> -----Original Message-----
> From: Jason Lewis [mailto:jlewisat_private]
> Sent: 21 March 2002 21:17
> To: 'Oliver Petruzel'; 'zeno'; vuln-devat_private;
> bugtraqat_private; webappsecat_private;
> focus-idsat_private
> Subject: RE: IDS and SSL
>
> These offload encryption and allow me to drop a NIDS next to the
> webservers, where all the traffic is un-encrypted. I already had the Alteon
> infrastructure, and the iSD's won't work without them so YMMV.

But aren't you doing the wrong thing here?

If you ask me, you're creating a weak point in the encryption chain. If someone, hypothetically speaking, gets control of that Alteon (I'm not familiar with that device though), or of any point behind it (between that box and your web server), they can normally sniff all the traffic because, as you said, it's un-encrypted.

I think the encryption chain should be from the web server point to the client point in this matter. I know you have other benefits like acceleration, but I think you are losing a bit on security here.

Just my 2 cents,

Best regards,

Bojan Zdrnja
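An added illustration of the two deployments argued about above; it is not part of the original thread and is not the Alteon/iSD configuration Jason describes. It uses nginx as the TLS terminator only because its directives are compact; the hostname, addresses, certificate paths and the internal CA are assumed. The first server block terminates TLS and forwards plaintext HTTP to the web server, which is the leg a NIDS beside the web servers can inspect and the leg Bojan objects to. The second re-encrypts that leg so plaintext exists only inside the proxy process. Only one of the two blocks would be loaded in a real deployment, since they bind the same name and port.

```nginx
# Added example (not from the thread). Hostnames, addresses and paths are
# assumed. Load only ONE of the two server blocks; they are alternatives.

# --- Option 1: terminate TLS at the proxy, plaintext to the backend -------
# A NIDS tapping the 10.0.2.0/24 segment sees every request in the clear,
# which is the visibility Jason wants. The same plaintext is available to
# anyone who gains a foothold on the proxy or on that segment, which is
# Bojan's objection.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.2.10:80;   # clear-text leg inspected by the NIDS
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# --- Option 2: terminate TLS at the proxy, re-encrypt to the backend ------
# Plaintext exists only inside the proxy process. A NIDS on 10.0.2.0/24 now
# sees TLS records again and cannot inspect payloads; an attacker sniffing
# that segment gets nothing without the proxy's or the web server's keys.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://10.0.2.10:443;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # Verify the backend certificate against an internal CA (assumed
        # path) so a rogue host on the internal segment cannot impersonate
        # the web server to the proxy.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name backend.internal.example;
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The trade-off is visible in the two blocks: Option 1 gives the NIDS full payload visibility at the cost of a plaintext segment that must be treated as sensitive (dedicated VLAN, no other hosts, tight access to the terminator), while Option 2 removes that segment but also blinds any network sensor placed behind the proxy, so inspection then has to happen on the terminator itself or on a decrypted mirror it produces.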
This archive was generated by hypermail 2b30 : Sun Mar 24 2002 - 08:27:00 PST