Vulnerability Development mailing list archives
Re: SSL & IDS
From: Dragos Ruiu <dr () KYX NET>
Date: Sat, 2 Sep 2000 11:45:58 -0700
That's interesting... because I'm seeing a lot of people get excited about load balancers from a variety of vendors, and terminating the SSL at some SSL acceleration HW on the load balancer and having the load balancers manage cookies, sessions, and other items. This is something that is universally regarded as a positive by a lot of the network designers and groups I do consulting for.... But it does have security implications that I think aren't being considered much yet.

Goes to show that there is more to secure design than protecting from buffer overflows....

cheers,
--dr

On Sat, 02 Sep 2000, Ng Pheng Siong wrote:
> On Fri, Sep 01, 2000 at 09:36:34AM +0200, Mikael Olsson wrote:
> > You'll likely have to terminate the SSL connection on a reverse proxy machine in front of the web server and do your IDS sniffing after that reverse proxy.
>
> This seems a popular suggestion. Given the usual statistic that 80% (or 90% or whatever) of security compromises are internal jobs, deliberately terminating your SSL early and then having your app talk in the clear over your internal network is more dangerous than it is useful, IMHO.
>
> Cheers.
> --
> Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
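As an added illustration of the design debated above (this is not configuration from the thread or from any of its posters), here is an nginx reverse-proxy configuration in two forms. The first is the setup Mikael and Dragos describe: TLS is terminated at the proxy and the request is forwarded to the backend in the clear, which is what makes IDS sniffing behind the proxy possible and is also exactly what Ng objects to. The second terminates TLS the same way but re-encrypts to the backend, verifies the backend's certificate and presents a client certificate so the backend can authenticate the proxy. The two server blocks are alternatives (load only one); hostnames, certificate paths and upstream addresses are assumptions.

```nginx
# Added example configuration, not from the original thread.
# Hostnames, certificate paths and upstream addresses are assumptions.

# --- Weak form: TLS terminated at the proxy, cleartext to the backend ---
# An IDS tapping the proxy-to-backend segment sees plaintext HTTP,
# but so does anyone else who can reach that segment.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.1.10:8080;   # plaintext over the internal LAN
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- Hardened form: terminate, then re-encrypt to the backend ---
# The proxy still owns the client session (cookies, stickiness, etc.),
# but the internal hop is TLS again: the backend certificate is checked
# against an internal CA and the proxy authenticates with its own cert.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://app.internal.example:8443;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;       # refuse unverified backends
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name         on;       # send SNI to the backend
        proxy_ssl_name                app.internal.example;
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate either form with `nginx -t` before reloading. Note what the hardened form does to the IDS question in the thread: once the internal hop is encrypted again, a sensor on that segment is back to seeing ciphertext, so inspection of the decrypted stream has to happen on the proxy host itself rather than by sniffing the wire behind it. The trade-off Ng raises does not disappear, it just moves to the proxy, which is now the one place where the traffic exists in the clear.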
Current thread:
- Re: SSL & IDS Denis Ducamp (Sep 01)
- <Possible follow-ups>
- Re: SSL & IDS Ed Padin (Sep 01)
- Re: SSL & IDS Inno Eroraha (Sep 01)
- Re: SSL & IDS Blue Boar (Sep 02)
- Re: SSL & IDS Bluefish (P.Magnusson) (Sep 01)
- Re: SSL & IDS Timothy J. Miller (Sep 01)
- Re: SSL & IDS Mikael Olsson (Sep 01)
- Re: SSL & IDS Ng Pheng Siong (Sep 02)
- Re: SSL & IDS Dragos Ruiu (Sep 02)
- Re: SSL & IDS Bluefish (P.Magnusson) (Sep 03)
- Re: SSL & IDS Pluto (Sep 08)
- Re: SSL & IDS Ng Pheng Siong (Sep 02)
- Re: SSL & IDS Benjamin P. Grubin (Sep 05)
- Re: SSL & IDS J Edgar Hoover (Sep 01)