Cisco has a new CSS/SSL product 30-90 days out, whereby the SSL card will be insertable into the CSS chassis. Looks pretty cool.....

Jon

----- Original Message -----
From: "Dom De Vitto" <Domat_private>
To: <jlewisat_private>; "'Oliver Petruzel'" <opetruzelat_private>; "'zeno'" <bugtraqat_private>; <vuln-devat_private>; <bugtraqat_private>; <webappsecat_private>; <focus-idsat_private>
Sent: Friday, March 22, 2002 2:45 AM
Subject: RE: IDS and SSL

> Ditto, for Cisco CSS 11000's
>
> They'll give you multi-site load balancing too...
>
> Dom
>
> |-----Original Message-----
> |From: Jason Lewis [mailto:jlewisat_private]
> |Sent: Thursday, March 21, 2002 8:17 PM
> |To: 'Oliver Petruzel'; 'zeno'; vuln-devat_private; bugtraqat_private; webappsecat_private; focus-idsat_private
> |Subject: RE: IDS and SSL
> |
> |C'mon Ollie, I am doing this now. Instead of buying encryption cards for all my webservers, we threw a couple of Alteon iSD SSL accelerators onto our Alteon switches.
> |http://www.nortelnetworks.com/products/01/alteon/isdssl/index.html
> |
> |These offload encryption and allow me to drop a NIDS next to the webservers, where all the traffic is un-encrypted. I already had the Alteon infrastructure, and the iSD's won't work without them, so YMMV.
> |
> |Granted, eventually we will see congestion, but the scalability of the SSL accelerators and the Alteons will make that a long-range problem. I think the iSD's can scale to 256 with the Alteons distributing the load. Not to mention I save my webserver processing power for serving pages, not encryption....different discussion though.
> |
> |Good network design will avoid those traffic problems. If I have that much traffic into one datacenter, it is time to go global.
> |
> |Now, that isn't an excuse for NIDS. I like HIDS for the drill down on each box. I think the two can co-exist. I like seeing what is on the wire, not just what made it to each server.
> |
> |Jason Lewis
> |http://www.packetnexus.com
> |It's not secure "Because they told me it was secure".
> |The people at the other end of the link know less about security than you do. And that's scary.
> |
> |
> |//snip
> |Nothing short of a big road-block could monitor encrypted traffic prior to a host; it's just not logically possible to examine the encrypted traffic without a big roadblock and certificate-sharing nightmare.. that is, on the wire at least... with the exception of placing an IDS -ON- a VPN...and that still won't help with SSL specifically, and that would require SICK amounts of RAM/power to be anything close to efficient... SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations... //snip
> |
> |
>
This archive was generated by hypermail 2b30 : Sat Mar 23 2002 - 09:58:45 PST