Firewall Wizards mailing list archives

Re: Using SSL accelerators in firewalls


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 17 Jul 2002 14:12:02 -0400

OK, so I take it you either don't do online banking or you believe that
your account database is hosted on the web server? :-).  If the DB is not
hosted on the web server, then how much privacy / data security did that
end-to-end browser to web server SSL socket REALLY provide?  (Of course, if
it IS hosted on the web server, run, do not walk, to a new bank. ;-)

Seriously, just because the SSL tunnel ends at the firewall does NOT make
it less secure than other implementations in the field.  You really have to
look at the overall picture.  Take two banks, one uses SSL to the web
server and naked database I/O.  The other uses SSL to the firewall, places
a firewall interface, the web server, and the DB engine on a different
physical segment than all other hosts, encrypts (hardware VPN to allow
IDS?) the links between the firewall and the web server and encrypts the
link between the web server and the database.  Are you REALLY telling me
that the SSL connection to the web server with naked DB I/O is more secure
in your opinion?

Taking one piece of a system out of context and making overall system level
ASSUMPTIONS about global security is not terribly productive.  Note that
assumption is derived from assume and, as you probably well know, there is
the obvious non-dictionary definition of 'to assume' :-).


On Wed, 17 Jul 2002 22:55:45 +1000 (EST) Darren Reed opined:
In some email I received from Darren Reed, sie wrote:

There would seem to be a growing trend in using SSL accelerators not
next to the web server but attached to a firewall so that it isn't
https traffic that passes through but http.

Let me ask this question another way.

If your bank was using one of these SSL accelerators and it was not
directly attached to the web server, but the "far side" of something
else so they could screen traffic and then pass your data through
some number of other things, unencrypted, would you use that bank's
Internet Banking service which used SSL encryption?

If you had a choice between that and one which did the SSL encryption
on (or next to) the web server (let's assume all other security measures
are equal), which one would you choose, if you had the chance?

Darren


Dana Nowell     Cornerstone Software Inc.
Voice: (603) 595-7480 Fax: (603) 882-7313
mailto:DanaNowell () CornerstoneSoftware com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
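Editor's note, added to this archive page and not part of Dana's or Darren's messages: the second bank's design above hinges on the hop between the TLS-terminating edge and the web server being encrypted rather than "naked". The configuration below, in the nginx dialect, shows both hops side by side: the plaintext forward Darren objects to and the re-encrypted, certificate-verified hop Dana describes. nginx stands in for the accelerator/firewall; every hostname, address, port and certificate path is an assumption.

```nginx
# Added example, not from the original thread. Hostnames, addresses, ports and
# certificate paths are assumptions.
# Edge device (stand-in for the SSL accelerator on the firewall): terminates the
# browser's TLS session, so traffic can be inspected here, then re-encrypts the hop
# to the web server on the isolated segment.

server {
    listen 443 ssl;
    server_name bank.example.com;                               # assumption

    ssl_certificate     /etc/nginx/certs/bank.example.com.crt;  # assumption
    ssl_certificate_key /etc/nginx/certs/bank.example.com.key;  # assumption
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Variant 1: the hop Darren objects to. TLS ends at the edge and the request
    # continues to the web server as plaintext HTTP; anything on that segment
    # (or a compromised host on it) can read or modify it.
    location /plain/ {
        proxy_pass http://10.1.2.10:80;      # assumption: web server on the DMZ segment
    }

    # Variant 2: Dana's "encrypted link between the firewall and the web server".
    # A new TLS session is opened to the web server and its certificate is checked
    # against a private CA, so a host that lands on the segment cannot simply
    # impersonate the web server or sniff the traffic.
    location / {
        proxy_pass https://10.1.2.10:443;    # assumption
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                 # without this the hop is encrypted but unauthenticated
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;  # assumption: private CA
        proxy_ssl_name web1.dmz.internal;    # assumption: name on the web server's certificate
        proxy_ssl_server_name on;
        # Mutual TLS so the web server can in turn accept only the edge as a client.
        proxy_ssl_certificate     /etc/nginx/certs/edge-client.crt;      # assumption
        proxy_ssl_certificate_key /etc/nginx/certs/edge-client.key;      # assumption
    }
}
```

The check a practitioner would want is `proxy_ssl_verify on` together with a pinned CA and `proxy_ssl_name`: `proxy_pass https://...` alone only encrypts the hop, it does not tell the edge which server it is talking to. The caveat that remains, and that both posters are really arguing about, is that the edge now holds the plaintext, so the trust boundary moves from the web server to whatever device terminates TLS and everything that can reach it. The equivalent decision for the web-server-to-database link (TLS with server verification on the DB connection) is the same trade-off one hop further in.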
