Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Sun, 24 Mar 2002 14:17:10 +0100
> -----Original Message-----
> From: Jason Lewis [mailto:jlewis () packetnexus com]
> Sent: 21 March 2002 21:17
> To: 'Oliver Petruzel'; 'zeno'; vuln-dev () securityfocus com; bugtraq () securityfocus com; webappsec () securityfocus com; focus-ids () securityfocus com
> Subject: RE: IDS and SSL
>
> These offload encryption and allow me to drop a NIDS next to the webservers, where all the traffic is un-encrypted. I already had the Alteon infrastructure, and the iSD's won't work without them so YMMV.
But aren't you doing the wrong thing here? If you ask me, you're creating a weak point in the encryption chain. If someone, hypothetically speaking, gets control of that Alteon (I'm not familiar with that device though), or of any point behind it (between that box and your web server), they can normally sniff all the traffic because, as you said, it's un-encrypted. I think the encryption chain should be from the web server point to the client point in this matter. I know you have other benefits like acceleration, but I think you are losing a bit on security here.

Just my 2 cents,

Best regards,
Bojan Zdrnja
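To make the trade-off discussed in this thread concrete, here is an added configuration example (not from the original posts, and not the Alteon/iSD setup Jason describes) using HAProxy as a stand-in for the SSL offloader. The backend names, addresses and certificate paths are assumptions. The first backend is the plaintext segment behind the terminator that a NIDS can watch and that Bojan objects to; the second re-encrypts toward the web server and verifies its certificate against an internal CA, so there is no cleartext on the wire behind the offloader.

```haproxy
# Assumed example config; hostnames, addresses and file paths are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Client-facing side: TLS is terminated here.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    # Route only the hosts that must stay encrypted end-to-end to the
    # re-encrypting backend; everything else goes to the plaintext segment.
    acl sensitive hdr(host) -i secure.example.internal
    use_backend web_reencrypt if sensitive
    default_backend web_plain

# Offload model from the thread: traffic leaves the terminator in cleartext.
# A NIDS sensor on this segment sees every request, but so does anyone who
# gains a foothold on the terminator or on the network between it and web1.
backend web_plain
    server web1 10.0.1.10:80 check

# Re-encrypting model addressing Bojan's concern: the hop to the web server
# is TLS again, and the server certificate is verified against an internal
# CA so the terminator cannot be pointed at an impostor backend.
backend web_reencrypt
    server web1 10.0.1.10:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

The cost of the second backend is exactly the point of the thread: once the hop to the web server is encrypted again, a sensor sitting passively on that segment is blind, so inspection has to be fed from the terminating device itself (or from the web server) rather than from the wire. If the plaintext segment is kept, it should be a dedicated, physically separate network between the terminator and the servers, with the NIDS sensor being the only other host attached to it.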