Re: IDS and SSL

From: Jon (vandiveeat_private)
Date: Fri Mar 22 2002 - 20:47:15 PST


    Cisco has a new CSS/SSL product 30-90 days out, whereby the SSL card will be
    insertable to the CSS chassis.
    looks pretty cool.....
    
    Jon
    
    ----- Original Message -----
    From: "Dom De Vitto" <Domat_private>
    To: <jlewisat_private>; "'Oliver Petruzel'" <opetruzelat_private>;
    "'zeno'" <bugtraqat_private>; <vuln-devat_private>;
    <bugtraqat_private>; <webappsecat_private>;
    <focus-idsat_private>
    Sent: Friday, March 22, 2002 2:45 AM
    Subject: RE: IDS and SSL
    
    
    > Ditto, for Cisco CSS 11000's
    >
    > They'll give you multi-site loadbalancing too...
    >
    > Dom
    >  |-----Original Message-----
    >  |From: Jason Lewis [mailto:jlewisat_private]
    >  |Sent: Thursday, March 21, 2002 8:17 PM
    >  |To: 'Oliver Petruzel'; 'zeno'; vuln-devat_private;
    >  |bugtraqat_private; webappsecat_private;
    >  |focus-idsat_private
    >  |Subject: RE: IDS and SSL
    >  |
    >  |
    >  |C'mon Ollie, I am doing this now.  Instead of buying
    >  |encryption cards for all my webservers, we threw a couple of
    >  |Alteon iSD SSL accelerators onto our Alteon switches.
    >  |http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html
    >  |
    >  |These offload encryption and allow me to drop a NIDS next to
    >  |the webservers, where all the traffic is un-encrypted.  I
    >  |already had the Alteon infrastructure, and the iSD's won't
    >  |work without them so YMMV.
    >  |
    >  |Granted, eventually we will see congestion, but the
    >  |scalability of the SSL accelerators and the Alteons will make
    >  |that a long range problem.  I think the iSD's can scale to 256
    >  |with the Alteon's distributing the load.  Not to mention I
    >  |save my webserver processing power for serving pages, not
    >  |encryption....different discussion though.
    >  |
    >  |Good network design will avoid those traffic problems.  If I
    >  |have that much traffic into one datacenter, it is time to go global.
    >  |
    >  |Now, that isn't an excuse for NIDS.  I like HIDS for the
    >  |drill down on each box.  I think the two can co-exist.  I
    >  |like seeing what is on the wire, not just what made it to each server.
    >  |
    >  |Jason Lewis
    >  |http://www.packetnexus.com
    >  |It's not secure "Because they told me it was secure".
    >  |The people at the other end of the link know less
    >  |about security than you do. And that's scary.
    >  |
    >  |
    >  |//snip
    >  |Nothing short of a big road-block could monitor encrypted
    >  |traffic prior to a host;  it's just not logically possible to
    >  |examine the encrypted traffic without a big roadblock and
    >  |certificate-sharing nightmare.. that is, on the wire
    >  |at least... with the exception of placing an IDS -ON- a
    >  |VPN...and that still won't help with SSL specifically, and
    >  |that would require SICK amounts of RAM/power to be anything
    >  |close to efficient... SSL PROXY/IDS system? No way... same
    >  |speed/RAM/bandwidth limitations... //snip
    >  |
    >  |
    >
    This archive was generated by hypermail 2b30 : Sat Mar 23 2002 - 09:58:45 PST