Firewall Wizards mailing list archives
Re: Using SSL accelerators in firewalls
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 17 Jul 2002 10:27:26 -0600 (MDT)
On Wed, 17 Jul 2002, Darren Reed wrote:
There would seem to be a growing trend in using SSL accelerators not next to the web server but attached to a firewall so that it isn't https traffic that passes through but http. To me this screams out "bad design" as the end-to-end encryption is lost in the process and the security of transactions eroded.
So? Where is the bad guy? If the traffic is still encrypted when it goes past him, then the crypto is still doing its job. The obvious change is that there's now this small length of wire where the traffic isn't encrypted, somewhere on your DMZ. This means that an attacker who has compromised a machine on your DMZ can probably sniff the web traffic. The machine that is most likely to be compromised is your web server, and even if it's not, they can likely sniff the traffic between the web server and the DB anyway, which is more to the point if they are trying to steal stuff you need SSL to protect. I.e. in my opinion, worrying about that short bit of unencrypted traffic is worrying about a smaller problem when there are larger ones to worry about. (I consider a hostile on my DMZ a worse problem than having my traffic sniffed.)
What do others think? Is this becoming a "done thing" that is more and more acceptable to corporates or is this just an isolated thing?
It's probably a done deal for anyone who has a significant amount of SSL traffic to do. It takes the CPU load off the webservers, the SSL box probably includes the HTTP load balancing feature you need anyway, and you get your NIDS functionality back.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
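The exposure argument in Ryan's reply, worked through as an added example that is not part of the original thread: a small Python model of the two designs (TLS terminated on the web server versus on an accelerator at the firewall) that computes which plaintext hops an attacker who owns a given DMZ host could read. The topology, the host names and the assumption that a compromised host can sniff any plaintext hop touching its own segment are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One physical hop of a logical flow between two hosts."""
    flow: str        # name of the logical flow this hop belongs to
    src: str
    dst: str
    encrypted: bool  # True if TLS protects the bytes on this wire


# Constructed topology: the segment each host sits on. The DB is placed on
# the DMZ segment to model Ryan's "they can likely sniff web-to-DB anyway".
SEGMENT = {"client": "internet", "fw": "dmz", "web": "dmz",
           "mail": "dmz", "db": "dmz"}

# Design A: TLS terminated on the web server (end-to-end through the firewall).
END_TO_END = [
    Hop("client-web", "client", "fw", True),
    Hop("client-web", "fw", "web", True),
    Hop("web-db", "web", "db", False),
]

# Design B: TLS terminated by an accelerator attached to the firewall,
# so the firewall-to-webserver hop is plain HTTP.
ACCEL_AT_FW = [
    Hop("client-web", "client", "fw", True),
    Hop("client-web", "fw", "web", False),
    Hop("web-db", "web", "db", False),
]


def sniffable(hops, compromised):
    """Plaintext (src, dst) hops readable by an attacker who owns `compromised`.

    Assumption: a compromised host can sniff any unencrypted hop whose
    endpoint shares its segment (e.g. via a shared or poisoned switch).
    """
    seg = SEGMENT[compromised]
    return {(h.src, h.dst) for h in hops
            if not h.encrypted
            and (SEGMENT[h.src] == seg or SEGMENT[h.dst] == seg)}


def exposure_report(compromised):
    """Compare what the same compromise exposes under each design."""
    return {"end_to_end": sniffable(END_TO_END, compromised),
            "accel_at_fw": sniffable(ACCEL_AT_FW, compromised)}
```

Running `exposure_report("web")` shows the point of the reply: the accelerator design adds the fw-to-web hop, but the web-to-db plaintext is exposed in both designs once anything on the DMZ is owned, while a compromise outside the DMZ exposes nothing in either.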