Vulnerability Development mailing list archives

RE: IDS and SSL


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Fri, 22 Mar 2002 08:45:44 -0000

Ditto, for Cisco CSS 11000's

They'll give you multi-site loadbalancing too...

Dom
 |-----Original Message-----
 |From: Jason Lewis [mailto:jlewis () packetnexus com] 
 |Sent: Thursday, March 21, 2002 8:17 PM
 |To: 'Oliver Petruzel'; 'zeno'; vuln-dev () securityfocus com; 
 |bugtraq () securityfocus com; webappsec () securityfocus com; 
 |focus-ids () securityfocus com
 |Subject: RE: IDS and SSL
 |
 |
 |C'mon Ollie, I am doing this now.  Instead of buying 
 |encryption cards for all my webservers, we threw a couple of 
 |Alteon iSD SSL accelerators onto our Alteon switches. 
 |http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html
 |
 |These offload encryption and allow me to drop a NIDS next to 
 |the webservers, where all the traffic is un-encrypted.  I 
 |already had the Alteon infrastructure, and the iSD's won't 
 |work without them so YMMV.
 |
 |Granted, eventually we will see congestion, but the 
 |scalability of the SSL accelerators and the Alteons will make 
 |that a long range problem.  I think the iSD's can scale to 256 
 |with the Alteon's distributing the load.  Not to mention I 
 |save my webserver processing power for serving pages, not 
 |encryption....different discussion though.
 |
 |Good network design will avoid those traffic problems.  If I 
 |have that much traffic into one datacenter, it is time to go global.
 |
 |Now, that isn't an excuse for NIDS.  I like HIDS for the 
 |drill down on each box.  I think the two can co-exist.  I 
 |like seeing what is on the wire, not just what made it to each server.
 |
 |Jason Lewis
 |http://www.packetnexus.com
 |It's not secure "Because they told me it was secure".
 |The people at the other end of the link know less
 |about security than you do. And that's scary.
 |
 |
 |//snip
 |Nothing short of a big road-block could monitor encrypted 
 |traffic prior to a host;  it's just not logically possible to 
 |examine the encrypted traffic without a big roadblock and 
 |certificate-sharing nightmare.. that is, on the wire 
 |at least... with the exception of placing an IDS -ON- a 
 |VPN...and that still won't help with SSL specifically, and 
 |that would require SICK amounts of RAM/power to be anything 
 |close to efficient... SSL PROXY/IDS system? No way... same 
 |speed/RAM/bandwidth limitations... //snip
 |
 |
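The layout Jason describes above (terminate TLS on an offload device, put the NIDS on the plaintext segment between it and the web servers), written out as an added example using HAProxy in place of the Alteon iSD; this is not from the thread. Addresses, hostnames, the inspection subnet and the certificate path are assumptions.

```haproxy
# Added example, not part of the thread: TLS offload in front, plaintext
# HTTP on an isolated segment behind, which is where the NIDS sensor taps.
# Addresses, hostnames, subnet and certificate path are assumptions.
global
    log /dev/log local0
    # Drop privileges; the private key is only ever read by this process.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public side: the only place the certificate and private key live.
frontend www_tls
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/www.example.com.pem
    # Preserve the client address for the servers and for NIDS correlation;
    # otherwise every backend flow appears to come from the proxy.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend www_plain

# Inside: plaintext HTTP on a dedicated inspection VLAN (10.10.20.0/24 here).
# Only the proxy and the web servers should be reachable on this segment,
# since everything on it is now readable by anyone who can see the wire.
backend www_plain
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.10.20.11:80 check
    server web2 10.10.20.12:80 check
```

The NIDS attaches to a span or tap port on the 10.10.20.0/24 segment; it never needs the certificate, which is the point Jason makes against the "certificate-sharing nightmare" objection in the snippet he quotes.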