Re: netcontinuum .. for ssl off-loading



BernieM wrote:
We have a 'text book' 3-tier ebusiness infrastructure ...

pix -- web server -- netscreen -- app server -- ip tables -- database server

and am considering retiring the ip-tables, moving the pix to that space,and using netcontinuum at the perimeter mainly for their ability to provide a
complete proxy service for the web front-end especially for their ability to terminate ssl ... allowing the first line of ids's to see what's going on.


Comments / experiences would be appreciated.

BernieM


I always thought that The IDS's needed a sensor located before and after each tier including tripwire on the actual server. The db server needs to use sequenced wrappers between the web server and the db communication with sequence ID/ encryption key set dynamically by the DB server (not web server).

Both sides of the PIX need an IDS sensor. Otherwise it is difficult to detect protocol tunneling and other potentially harmful activity.

You do not go into detail of the granularity you are using with IP tables. They can be your friend, though redundant in conjunction with PIX (redundant can be good!).

With Breechview you can intercept and interpret all SSL communications with most IDS systems.

An alternative option in high load environs is to process the SSL in either a separate instance or via hardware similar to a rainbow card, then sensor between the SSL server and web server. This is not as good using the Breechview approach, but it works. Breechview is more important when IDS is monitoring overall network activity versus just web server communications.

Winged



.