Firewall Wizards mailing list archives
Re: Using SSL accelerators in firewalls
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 17 Jul 2002 14:12:02 -0400
OK, so I take it you either don't do online banking or you believe that your account database is hosted on the web server? :-). If the DB is not hosted on the web server, then how much privacy / data security did that end-to-end browser to web server SSL socket REALLY provide? (Of course, if it IS hosted on the web server, run do not walk to a new bank. ;-)

Seriously, just because the SSL tunnel ends at the firewall does NOT make it less secure than other implementations in the field. You really have to look at the overall picture.

Take two banks, one uses SSL to the web server and naked database I/O. The other uses SSL to the firewall, places a firewall interface, the web server, and the DB engine on a different physical segment than all other hosts, encrypts (hardware VPN to allow IDS?) the links between the firewall and the web server and encrypts the link between the web server and the database. Are you REALLY telling me that the SSL connection to the web server with naked DB I/O is more secure in your opinion?

Taking one piece of a system out of context and making overall system level ASSUMPTIONS about global security is not terribly productive. Note that assumption is derived from assume and as you probably well know, there is the obvious non dictionary definition of 'to assume' :-).

On Wed, 17 Jul 2002 22:55:45 +1000 (EST) Darren Reed opined:

In some email I received from Darren Reed, sie wrote:
There would seem to be a growing trend in using SSL accelerators not next to the web server but attached to a firewall so that it isn't https traffic that passes through but http.

Let me ask this question another way.

If your bank was using one of these SSL accelerators and it was not directly attached to the web server, but the "far side" of something else so they could screen traffic and then pass your data through some number of other things, unencrypted, would you use that bank's Internet Banking service which used SSL encryption?

If you had a choice between that and one which did the SSL encryption on (or next to) the web server (let's assume all other security measures are equal), which one would you choose, if you had the chance?

Darren

Dana Nowell
Cornerstone Software Inc.
Voice: (603) 595-7480
Fax: (603) 882-7313
mailto:DanaNowell () CornerstoneSoftware com