Snort mailing list archives
Re: Snorting SSL
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 08 Jul 2003 16:21:58 +1200
Hutchinson, Andrew wrote:
I may be wrong, but the only good way that I know of to do this is to use an SSL Accelerator, and run your ISD behind it. This can often be combined with a we server load balancing solution, from folks like Radware or F5. The accelerator terminates the SSL sessions and then dispatches the session of one of the servers in the farm. Radware allows you to plug your IDS right into the accelerator/load balancer. I don't know too much about F5.
It's not as bad as that..You need to redefine "SSL accelerators" - it also includes any form of Reverse proxy. So set up Apache + mod_ssl/mod_proxy or Microsoft ISA server and you're away laughing. Your users talk HTTPS to the frontend, and your IDS sees all the unencrypted traffic heading back to the backend servers.
It works well, and doesn't cost much at all :-)Oh yeah - and if you've got <10Mbs Internet links, the performance is fine too. A couple of years ago I benchmarked an Apache 1.3.?? server on an AMD 1200 Linux reverse proxy pushing ~6Mbs HTTPS traffic at about 10% CPU load - that was without SSL session caching (which really affects throughput). In reality, you need a big pipe to justify Big Iron.
Jason Haar ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snorting SSL mjm (Jul 07)
- Re: Snorting SSL Derya Sezen (Jul 07)
- <Possible follow-ups>
- RE: Snorting SSL Hutchinson, Andrew (Jul 07)
- Re: Snorting SSL Jason Haar (Jul 07)
- RE: Snorting SSL James R. Hendrick (Jul 07)
- Re: Snorting SSL Ryan Johnson (Jul 07)