Firewall Wizards mailing list archives
RE: Using SSL accelerators in firewalls
From: "Ian Peters" <ian () ianpeters net>
Date: Wed, 17 Jul 2002 15:40:15 +0100
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul Robertson
> Sent: 17 July 2002 14:47
>
> On Wed, 17 Jul 2002, Darren Reed wrote:
>
> > There would seem to be a growing trend in using SSL accelerators not next to
> > the web server but attached to a firewall so that it isn't https traffic
> > that passes through but http. To me this screams out "bad design" as the
> > end-to-end encryption is lost in the process and the security of
> > transactions eroded.
>
> End-to-end encryption is both a good and a bad thing...
>
> > What do others think? Is this becoming a "done thing" that is more and
> > more acceptable to corporates or is this just an isolated thing?
>
> It's definitely becoming a "done thing," sometimes for performance, and
> other times for "increased security" - that is, being able to do NIDS on
> the decrypted data stream. I'm not sure that there's all that much
> delineation between the amount of trust necessary to go to the border of a
> company and the amount of trust of doing SSL directly to an IIS box.
As an aside, there is a method for NIDS to inspect SSL traffic, but it is limited and relatively (in NIDS terms) processor expensive. Namely, _if_ the SSL key exchange is being performed courtesy of RSA, and _if_ the NIDS is given the private key of the server's public/private key pair, then the NIDS can follow the transaction, tracking state, decode the premaster secret as it goes past, and compute the master secret accordingly. This isn't (I think) too hard to do in a passably okay manner, by basically hacking ssldump. The decoded traffic can then be tested as would normal traffic, and additionally tests could be made on the SSL handshaking etc.

I'm working on this for my own NIDS, and may also do it for snort (when time allows). The performance hit is potentially huge though, due to the overhead in the actual decryption, and the complexity of the connection tracking required (a great deal more complex than simple TCP tracking, and look how long that took to arrive!). It must also be considered whether a NIDS is trusted enough for it to have a copy of the key material.

Out of interest - does anyone have any idea what proportion of SSL key exchanges are basic RSA, and what are Diffie-Hellman?

Just a thought,

Ian
ian () ianpeters net

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
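The passive-decryption technique Ian describes above, worked through as an added example that is not part of the original post or of any ssldump/snort code: a sniffer holding the server's RSA private key takes the ClientKeyExchange ciphertext off the wire, recovers the 48-byte premaster secret, and runs the TLS 1.0 PRF (RFC 2246, P_MD5 XOR P_SHA-1) over it with the ClientHello and ServerHello randoms to obtain the same master secret the endpoints derive. The RSA key pair here is a toy textbook implementation generated in-process (an assumption made so the example runs offline with only the standard library; a real deployment would load the server's actual PKCS#1 key), the randoms and premaster are constructed, and the record-layer key expansion and cipher state are left out. Note what the example cannot do: if the handshake used a Diffie-Hellman key exchange, no premaster secret ever crosses the wire and the private key does not help.

```python
"""Passive recovery of a TLS 1.0 master secret from an RSA key exchange
by a sniffer that holds the server's private key.  Added example with a
toy RSA key pair; everything here is constructed for illustration."""
import hashlib
import hmac
import os
import random

# ---- toy RSA: textbook keygen plus PKCS#1 v1.5 type-2 padding (assumption) ----
def _is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)).  Small toy key so the demo runs quickly."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt_pkcs1(pub, msg):
    """EM = 0x00 || 0x02 || non-zero PS || 0x00 || M, then m^e mod n."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    ps = bytes(random.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def rsa_decrypt_pkcs1(priv, ct):
    """Undo the padding; this is the step the sniffer performs with the server key."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 type-2 padding")
    return em[em.index(b"\x00", 2) + 1:]

# ---- TLS 1.0 PRF (RFC 2246 section 5) and master secret derivation ----
def _p_hash(hash_name, secret, seed, out_len):
    """P_hash: HMAC(secret, A(i) || seed) chained via A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]

def tls10_prf(secret, label, seed, out_len):
    """PRF = P_MD5(S1, label||seed) XOR P_SHA-1(S2, label||seed); halves may overlap."""
    half = (len(secret) + 1) // 2
    p_md5 = _p_hash("md5", secret[:half], label + seed, out_len)
    p_sha = _p_hash("sha1", secret[-half:], label + seed, out_len)
    return bytes(x ^ y for x, y in zip(p_md5, p_sha))

def master_secret(premaster, client_random, server_random):
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)

# ---- the two sides of the exchange ----
def client_key_exchange(server_pub, client_version=b"\x03\x01"):
    """Client picks version || 46 random bytes and encrypts it to the server key."""
    premaster = client_version + os.urandom(46)
    return premaster, rsa_encrypt_pkcs1(server_pub, premaster)

def sniffer_recover_master(server_priv, client_random, server_random, cke_ciphertext):
    """What a NIDS holding the private key does with the captured ClientKeyExchange."""
    premaster = rsa_decrypt_pkcs1(server_priv, cke_ciphertext)
    if len(premaster) != 48:
        raise ValueError("premaster secret must be 48 bytes")
    return master_secret(premaster, client_random, server_random)

def demo():
    pub, priv = rsa_keygen(1024)                       # toy server key (constructed)
    client_random, server_random = os.urandom(32), os.urandom(32)  # hello randoms
    premaster, cke = client_key_exchange(pub)          # seen on the wire: only cke
    ms_endpoints = master_secret(premaster, client_random, server_random)
    ms_sniffer = sniffer_recover_master(priv, client_random, server_random, cke)
    return ms_endpoints == ms_sniffer, ms_sniffer

if __name__ == "__main__":
    matched, ms = demo()
    print("sniffer recovered the master secret:", matched, ms.hex())
```

The sniffer needs the three values the handshake exposes in the clear (both randoms and the ClientKeyExchange body) plus the one it must be entrusted with (the private key), which is exactly the trust question raised in the post; the key-expansion step that turns the master secret into record keys is the same PRF with the label "key expansion" and the randoms in the opposite order.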
Current thread:
- Using SSL accelerators in firewalls Darren Reed (Jul 17)
- Re: Using SSL accelerators in firewalls David Pick (Jul 17)
- Re: Using SSL accelerators in firewalls Darren Reed (Jul 17)
- Re: Using SSL accelerators in firewalls Carson Gaspar (Jul 22)
- Re: Using SSL accelerators in firewalls Ryan McBride (Jul 17)
- Re: Using SSL accelerators in firewalls Scott Walker Register (Jul 17)
- Re: Using SSL accelerators in firewalls Paul Robertson (Jul 17)
- RE: Using SSL accelerators in firewalls Ian Peters (Jul 17)
- Re: Using SSL accelerators in firewalls Fabio Pietrosanti (naif) (Jul 17)
- Re: Using SSL accelerators in firewalls Ryan Russell (Jul 17)
- <Possible follow-ups>
- Re: Using SSL accelerators in firewalls miha (Jul 17)
- RE: Using SSL accelerators in firewalls Dawes, Rogan (ZA - Johannesburg) (Jul 17)
- RE: Using SSL accelerators in firewalls Dawes, Rogan (ZA - Johannesburg) (Jul 17)
- RE: Using SSL accelerators in firewalls Dawes, Rogan (ZA - Johannesburg) (Jul 17)
- Re: Using SSL accelerators in firewalls Dana Nowell (Jul 17)