Firewall Wizards mailing list archives
Re: Using SSL accelerators in firewalls
From: Ryan McBride <mcbride () countersiege com>
Date: Wed, 17 Jul 2002 09:09:37 -0400
On Wed, Jul 17, 2002 at 02:18:33PM +1000, Darren Reed wrote:
> There would seem to be a growing trend in using SSL accelerators not next to the web server but attached to a firewall so that it isn't https traffic that passes through but http. To me this screams out "bad design" as the end-to-end encryption is lost in the process and the security of transactions eroded. What do others think? Is this becoming a "done thing" that is more and more acceptable to corporates or is this just an isolated thing?
I've seen it in several production environments, and I believe it's becoming increasingly common.

- It allows you to place a network IDS in a position where you can sniff the http traffic and look for application layer attacks.
- It allows you to do load balancing, caching, and application layer filtering with an intermediate box or boxes that you couldn't do on a raw SSL stream.

Yes, there is the drawback of a potential loss of confidentiality on the unencrypted segment, but if the system is carefully architected (network segment for this purpose only, good filtering, etc.) the risks can be minimized. If they compromise your webserver, they can get the traffic anyways - in the cases of webserver software with poor security engineering, the intermediate box can actually improve security by blocking some classes of attacks.

-Ryan

--
Ryan T. McBride, CISSP - mcbride () countersiege com
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 8BA0 A58C 5038 9157 59C3 F9E6 6DDA 6611 BF4C 776B