Vulnerability Development mailing list archives

Re: SSL & IDS


From: "Benjamin P. Grubin" <bgrubin () guardent com>
Date: Tue, 5 Sep 2000 15:23:33 -0400

This risk is quite easy to mitigate by having the unencrypted traffic behind
the reverse proxy flow through an isolated physical network containing only
the IDS and the webserver.  I don't think anyone recommended having it flow
in the clear over a shared internal network.  If the job is inside enough
that they have privileges on the web server itself, this entire point is
moot anyhow.

This tactic, combined with a secure out of band management and reporting
network for the NIDS and/or HIDS/log analysis tools provides plenty of
physical and logical isolation to obviate the issue of terminating SSL just
before the web server.  It also has huge upsides, as mentioned by other
people on the list, in traffic management.  The ability to offload the SSL,
session management, and load balancing from the web server to dedicated
hardware has tremendous advantages in scalability and network design, not to
mention freeing up the previously encrypted channel to all forms of traffic
monitoring and intrusion detection capabilities.

Cheers,
Ben

--------------------------------------------------
Benjamin P. Grubin            bgrubin () guardent com
Guardent, Inc.             http://www.guardent.com

"The world isn't run by weapons anymore, or energy, or money.  It's run by
little ones and zeros, little bits of data.. it's all just electrons."


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Ng Pheng Siong
Sent: Saturday, September 02, 2000 4:49 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: SSL & IDS


On Fri, Sep 01, 2000 at 09:36:34AM +0200, Mikael Olsson wrote:
You'll likely have to terminate the SSL connection on a reverse proxy
machine in front of the web server and do your IDS sniffing after that
reverse proxy.

This seems a popular suggestion.

Given the usual statistic that 80% (or 90% or whatever) of
security compromises are internal jobs, deliberately terminating
your SSL early and then having your app talk in the clear over
your internal network is more dangerous than it is useful, IMHO.

Cheers.
--
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

