Firewall Wizards mailing list archives

Re: Using SSL accelerators in firewalls


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 17 Jul 2002 10:27:26 -0600 (MDT)

On Wed, 17 Jul 2002, Darren Reed wrote:

> There would seem to be a growing trend in using SSL accelerators not
> next to the web server but attached to a firewall so that it isn't
> https traffic that passes through but http.
>
> To me this screams out "bad design" as the end-to-end encryption is
> lost in the process and the security of transactions eroded.

So?  Where is the bad guy?  If the traffic is still encrypted when it goes
past him, then the crypto is still doing its job.  The obvious change is
that there's now this small length of wire where the traffic isn't
encrypted, somewhere on your DMZ.  This means that an attacker who has
compromised a machine on your DMZ can probably sniff the web traffic.  The
machine that is most likely to be compromised is your web server, and
even if it's not, they can likely sniff the traffic between the web server
and the DB anyway, which is more to the point if they are trying to steal
stuff you need SSL to protect.

I.e. in my opinion, worrying about that short bit of unencrypted traffic
is worrying about a smaller problem when there are larger ones to worry
about.  (I consider a hostile on my DMZ a worse problem than having my
traffic sniffed.)

> What do others think?  Is this becoming a "done thing" that is more
> and more acceptable to corporates or is this just an isolated thing?

It's probably a done deal for anyone who has a significant amount of SSL
traffic to do.  It takes the CPU load off the webservers, the SSL box
probably includes the HTTP load balancing feature you need anyway, and
you get your NIDS functionality back.

                                        Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
