WebApp Sec mailing list archives

Re: key storage


From: Frank Knobbe <frank () knobbe us>
Date: Sat, 04 Sep 2004 16:26:28 -0500

On Sat, 2004-09-04 at 16:14, George Capehart wrote:
> If the load balancers and the Web server(s) use IPSec among themselves,
> that would solve the problem, wouldn't it?

Heya George,

yeah, but have you seen this implemented somewhere? I haven't, and I
doubt you'll find that deployed often. Instead I see LBs terminating and
connecting to the web server farm in clear HTTP for intrusion detection
purposes.

Perhaps the best solution would be three-tiered:

--HTTPS-->[LB]--HTTP-(monitored by IDS)-->[SSLproxy]--HTTPS-->[SERVER]

That just adds complexity, configuration mistakes, and devices that
could fail, but at least adds security by terminating data encrypted on
the web server while still having the public facing SSL certificate
isolated _and_ still being able to sniff the traffic with an IDS.

But SSL or IPSec, we again have the problem of key storage on the
server. :)   Can't have the cake and eat it too.... (but perhaps a
picture of the cake will do... nah, never mind ;)

Cheers,
Frank
