Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Fri, 22 Mar 2002 08:45:44 -0000
Ditto, for Cisco CSS 11000's. They'll give you multi-site loadbalancing too...

Dom

|-----Original Message-----
|From: Jason Lewis [mailto:jlewis () packetnexus com]
|Sent: Thursday, March 21, 2002 8:17 PM
|To: 'Oliver Petruzel'; 'zeno'; vuln-dev () securityfocus com; bugtraq () securityfocus com; webappsec () securityfocus com; focus-ids () securityfocus com
|Subject: RE: IDS and SSL
|
|
|C'mon Ollie, I am doing this now. Instead of buying encryption cards for all my webservers, we threw a couple of Alteon iSD SSL accelerators onto our Alteon switches.
|
|http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html
|
|These offload encryption and allow me to drop a NIDS next to the webservers, where all the traffic is un-encrypted. I already had the Alteon infrastructure, and the iSD's won't work without them so YMMV.
|
|Granted, eventually we will see congestion, but the scalability of the SSL accelerators and the Alteons will make that a long range problem. I think the iSD's can scale to 256 with the Alteon's distributing the load. Not to mention I save my webserver processing power for serving pages not encryption....different discussion though.
|
|Good network design will avoid those traffic problems. If I have that much traffic into one datacenter, it is time to go global.
|
|Now, that isn't an excuse for NIDS. I like HIDS for the drill down on each box. I think the two can co-exist. I like seeing what is on the wire, not just what made it to each server.
|
|Jason Lewis
|http://www.packetnexus.com
|It's not secure "Because they told me it was secure".
|The people at the other end of the link know less
|about security than you do. And that's scary.
|
|
|//snip
|Nothing short of a big road-block could monitor encrypted traffic prior to a host; it's just not logically possible to examine the encrypted traffic without a big roadblock and certificate-sharing nightmare.. that is, on the wire at least... with the exception of placing an IDS -ON- a VPN...and that still won't help with SSL specifically, and that would require SICK amounts of RAM/power to be anything close to efficient... SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations...
|//snip
|
|
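The placement argument in the thread (a NIDS in front of the SSL accelerator sees only TLS records; one on the segment behind it sees the decrypted HTTP and can match content signatures) can be checked with a small classifier. The following is an added example, not code from the original post or from any of the products named; the TLS record header layout it parses is the standard one, the "traversal" signature is a toy stand-in for a real NIDS rule, and all sample payloads are constructed inline.

```python
# Added example (not part of the mailing-list post): classify the first bytes
# of a captured TCP payload as TLS or cleartext HTTP, and show that a simple
# NIDS content signature fires only on the cleartext side of an
# SSL-offloading accelerator.  All sample payloads below are constructed.

import re

# TLS record content types (RFC 2246 / RFC 5246).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(data: bytes) -> dict:
    """Describe what the first bytes of a TCP payload look like.

    A TLS record starts with a one-byte content type (20-23), a two-byte
    protocol version (major 3, minor 0-4) and a two-byte record length.
    Cleartext HTTP starts with a request-line method.  Anything else is
    reported as 'unknown'.
    """
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        info = {
            "kind": "tls",
            "content_type": TLS_CONTENT_TYPES[data[0]],
            "version": f"{data[1]}.{data[2]}",
            "record_length": int.from_bytes(data[3:5], "big"),
        }
        # In a handshake record, byte 5 is the handshake message type
        # (1 = ClientHello, 2 = ServerHello, ...).
        if data[0] == 22 and len(data) >= 6:
            info["handshake_type"] = data[5]
        return info
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0]
        return {"kind": "http",
                "request_line": request_line.decode("ascii", "replace")}
    return {"kind": "unknown"}


# Toy NIDS content signature (hypothetical; real rules carry far more context).
TRAVERSAL_SIGNATURE = re.compile(rb"\.\./")


def signature_matches(data: bytes) -> bool:
    """Does the payload, as seen on the wire at this tap, contain the pattern?"""
    return TRAVERSAL_SIGNATURE.search(data) is not None


def inspection_report(tap_name: str, payloads: list) -> dict:
    """Summarise what a NIDS tapping a given segment sees and how often it alerts."""
    return {
        "tap": tap_name,
        "classes": [classify_payload(p)["kind"] for p in payloads],
        "alerts": sum(1 for p in payloads if signature_matches(p)),
    }


# Constructed samples.
# 1. In front of the accelerator: a TLS 1.0 handshake record carrying a
#    ClientHello (the bytes after the header are filler, not a real hello).
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 41
# 2. In front of the accelerator: an application-data record; the HTTP
#    request is inside it, but encrypted, so nothing is matchable.
TLS_APP_DATA = bytes([0x17, 0x03, 0x01, 0x00, 0x20]) + bytes(range(32))
# 3. Behind the accelerator: the same request after decryption.
CLEARTEXT_REQUEST = (b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
                     b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    print(inspection_report("in front of accelerator", [TLS_CLIENT_HELLO, TLS_APP_DATA]))
    print(inspection_report("behind accelerator", [CLEARTEXT_REQUEST]))
```

Running the block prints zero alerts for the tap in front of the accelerator and one for the tap behind it. The same classifier is also a cheap sanity check when you deploy this design: if the sensor on the "decrypted" segment keeps reporting `tls` rather than `http`, the tap is on the wrong side of the accelerator.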
Current thread:
- Re: IDS and SSL Gabriel Lawrence (Mar 20)
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- Re: IDS and SSL pgiacomi (Mar 21)
- Re: IDS and SSL Thor (Mar 21)
- <Possible follow-ups>
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- RE: IDS and SSL Jason Lewis (Mar 21)
- RE: IDS and SSL Dom De Vitto (Mar 22)
- Re: IDS and SSL Jon (Mar 23)
- RE: IDS and SSL Bojan Zdrnja (Mar 24)
- RE: IDS and SSL Dom De Vitto (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 21)
- Re: IDS and SSL Florian Weimer (Mar 25)