Velocity Reviews - Computer Hardware Reviews

netcontinuum .. for ssl off-loading

 
 
BernieM
01-28-2006
We have a 'text book' 3-tier ebusiness infrastructure ...

pix -- web server -- netscreen -- app server -- ip tables -- database server

and I am considering retiring the ip-tables, moving the pix to that space, and
using netcontinuum at the perimeter mainly for their ability to provide a
complete proxy service for the web front-end especially for their ability to
terminate ssl ... allowing the first line of ids's to see what's going on.

Comments / experiences would be appreciated.

BernieM


 
Winged
01-31-2006
BernieM wrote:
> We have a 'text book' 3-tier ebusiness infrastructure ...
>
> pix -- web server -- netscreen -- app server -- ip tables -- database server
>
> and am considering retiring the ip-tables, moving the pix to that space,and
> using netcontinuum at the perimeter mainly for their ability to provide a
> complete proxy service for the web front-end especially for their ability to
> terminate ssl ... allowing the first line of ids's to see what's going on.
>
> Comments / experiences would be appreciated.
>
> BernieM
>
>

I always thought that the IDS's needed a sensor located before and after
each tier including tripwire on the actual server. The db server needs
to use sequenced wrappers between the web server and the db
communication with sequence ID/ encryption key set dynamically by the DB
server (not web server).

Both sides of the PIX need an IDS sensor. Otherwise it is difficult to
detect protocol tunneling and other potentially harmful activity.

You do not go into detail on the granularity you are using with IP
tables. They can be your friend, though redundant in conjunction with
PIX (redundant can be good!).

With Breechview you can intercept and interpret all SSL communications
with most IDS systems.

An alternative option in high load environs is to process the SSL in
either a separate instance or via hardware similar to a rainbow card,
then sensor between the SSL server and web server. This is not as good as
using the Breechview approach, but it works. Breechview is more
important when IDS is monitoring overall network activity versus just
web server communications.

Winged

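The "sequenced wrapper" Winged describes for the web-server-to-database link, worked through as an added example (this is illustration code, not anything from the thread or from any product mentioned in it). The database side issues the per-session key and the starting sequence number, so a compromised web server never chooses them; every request then carries the session id, the next sequence number and a MAC over all three fields, and the database side accepts only the exact next number. HMAC-SHA256 over a JSON envelope is my assumed mechanism: it gives integrity and replay/gap detection, not confidentiality, so the tier-to-tier link would still want transport encryption underneath it. All traffic in `run_demo` is constructed.

```python
# Added example (not from the thread): a sequenced, keyed wrapper for
# web-tier -> database-tier requests. The DB side issues the per-session
# key and starting sequence number, as Winged suggests, so a compromised
# web server cannot pick them. HMAC-SHA256 and the JSON envelope are my
# assumptions; the thread names no concrete mechanism.
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, session_id: str, seq, query) -> str:
    """Authenticate (session, sequence, query) together so none can be altered alone."""
    msg = json.dumps([session_id, seq, query], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DbServerSide:
    """The database tier: hands out session parameters and checks every request."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"key": bytes, "next_seq": int}

    def open_session(self):
        # Key and starting sequence are chosen here, never by the web server.
        session_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        start_seq = secrets.randbelow(2 ** 32)
        self._sessions[session_id] = {"key": key, "next_seq": start_seq}
        return session_id, key, start_seq

    def accept(self, envelope: dict):
        """Return (accepted, reason). Only the exact next sequence number passes."""
        session_id = envelope.get("session")
        sess = self._sessions.get(session_id)
        if sess is None:
            return False, "unknown session"
        seq, query = envelope.get("seq"), envelope.get("query")
        expected = _mac(sess["key"], session_id, seq, query)
        # Constant-time compare; a bad MAC means a tampered field or the wrong key.
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return False, "bad mac"
        # A replayed envelope (too low) or a skipped one (too high) both fail here.
        if seq != sess["next_seq"]:
            return False, "sequence mismatch"
        sess["next_seq"] += 1
        return True, "ok"


class WebServerSide:
    """The web tier: wraps each query with the session id, next sequence and MAC."""

    def __init__(self, session_id, key, start_seq):
        self._session_id = session_id
        self._key = key
        self._seq = start_seq

    def wrap(self, query: str) -> dict:
        env = {
            "session": self._session_id,
            "seq": self._seq,
            "query": query,
            "mac": _mac(self._key, self._session_id, self._seq, query),
        }
        self._seq += 1
        return env


def run_demo():
    """Exercise the wrapper with constructed traffic; returns each decision by name."""
    db = DbServerSide()
    web = WebServerSide(*db.open_session())
    first = web.wrap("SELECT id FROM orders WHERE customer = 42")
    results = {"fresh": db.accept(first)}
    results["replay"] = db.accept(first)  # identical envelope sent again
    second = web.wrap("SELECT total FROM orders WHERE id = 7")
    tampered = dict(second, query="SELECT * FROM customers")  # MAC no longer matches
    results["tampered"] = db.accept(tampered)
    results["ordered"] = db.accept(second)  # untouched copy still in sequence
    third = web.wrap("SELECT 1")
    fourth = web.wrap("SELECT 2")
    results["gap"] = db.accept(fourth)  # arrives before 'third': rejected
    results["after_gap"] = db.accept(third)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:10s} -> {decision}")
```

The sequence check is deliberately strict (exact next number, no window): a reordered or lost request is treated the same as a replay, which is the right default for a single ordered channel between two servers and keeps the DB-side state to one integer per session.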


 