Re: netcontinuum .. for ssl off-loading

From: Winged <Winged@xxxxxxxxxxxx>
Date: Mon, 30 Jan 2006 23:25:55 -0600

BernieM wrote:

We have a 'text book' 3-tier ebusiness infrastructure ...
pix -- web server -- netscreen -- app server -- ip tables -- database server
and am considering retiring the ip-tables, moving the pix to that space,and using netcontinuum at the perimeter mainly for their ability to provide a complete proxy service for the web front-end especially for their ability to terminate ssl ... allowing the first line of ids's to see what's going on.
Comments / experiences would be appreciated.
BernieM

I always thought that The IDS's needed a sensor located before and after each tier including tripwire on the actual server. The db server needs to use sequenced wrappers between the web server and the db communication with sequence ID/ encryption key set dynamically by the DB server (not web server).

Both sides of the PIX need an IDS sensor. Otherwise it is difficult to detect protocol tunneling and other potentially harmful activity.

You do not go into detail of the granularity you are using with IP tables. They can be your friend, though redundant in conjunction with PIX (redundant can be good!).

With Breechview you can intercept and interpret all SSL communications with most IDS systems.

An alternative option in high load environs is to process the SSL in either a separate instance or via hardware similar to a rainbow card, then sensor between the SSL server and web server. This is not as good using the Breechview approach, but it works. Breechview is more important when IDS is monitoring overall network activity versus just web server communications.

Winged

References:
- netcontinuum .. for ssl off-loading
  - From: BernieM

Prev by Date: Re: Newbie question: If you don't host a website, and....
Next by Date: Re: AFTER Computers; What's Next?
Previous by thread: netcontinuum .. for ssl off-loading
Next by thread: Re: Security Experts Warn of Kama Sutra Worm (yet another MS worm)
Index(es):
- Date
- Thread

Relevant Pages

Re: Multiple SSL sites on one IIS server
... You usualy have 2 options when publishing SSL sites ... the clients as the requested web server, in this case, you export the web ... Machine Certificate Store on the ISA Server, and you then configure 2 HTTPS ... request from the ISA to the Internal Web Server. ...
(microsoft.public.isa)
Re: Multiple SSL sites on one IIS server
... You usualy have 2 options when publishing SSL sites ... the clients as the requested web server, in this case, you export the web ... Machine Certificate Store on the ISA Server, and you then configure 2 HTTPS ... request from the ISA to the Internal Web Server. ...
(microsoft.public.inetserver.iis)
RE: How to setup SSL communication in IIS
... I'm by no means an expert on SSL or IIS, but I did find that for more ... information about how to tighten security on your Web server you can visit ... > I opened home server in my SOHO office and it's working now. ...
(microsoft.public.win2000.advanced_server)
[HPADM] [SUMMARY] - IMAP PORT 993
... Integrated server lumtest2 is using SSL on ... If the error indicates that the connection was reset ... you must restart your web server." ...
(HP-UX-Admin)
SSL Performance HIT in REVERSE? the clients are PEGGED as opposed to the server?
... I am trying to stress test the effects of SSL on a web server using Web ...
(microsoft.public.dotnet.languages.csharp)