Firewall Wizards mailing list archives

Re: Using SSL accelerators in firewalls


From: Ryan McBride <mcbride () countersiege com>
Date: Wed, 17 Jul 2002 09:09:37 -0400

On Wed, Jul 17, 2002 at 02:18:33PM +1000, Darren Reed wrote:

> There would seem to be a growing trend in using SSL accelerators not
> next to the web server but attached to a firewall so that it isn't
> https traffic that passes through but http.
>
> To me this screams out "bad design" as the end-to-end encryption is
> lost in the process and the security of transactions eroded.
>
> What do others think?  Is this becoming a "done thing" that is more
> and more acceptable to corporates or is this just an isolated thing?

I've seen it in several production environments, and I believe it's
becoming increasingly common.

- It allows you to place a network IDS in a position where you can sniff
  the http traffic and look for application layer attacks.

- It allows you to do load balancing, caching, and application layer
  filtering with an intermediate box or boxes that you couldn't do on a
  raw SSL stream.

Yes, there is the drawback of a potential loss of confidentiality on the
unencrypted segment, but if the system is carefully architected (a network
segment for this purpose only, good filtering, etc.) the risks can be
minimized. If they compromise your webserver, they can get the traffic
anyway; in the case of webserver software with poor security
engineering, the intermediate box can actually improve security by
blocking some classes of attacks.

-Ryan

-- 
Ryan T. McBride, CISSP - mcbride () countersiege com
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 8BA0 A58C 5038 9157 59C3  F9E6 6DDA 6611 BF4C 776B
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
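The two points Ryan makes above (a sensor on the cleartext segment can read the HTTP request, while a sensor on the encrypted side sees only TLS record framing) can be shown with a small inspector. The code below is an added example for this archive page, not code from the thread or from Countersiege; the request samples, the pseudo-ciphertext bytes, the allowed-method set and the size limit are all constructed for illustration.

```python
"""Contrast what an inspector sees before and after SSL termination.

inspect_cleartext() parses an HTTP/1.x request as it would appear on the
segment between the SSL accelerator and the web server and returns
application-layer findings. inspect_tls_record() is what the same sensor
gets on the encrypted side: record type, protocol version and length only.
All sample data below is constructed; no real traffic or ciphertext is used.
"""
from dataclasses import dataclass

# Policy values are assumptions for this example, not anything from the thread.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_TARGET_LEN = 2048


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of an HTTP/1.x request.

    Raises ValueError on a malformed request line, which a caller treats
    as a finding in its own right.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if not 3 parts
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def findings_for(req: HttpRequest) -> list[str]:
    """Simple application-layer checks a filtering box or IDS can apply."""
    findings = []
    if req.method not in ALLOWED_METHODS:
        findings.append(f"unexpected method {req.method}")
    if len(req.target) > MAX_TARGET_LEN:
        findings.append("overlong request target")
    if "../" in req.target or "..%2f" in req.target.lower():
        findings.append("path traversal sequence in target")
    if "host" not in req.headers:
        findings.append("missing Host header")
    return findings


def inspect_cleartext(raw: bytes) -> list[str]:
    """Findings for one request seen on the unencrypted segment."""
    try:
        req = parse_http_request(raw)
    except ValueError:
        return ["malformed request line"]
    return findings_for(req)


def inspect_tls_record(raw: bytes) -> dict:
    """All a sensor on the encrypted side can see: the 5-byte record header."""
    if len(raw) < 5:
        raise ValueError("short record")
    return {
        "content_type": raw[0],                      # 23 = application data
        "version": (raw[1], raw[2]),
        "length": int.from_bytes(raw[3:5], "big"),
    }


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /images/../../private/config HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}

# Constructed stand-in for an encrypted application-data record: the
# 40 payload bytes are arbitrary, not real ciphertext.
OPAQUE_PAYLOAD = bytes(range(40))
SAMPLE_TLS_RECORD = b"\x17\x03\x01" + len(OPAQUE_PAYLOAD).to_bytes(2, "big") + OPAQUE_PAYLOAD


def triage(samples: dict) -> dict:
    """Run the cleartext inspector over every sample and collect findings."""
    return {name: inspect_cleartext(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, found in triage(SAMPLE_REQUESTS).items():
        print(f"{name:10s} -> {found or 'no findings'}")
    print("encrypted  ->", inspect_tls_record(SAMPLE_TLS_RECORD))
```

The checks are deliberately coarse; the point is which fields are even available to a sensor at each position. On the encrypted side the record header is the whole story, which is why the accelerator-before-the-filter layout is chosen when application-layer inspection is the goal.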

