Snort mailing list archives

Re: Snorting SSL


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 08 Jul 2003 16:21:58 +1200

Hutchinson, Andrew wrote:
I may be wrong, but the only good way that I know of to do this is to
use an SSL Accelerator, and run your IDS behind it.  This can often be
combined with a web server load balancing solution, from folks like
Radware or F5.  The accelerator terminates the SSL sessions and then
dispatches the session to one of the servers in the farm.  Radware
allows you to plug your IDS right into the accelerator/load balancer.  I
don't know too much about F5.

It's not as bad as that..

You need to redefine "SSL accelerators" - it also includes any form of Reverse proxy. So set up Apache + mod_ssl/mod_proxy or Microsoft ISA server and you're away laughing. Your users talk HTTPS to the frontend, and your IDS sees all the unencrypted traffic heading back to the backend servers.

It works well, and doesn't cost much at all :-)

Oh yeah - and if you've got <10Mbs Internet links, the performance is fine too. A couple of years ago I benchmarked an Apache 1.3.?? server on an AMD 1200 Linux reverse proxy pushing ~6Mbs HTTPS traffic at about 10% CPU load - that was without SSL session caching (which really affects throughput). In reality, you need a big pipe to justify Big Iron.


Jason Haar
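The setup Jason describes (Apache + mod_ssl/mod_proxy terminating HTTPS in front of the real web servers, with the IDS watching the plaintext leg) looks like this as an added example; it is not from the original post and not the configuration Jason benchmarked. It assumes Apache httpd 2.4 rather than the 1.3 series mentioned, and the hostname, certificate paths and the backend address 10.0.1.10 are placeholders:

```apache
# Added example (not from the original post): Apache httpd 2.4 reverse proxy
# that terminates HTTPS and forwards plaintext HTTP to a backend, so an IDS
# sensor on the proxy-to-backend segment sees the decrypted requests.
# Hostnames, paths and the backend address are placeholders.
Listen 443
LoadModule ssl_module          modules/mod_ssl.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule headers_module      modules/mod_headers.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# SSL session cache: the post notes that throughput drops without it,
# because every new connection would otherwise do a full handshake.
SSLSessionCache        "shmcb:/var/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing side: HTTPS terminates here.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Backend side: decrypted requests go out as plain HTTP.
    # 10.0.1.10 is a placeholder; the IDS taps the segment carrying this traffic.
    ProxyRequests    Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://10.0.1.10:80/"
    ProxyPassReverse "/" "http://10.0.1.10:80/"

    # Let the backend (and analysts reading its logs) know the original
    # scheme; mod_proxy_http adds X-Forwarded-For with the client IP itself.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The proxy-to-backend link now carries plaintext, so it belongs on a dedicated segment reachable only by the proxy, the backend servers and the IDS sensor's tap or span port; that isolation is what keeps the decrypted traffic from being exposed beyond the place the IDS needs to see it.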


