Vulnerability Development mailing list archives

RE: IDS and SSL


From: "Jason Lewis" <jlewis () packetnexus com>
Date: Thu, 21 Mar 2002 15:17:26 -0500

C'mon Ollie, I am doing this now.  Instead of buying encryption cards for
all my webservers, we threw a couple of Alteon iSD SSL accelerators onto our
Alteon switches.
http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html

These offload encryption and allow me to drop a NIDS next to the webservers,
where all the traffic is un-encrypted.  I already had the Alteon
infrastructure, and the iSDs won't work without them, so YMMV.

Granted, eventually we will see congestion, but the scalability of the SSL
accelerators and the Alteons will make that a long-range problem.  I think
the iSDs can scale to 256 with the Alteons distributing the load.  Not to
mention I save my webserver processing power for serving pages, not
encryption... different discussion though.

Good network design will avoid those traffic problems.  If I have that much
traffic into one datacenter, it is time to go global.

Now, that isn't an excuse for NIDS.  I like HIDS for the drill down on each
box.  I think the two can co-exist.  I like seeing what is on the wire, not
just what made it to each server.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.


//snip
Nothing short of a big road-block could monitor encrypted traffic prior
to a host;  it's just not logically possible to examine the encrypted
traffic without a big roadblock and certificate-sharing nightmare.. that
is, on the wire at least... with the exception of placing an IDS -ON- a
VPN...and that still won't help with SSL specifically, and that would
require SICK amounts of RAM/power to be anything close to efficient...
SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations...
//snip