Firewall Wizards mailing list archives

Re: Using SSL accelerators in firewalls


From: "Fabio Pietrosanti (naif)" <naif () blackhats it>
Date: Wed, 17 Jul 2002 16:43:54 +0200

On Wed, Jul 17, 2002 at 02:18:33PM +1000, Darren Reed wrote:
> There would seem to be a growing trend in using SSL accelerators not
> next to the web server but attached to a firewall so that it isn't
> https traffic that passes through but http.
>
> To me this screams out "bad design" as the end-to-end encryption is
> lost in the process and the security of transactions eroded.
>
> What do others think?  Is this becoming a "done thing" that is more
> and more acceptable to corporates or is this just an isolated thing?

The fact is that modern firewalls need to implement as many features as possible
to survive in this market, and with an SSL accelerator they can:

- Say that the performance of their webserver behind their firewall will increase!!!

- Implement content filtering on https connections

- Implement various ways of authentication through client-side certificates,
  login and password, etc., etc. on https connections ( Woah!! ) :)

- Use Network Intrusion Detection also on https connections!!! ( you sniff the
  connection in clear behind the firewall )

So I think that it's much more a "marketing" reason than a technical reason.

Think... how big is the SSL accelerator market? Very small, so why not
integrate it with the firewall that will always exist in an infrastructure with
an SSL accelerator!

-- 

Fabio Pietrosanti ( naif )
E-mail: naif () blackhats it - naif () sikurezza org
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
 "Hacking is the future of security research" R.Power, CSI 
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS