We are currently trying to decide on how best to do SSL traffic in our environment. We have an externally facing Apache proxy server that is responsible for directing all traffic into our environment. It is also doing the SSL work for the majority of our servers.
There are one or two IIS servers in particular that are doing their own SSL, but they are also behind the proxy.
I'm wondering, is SSL to the proxy good enough? It would mean that traffic within our network is identifiable, but is that such a big deal?
That depends on the traffic. If the traffic is sensitive enough to warrant SSL to the proxy, I would err on the side of caution and maintain an SSL connection end-to-end. If you are dealing with information like credit card transactions, then you don't have a choice.
If a host within your network is compromised, then there is a possibility that the traffic could be sniffed and captured. Again, the level of risk depends on the information being transmitted. Weigh the risk versus the added overhead and complexity that deploying end-to-end SSL would entail.
I agree with @sdanelson; BUT if I am reading this correctly, I would also ensure SSL/TLS transactions go through a firewall and make it the destination for the SSL traffic from the client. Then forward, or proxy, the requests to the internal system. This would help to lessen a man-in-the-middle attack.
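
The two options weighed in this thread, written out as an Apache 2.4 reverse-proxy virtual host. This is an added example, not configuration from the original posts; the hostnames, paths and CA file are placeholders, and it assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.

```apache
# Constructed example: www.example.com, iis01.internal.example.com and all
# file paths are placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS, terminated on the proxy in both options.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Option A: SSL to the proxy only.
    # The hop from the proxy to the backend is plain HTTP, so the traffic
    # is readable on the internal network segment.
    # ProxyPass        /app/ http://iis01.internal.example.com/app/
    # ProxyPassReverse /app/ http://iis01.internal.example.com/app/

    # Option B: re-encrypt the hop to the backend.
    # The proxy still decrypts the request, but nothing crosses the
    # internal network in clear text.
    SSLProxyEngine on

    # Verify the backend certificate against the internal CA. Without
    # these checks the proxy would accept any certificate presented on
    # the internal hop, which gives encryption without authentication.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    ProxyPass        /app/ https://iis01.internal.example.com/app/
    ProxyPassReverse /app/ https://iis01.internal.example.com/app/
</VirtualHost>
```

With Option B the backend certificate must carry the internal hostname used in `ProxyPass`, otherwise `SSLProxyCheckPeerName` rejects the connection and the proxy answers with a 5xx error instead of silently falling back to an unverified connection.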