Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sun, 24 Mar 2002 17:06:06 -0000
Superficially, yes. However, in reality, where is the most likely place to be broken into? You got it: the web server. So obviously any decryption the webserver process does, asp/php scripts etc. etc. are available, let alone if the webserver should then have access (frequently too much access) to a backend DB.

In practice, the arch is:

[ Firewall ]
[ Load balancer/redirector ] (which can detect faulty servers and does SSL decryption)
[ Web Server farm, possibly spread over many sites. ]
[ Firewall ]
[ Load balancer/redirector ]
[ DB Server farm, possibly spread over many sites. ]
[ Firewall ]
[ Load balancer/redirector ]
[ Corp data DBs, possibly spread over many sites. ]

This architecture allows many different types of load balancing and fault tolerance (DNS 'race', layer 7, 3 or 2 redirection).

It's actually a really complicated thing, this - Cisco can talk for hours on it, trust me.

I think we'll see a single layer2+3+7 switch/firewall/loadbalancer device within 12-18 months, and that will spell the end for what most people call a "firewall" today. It'll also put a nail in the server clustering coffin.

And I think all that's a good thing (TM).

Dom

|From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr]
|> From: Jason Lewis [mailto:jlewis () packetnexus com]
|>
|> These offload encryption and allow me to drop a NIDS next to the
|> webservers, where all the traffic is un-encrypted. I already had the
|> Alteon infrastructure, and the iSD's won't work without them so YMMV.
|
|But aren't you doing a wrong thing here?
|If you ask me, you're creating a weak point in the encryption
|chain. If someone, hypothetically speaking, gets control of
|that Alteon (I'm not familiar with that device though), or of
|any point behind it (between that box and your web server),
|they can normally sniff all the traffic because, as you said,
|it's un-encrypted.
|
|I think the encryption chain should be from the web server
|to the client in this matter. I know you have other benefits
|like acceleration, but I think you are losing a bit on security here.
|
|Just my 2 cents,
|
|Best regards,
|
|Bojan Zdrnja
Current thread:
- Re: IDS and SSL Gabriel Lawrence (Mar 20)
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- Re: IDS and SSL pgiacomi (Mar 21)
- Re: IDS and SSL Thor (Mar 21)
- <Possible follow-ups>
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- RE: IDS and SSL Jason Lewis (Mar 21)
- RE: IDS and SSL Dom De Vitto (Mar 22)
- Re: IDS and SSL Jon (Mar 23)
- RE: IDS and SSL Bojan Zdrnja (Mar 24)
- RE: IDS and SSL Dom De Vitto (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 21)
- Re: IDS and SSL Florian Weimer (Mar 25)