Vulnerability Development mailing list archives
Re: IDS and SSL
From: "Jon" <vandivee () midsouth rr com>
Date: Fri, 22 Mar 2002 22:47:15 -0600
Cisco has a new CSS/SSL product 30-90 days out, whereby the SSL card will be insertable to the CSS chassis. Looks pretty cool.....

Jon

----- Original Message -----
From: "Dom De Vitto" <Dom () DeVitto com>
To: <jlewis () packetnexus com>; "'Oliver Petruzel'" <opetruzel () cox rr com>; "'zeno'" <bugtraq () cgisecurity net>; <vuln-dev () securityfocus com>; <bugtraq () securityfocus com>; <webappsec () securityfocus com>; <focus-ids () securityfocus com>
Sent: Friday, March 22, 2002 2:45 AM
Subject: RE: IDS and SSL

Ditto, for Cisco CSS 11000's.
They'll give you multi-site load balancing too...

Dom

|-----Original Message-----
|From: Jason Lewis [mailto:jlewis () packetnexus com]
|Sent: Thursday, March 21, 2002 8:17 PM
|To: 'Oliver Petruzel'; 'zeno'; vuln-dev () securityfocus com;
|bugtraq () securityfocus com; webappsec () securityfocus com;
|focus-ids () securityfocus com
|Subject: RE: IDS and SSL
|
|
|C'mon Ollie, I am doing this now. Instead of buying
|encryption cards for all my webservers, we threw a couple of
|Alteon iSD SSL accelerators onto our Alteon switches.
|
|http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html
|
|These offload encryption and allow me to drop a NIDS next to
|the webservers, where all the traffic is un-encrypted. I
|already had the Alteon infrastructure, and the iSD's won't
|work without them so YMMV.
|
|Granted, eventually we will see congestion, but the
|scalability of the SSL accelerators and the Alteons will make
|that a long range problem. I think the iSD's can scale to 256
|with the Alteon's distributing the load. Not to mention I
|save my webserver processing power for serving pages not
|encryption....different discussion though.
|
|Good network design will avoid those traffic problems. If I
|have that much traffic into one datacenter, it is time to go global.
|
|Now, that isn't an excuse for NIDS. I like HIDS for the
|drill down on each box. I think the two can co-exist. I
|like seeing what is on the wire, not just what made it to each server.
|
|Jason Lewis
|http://www.packetnexus.com
|It's not secure "Because they told me it was secure".
|The people at the other end of the link know less
|about security than you do. And that's scary.
|
|
|//snip
|Nothing short of a big road-block could monitor encrypted
|traffic prior to a host; it's just not logically possible to
|examine the encrypted traffic without a big roadblock and
|certificate-sharing nightmare.. that is, on the wire
|at least... with the exception of placing an IDS -ON- a
|VPN...and that still won't help with SSL specifically, and
|that would require SICK amounts of RAM/power to be anything
|close to efficient... SSL PROXY/IDS system? No way... same
|speed/RAM/bandwidth limitations... //snip
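The design Jason and Dom describe, terminating SSL on an accelerator in front of the web servers and tapping the cleartext segment behind it, as an added example with HAProxy standing in for the Alteon iSD / Cisco CSS hardware (this is not configuration from anyone on the thread; the certificate path, the 10.0.1.0/24 backend segment and the server addresses are assumed):

```haproxy
# Added example: TLS terminates at this proxy, so a NIDS tapped on the
# backend segment (10.0.1.0/24, assumed) sees cleartext HTTP, while a
# NIDS on the client side sees only TLS records.
global
    log /dev/log local0
    # Certificates are loaded at startup, before privileges are dropped.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Client-facing side: encrypted. Signature matching here is blind.
    bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem   # path assumed
    # Keep the real client address for HIDS and web-server logs behind
    # the terminator; otherwise every request appears to come from the proxy.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend web_pool

backend web_pool
    # Proxy-to-webserver side: cleartext HTTP on a dedicated segment.
    # Span/tap this VLAN for the NIDS; nothing else should be attached to it.
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.1.11:80 check
    server web2 10.0.1.12:80 check
```

The cleartext hop is the trade-off of this design: it has to be a dedicated, physically or VLAN-isolated segment, because anything able to sniff it sees exactly what the SSL session protected on the outside.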
Current thread:
- Re: IDS and SSL Gabriel Lawrence (Mar 20)
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- Re: IDS and SSL pgiacomi (Mar 21)
- Re: IDS and SSL Thor (Mar 21)
- <Possible follow-ups>
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- RE: IDS and SSL Jason Lewis (Mar 21)
- RE: IDS and SSL Dom De Vitto (Mar 22)
- Re: IDS and SSL Jon (Mar 23)
- RE: IDS and SSL Bojan Zdrnja (Mar 24)
- RE: IDS and SSL Dom De Vitto (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 21)
- Re: IDS and SSL Florian Weimer (Mar 25)