Vulnerability Development mailing list archives

RE: IDS and SSL


From: "Jason Lewis" <jlewis () packetnexus com>
Date: Sun, 24 Mar 2002 17:20:54 -0500

There is a trade-off.  You have to make that decision for yourself.

The cost of putting certificates on all my webservers is high.  The
implementation, the design, the management, the processing power, etc. ... it
all costs in the end.  I have one device (there are actually more, but they
load balance themselves) that holds the certificate and handles the
encryption.  I also have complete control of my datacenter.  No one is
plugging anything in without me knowing about it.  While I guess it is
POSSIBLE for someone to attack my Alteon, it would be extremely difficult.
Without going into detail, network equipment is only accessed via the
console.

The attack would have to be on the server itself.  That would happen if I
was running SSL on the box or on my dedicated hardware.  I just moved the
encryption part off the server and onto a device.  Man in the Middle attacks
aren't possible if you can't get in the middle.

I wouldn't be surprised if a lot of major ecommerce sites did something
similar.  Encryption is expensive, in more ways than money.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.




<snip>
I think the encryption chain should be from web server point to client point in
this matter.
I know you have other benefits like acceleration but I think you are losing
a bit on security here.
</snip>
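For readers who want to see the two designs the thread is arguing about side by side, here is an added example; it is not from this post and is not an Alteon configuration, but uses nginx as a stand-in for the load balancer. The first server block terminates TLS at the edge and forwards plaintext HTTP to the web servers, which is the placement described in the post and gives an IDS sensor on the internal segment cleartext to inspect. The second re-encrypts to the back ends and verifies their certificates, which is what the quoted reply asks for, and leaves a sensor on that segment with only TLS records. Hostnames, addresses and certificate paths are constructed placeholders.

```nginx
# Design 1: TLS terminated on the balancer, plaintext HTTP to the web servers.
# A sensor on the 10.0.0.0/24 segment sees the requests in the clear.
upstream web_plain {
    server 10.0.0.11:80;
    server 10.0.0.12:80;
}

server {
    listen 443 ssl;
    server_name shop.example.com;                              # constructed hostname

    ssl_certificate     /etc/nginx/tls/shop.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/shop.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://web_plain;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $remote_addr;
    }
}

# Design 2: end-to-end encryption. The balancer still holds the public
# certificate, but re-encrypts to the web servers and verifies their
# certificates against an internal CA, so each back end needs its own
# certificate and the internal segment carries only TLS.
upstream web_tls {
    server 10.0.0.11:443;
    server 10.0.0.12:443;
}

server {
    listen 8443 ssl;                       # second port only so both designs fit in one file
    server_name shop.example.com;

    ssl_certificate     /etc/nginx/tls/shop.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/shop.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://web_tls;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;   # placeholder path
        proxy_ssl_name                web.internal.example;             # constructed name on the back-end certs
        proxy_ssl_server_name         on;
        proxy_set_header Host         $host;
    }
}
```

In practice a site runs one of the two, not both. The second block is where the cost the post talks about shows up: every back end needs a certificate and key to manage and CPU to spend on TLS, and an IDS behind the balancer can no longer match on request content. The first block is cheaper and keeps the internal segment inspectable, but it makes the balancer and that segment the places whose physical and administrative access has to be as tightly controlled as the post describes.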
