Vulnerability Development mailing list archives

RE: IDS and SSL


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sun, 24 Mar 2002 17:06:06 -0000

Superficially, yes.

However in reality, where is the most likely place to be broken into?

You got it: the web server.
So obviously any decryption the webserver process does, asp/php
script etc. etc. are available, let alone if the webserver should
then have access (frequently too much access) to a backend DB.

In practice, the arch is:
[ Firewall ]
[ Load balancer/redirector ]
(which can detect faulty servers and does SSL decryption)
[ Web Server farm, possibly spread over many sites. ]
[ Firewall ]
[ Load balancer/redirector ]
[ DB Server farm, possibly spread over many sites. ]
[ Firewall ]
[ Load balancer/redirector ]
[ Corp data DBs, possibly spread over many sites. ]

This architecture allows many different types of load balancing
and fault tolerance.
(DNS 'race', layer 7, 3 or 2 redirection)

It's actually a really complicated thing this - Cisco can talk for
hours on it, trust me.

I think we'll see a single layer2+3+7 switch/firewall/loadbalancer
device within 12-18 months, and that will spell the end for what
most people call a "firewall" today.  It'll also put a nail in the
server clustering coffin.

And I think all that's a good thing (TM).

Dom

 |From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr] 
 |> From: Jason Lewis [mailto:jlewis () packetnexus com]
 |>
 |
 |> These offload encryption and allow me to drop a NIDS next to the 
 |> webservers, where all the traffic is un-encrypted.  I 
 |already had the 
 |> Alteon infrastructure, and the iSD's won't work without 
 |them so YMMV.
 |
 |But aren't you doing a wrong thing here ?
 |If you ask me, you're creating a weak point in encryption 
 |chain. If someone hypothetically speaking gets control of 
 |that Alteon (I'm not familiar with that device though), or of 
 |any point behind it (between that box and your web server) 
 |they can normally sniff all the traffic because, as you said, 
 |it's un-encrypted.
 |
 |I think encryption chain should be from web server point to 
 |client point in this matter. I know you have other benefits 
 |like acceleration but I think you are losing a bit on security here.
 |
 |Just my 2 cents,
 |
 |Best regards,
 |
 |Bojan Zdrnja
 |
 |