Vulnerability Development mailing list archives
Re: SSL & IDS
From: "Benjamin P. Grubin" <bgrubin () guardent com>
Date: Tue, 5 Sep 2000 15:23:33 -0400
This risk is quite easy to mitigate by having the unencrypted traffic behind the reverse proxy flow through an isolated physical network containing only the IDS and the webserver. I don't think anyone recommended having it flow in the clear over a shared internal network. If the job is inside enough that they have privileges on the web server itself, this entire point is moot anyhow.

This tactic, combined with a secure out-of-band management and reporting network for the NIDS and/or HIDS/log analysis tools, provides plenty of physical and logical isolation to obviate the issue of terminating SSL just before the web server. It also has huge upsides, as mentioned by other people on the list, in traffic management. The ability to offload the SSL, session management, and load balancing from the web server to dedicated hardware has tremendous advantages in scalability and network design, not to mention freeing up the previously encrypted channel to all forms of traffic monitoring and intrusion detection capabilities.

Cheers,
Ben

--------------------------------------------------
Benjamin P. Grubin
bgrubin () guardent com
Guardent, Inc.
http://www.guardent.com

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data.. it's all just electrons."
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Ng Pheng Siong
Sent: Saturday, September 02, 2000 4:49 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: SSL & IDS

On Fri, Sep 01, 2000 at 09:36:34AM +0200, Mikael Olsson wrote:
> You'll likely have to terminate the SSL connection on a reverse proxy
> machine in front of the web server and do your IDS sniffing after that
> reverse proxy.

This seems a popular suggestion. Given the usual statistic that 80% (or 90% or whatever) of security compromises are internal jobs, deliberately terminating your SSL early and then having your app talk in the clear over your internal network is more dangerous than it is useful, IMHO.

Cheers.
--
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps
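The topology Ben describes (SSL terminated on a reverse proxy, with the cleartext hop confined to a dedicated segment that carries only the proxy, the web server and the IDS sensor) can be expressed as a reverse-proxy configuration. The following nginx fragment is an added example written for this archive page; it is not part of the thread, and every address, hostname and certificate path in it is a constructed placeholder. The commented-out `proxy_pass` line shows the weak variant the thread warns against (backend reachable across the shared internal LAN) next to the corrected one.

```nginx
# Added example, not from the original thread. Addresses, hostnames and
# certificate paths are constructed placeholders.
#
# Public side: 203.0.113.10 is the proxy's Internet-facing address.
# Isolated side: 10.10.10.0/30 is a dedicated segment holding only the proxy
# (.1), the web server (.2) and the IDS sensor on a tap/SPAN port. The IDS
# reports over a separate management interface, not over this segment.

server {
    listen 203.0.113.10:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Weak variant (do not use): backend on the shared corporate LAN, so
        # the now-cleartext traffic crosses a network many insiders can reach.
        # proxy_pass http://192.0.2.50:80;

        # Corrected variant: backend reached only via the isolated segment.
        proxy_pass http://10.10.10.2:80;

        # Pin the proxy's source address to its isolated-segment interface so
        # the cleartext hop cannot be routed out another interface by mistake.
        proxy_bind 10.10.10.1;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Never serve cleartext on the public side: redirect HTTP to HTTPS.
server {
    listen 203.0.113.10:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

On the web server, the companion setting is to bind only to the isolated address (for nginx, `listen 10.10.10.2:80;`) so the cleartext service is unreachable from any other network; the IDS sees the same segment through a tap or mirror port and has no address on it at all. With that in place, Ben's "isolated physical network containing only the IDS and the webserver" holds, and an insider on the shared LAN gains nothing from the SSL having been terminated early.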
Current thread:
- Re: SSL & IDS, (continued)
- Re: SSL & IDS Ed Padin (Sep 01)
- Re: SSL & IDS Inno Eroraha (Sep 01)
- Re: SSL & IDS Blue Boar (Sep 02)
- Re: SSL & IDS Bluefish (P.Magnusson) (Sep 01)
- Re: SSL & IDS Timothy J. Miller (Sep 01)
- Re: SSL & IDS Mikael Olsson (Sep 01)
- Re: SSL & IDS Ng Pheng Siong (Sep 02)
- Re: SSL & IDS Dragos Ruiu (Sep 02)
- Re: SSL & IDS Bluefish (P.Magnusson) (Sep 03)
- Re: SSL & IDS Pluto (Sep 08)
- Re: SSL & IDS Ng Pheng Siong (Sep 02)
- Re: SSL & IDS Benjamin P. Grubin (Sep 05)
- Re: SSL & IDS Ed Padin (Sep 01)
- Re: SSL & IDS J Edgar Hoover (Sep 01)