installed on your phone or PC
  • Attackers who've already compromised an actual server on your network, possibly a low-value one where security was overlooked
  • Physical attackers who discreetly connected a device to an ethernet jack somewhere
  • Neighbors/wardrivers who guessed/brute-forced your wifi password
    • And any of the above using their devices
  • Etc.

A fundamental principle of security is that the network layer is always untrusted. If you follow this you will save yourself a lot of trouble.


With TLS enabled for internal services, you are reducing the risk against threats such as:

  • Sensitive data disclosure through sniffing attacks by a malicious insider or an external attacker who already has a foothold inside your network
  • Man-in-the-Middle attacks through rogue servers which can easily spoof the identity of an unauthenticated server (TLS gives you authenticity besides confidentiality*) which can then escalate to greater attack scenarios
  • Unauthorised alterations of data in transit, which can cause serious damage if the data being sent is part of some administrative command (TLS also gives you the data integrity security service)
  • Probably others that I can't think of right now...

* Assuming that it is not a self-signed TLS certificate and some sort of establishment of trust exists, such as an internal PKI.

As always, it's a risk-based approach. If you think the above threats are not far-fetched for your network/organisation, then I would recommend implementing TLS where possible internally. If for any reason this will add a layer of complexity that would outweigh the gained benefits (as the risk of such threats materialising is deemed as low), then don't.
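The authenticity point in the answer above (rogue servers, and the footnote that this only holds with an established trust anchor such as an internal PKI) can be shown end to end. The following is an added example, not code from the original post: it constructs a throwaway internal CA, issues a certificate for the assumed hostname api.internal, and then lets a client that trusts only that CA handshake with a genuine server and with a self-signed impostor presenting the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway cert for name, signed by parent, or self-signed when parent is nil.
// Errors are ignored for brevity; a real issuer checks every one of them.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only the CA may sign other certificates
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: vouches only for itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serve answers one TLS handshake on loopback with cert and returns the listener address.
func serve(cert *x509.Certificate, key *ecdsa.PrivateKey) string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	// The server-side handshake simply errors when the client rejects the certificate.
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }; ln.Close() }()
	return ln.Addr().String()
}

// connect handshakes as a client that trusts only the internal CA and expects the name api.internal (assumed hostname).
func connect(addr string, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "api.internal", MinVersion: tls.VersionTLS12})
	if err == nil { c.Close() }
	return err
}

// Demo reports whether the CA-issued server is accepted and a self-signed impostor using the same name is rejected.
func Demo() (genuineOK, rogueRejected bool) {
	ca, caKey := mkCert("internal-ca", true, nil, nil)
	srv, srvKey := mkCert("api.internal", false, ca, caKey)
	rogue, rogueKey := mkCert("api.internal", false, nil, nil) // constructed impostor, no trust path
	genuineOK = connect(serve(srv, srvKey), ca) == nil
	rogueRejected = connect(serve(rogue, rogueKey), ca) != nil
	return
}
```

Demo returns true, true: the client only accepts the server whose chain ends at the internal CA, which is exactly the trust establishment the footnote asks for; if the client instead set InsecureSkipVerify, the impostor would be accepted too.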