Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Jason Lewis" <jlewis () packetnexus com>
Date: Thu, 21 Mar 2002 15:17:26 -0500
C'mon Ollie, I am doing this now. Instead of buying encryption cards for all my webservers, we threw a couple of Alteon iSD SSL accelerators onto our Alteon switches. http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html

These offload encryption and allow me to drop a NIDS next to the webservers, where all the traffic is un-encrypted. I already had the Alteon infrastructure, and the iSD's won't work without them, so YMMV. Granted, eventually we will see congestion, but the scalability of the SSL accelerators and the Alteons will make that a long range problem. I think the iSD's can scale to 256 with the Alteons distributing the load. Not to mention I save my webserver processing power for serving pages, not encryption... different discussion though.

Good network design will avoid those traffic problems. If I have that much traffic into one datacenter, it is time to go global. Now, that isn't an excuse for NIDS. I like HIDS for the drill down on each box. I think the two can co-exist. I like seeing what is on the wire, not just what made it to each server.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

//snip
Nothing short of a big road-block could monitor encrypted traffic prior to a host; it's just not logically possible to examine the encrypted traffic without a big roadblock and certificate-sharing nightmare.. that is, on the wire at least... with the exception of placing an IDS -ON- a VPN... and that still won't help with SSL specifically, and that would require SICK amounts of RAM/power to be anything close to efficient... SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations...
//snip
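The placement argument in the post, as an added example that is not part of the original thread or any Nortel/Alteon code: a small simulated sensor parses a TLS record header and shows that in front of the SSL terminator only record type, version and length are observable, while the same request on the cleartext segment behind the accelerator can be matched against content signatures. The signature set, the sample request and the stand-in ciphertext are all constructed here.

```python
# Added example (not from the original thread): contrasts what a NIDS sees
# in front of an SSL terminator (opaque TLS records) with what it sees on
# the cleartext segment behind it. All sample bytes are constructed here.
import struct

# Hypothetical signature set; a real NIDS ruleset is far larger.
SIGNATURES = {
    "dir-traversal": b"../",
    "cmd-exec": b"cmd.exe",
}

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def parse_tls_record(seg):
    """Return (content_type_name, (major, minor), body) when seg starts with
    a TLS/SSL3 record header, otherwise None."""
    if len(seg) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", seg[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), seg[5:5 + length]

def inspect(seg):
    """Simulate one NIDS sensor looking at a TCP payload. Returns what could
    be observed and which content signatures matched."""
    rec = parse_tls_record(seg)
    if rec is not None:
        ctype, ver, body = rec
        # Before the accelerator only record metadata is visible; the body
        # is ciphertext, so content signatures cannot match anything.
        return {"visible": f"TLS {ctype} v{ver[0]}.{ver[1]}, "
                           f"{len(body)} opaque bytes", "hits": []}
    hits = [name for name, pat in SIGNATURES.items() if pat in seg]
    return {"visible": f"cleartext {len(seg)} bytes", "hits": hits}

# Constructed sample: one request, as it would sit inside a TLS 1.0
# application_data record (XOR stands in for real encryption) and in clear.
CLEARTEXT_REQUEST = (b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
                     b"Host: www.example.com\r\n\r\n")
CIPHERTEXT = bytes(b ^ 0x5A for b in CLEARTEXT_REQUEST)  # stand-in, not real TLS
TLS_SEGMENT = struct.pack("!BBBH", 23, 3, 1, len(CIPHERTEXT)) + CIPHERTEXT

if __name__ == "__main__":
    print("in front of terminator:", inspect(TLS_SEGMENT))
    print("behind terminator:     ", inspect(CLEARTEXT_REQUEST))
```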