WebApp Sec mailing list archives

Re: Q: Howto - SSL Tunnel for End-to-End encryption


From: Cyrill Osterwalder <cyrill.osterwalder () seclutions com>
Date: Mon, 28 Apr 2003 09:19:51 +0200


Hello Pong

Terminating the network encryption in front of the application is actually a very good idea for overall security. Of course, you have to be able to control which components can read the plain traffic. But if you have an SSL encrypted connection that passes firewalls, IDSs and proxies and goes directly to the application server, quite a few attacks on the app server are possible that could have been avoided. All your packet filters, content filtering firewalls, IDSs and also your HTTP proxies do not have the capability of verifying protocol, content, user input or anything else if the network connection is encrypted. Our product whitepaper, available at the Seclutions website, also discusses this topic in the context of a Web application security gateway. You might find some parts of it interesting even if you're not interested in a commercial application security gateway solution.

If you do not need more than just a packet filter and the proxy for plain URL mapping reasons, your approach is fine. Today, you normally require a higher level of security checks before the traffic hits your app server. In order to achieve real end-to-end encryption with the additional risks mentioned above, I'd recommend logically merging your SSL terminating Web proxy (Apache) with your application server. That's more or less the only solution if you need to support standard browsers with SSL.

However, the best thing would be to introduce application level encryption so that you can still benefit from protocol and public content verification of other network components and only hide the data that you really need to.

Cyrill

---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer

Seclutions AG, Zurich, Switzerland

PGPKey ID :0xC70E7ACB
PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
PGPKey URL:http://pgpkeys.mit.edu:11371

http://www.seclutions.com

--On Sunday, 27. April 2003 16:53 +0800 "Ip, Ting Pong" <pong () cs ust hk> wrote:

Hi all,

I am now researching the implementation of end-to-end encryption for
the following typical web application architecture.
[Web Client] <-> [Web Server (Apache)] <-> [Application Server (WebLogic)]
<-> [Database Server (Oracle)]

I would like to make an end-to-end encryption from the web client to
application server so that no intermediate nodes could read the
transmitting traffic.

However, I found that the Apache SSL-Proxy module would initiate the SSL
connection from the web server to the Application Server.  Besides, the
SSL connection from web client will terminate on the web server.
Therefore, in either case, the web server can read the transmitting
traffic.  I am thinking that to "rewrite" or "redirect" the web
connection from the web server to the application server but this would
expose the application server to the public.

Other than implementing the end-to-end encryption on the application
level, are there any network architectures that can achieve end-to-end
encryption without bypassing the web server?

Thank you very much.

Pong
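The arrangement discussed in this thread (browser SSL terminated on the Apache proxy so the gateway can inspect the plain traffic, and the proxy-to-WebLogic hop re-encrypted and verified so no other node on the path reads it) as an added Apache httpd configuration example; this is not from either poster and assumes Apache 2.4 with mod_ssl and mod_proxy, and hostnames and certificate paths are placeholders:

```apache
# Added example (hypothetical hosts and paths): SSL termination on the Apache
# reverse proxy, with the backend hop to WebLogic re-encrypted and verified.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # Terminate the browser's SSL session here; the proxy (and any
    # filtering modules loaded on it) now sees plain HTTP it can verify.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Re-encrypt toward the application server instead of forwarding
    # plain HTTP across the internal network.
    SSLProxyEngine on
    # Only accept a WebLogic certificate chained to our internal CA and
    # whose name matches the backend host, so a node in between cannot
    # impersonate the app server and read the traffic.
    SSLProxyVerify        require
    SSLProxyVerifyDepth   2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        /app/ https://weblogic.internal.example.com:7002/app/
    ProxyPassReverse /app/ https://weblogic.internal.example.com:7002/app/

    # Tell the application the original client connection was encrypted.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this layout the Apache host is the single component that handles plaintext, which is the "logically merged" proxy and application server Cyrill describes; everything between it and WebLogic still only sees SSL.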


