netcontinuum .. for ssl off-loading

Discussion in 'Computer Security' started by BernieM, Jan 28, 2006.

  1. BernieM

    BernieM Guest

    We have a 'text book' 3-tier ebusiness infrastructure ...

    pix -- web server -- netscreen -- app server -- ip tables -- database server

    and am considering retiring the ip-tables, moving the pix to that space, and
    using netcontinuum at the perimeter mainly for their ability to provide a
    complete proxy service for the web front-end, especially for their ability to
    terminate ssl ... allowing the first line of IDSs to see what's going on.

    Comments / experiences would be appreciated.

    BernieM
    BernieM, Jan 28, 2006
    #1

  2. Winged

    Winged Guest

    BernieM wrote:
    > We have a 'text book' 3-tier ebusiness infrastructure ...
    >
    > pix -- web server -- netscreen -- app server -- ip tables -- database server
    >
    > and am considering retiring the ip-tables, moving the pix to that space, and
    > using netcontinuum at the perimeter mainly for their ability to provide a
    > complete proxy service for the web front-end, especially for their ability to
    > terminate ssl ... allowing the first line of IDSs to see what's going on.
    >
    > Comments / experiences would be appreciated.
    >
    > BernieM

    I always thought that the IDSs needed a sensor located before and after
    each tier, including tripwire on the actual server. The db server needs
    to use sequenced wrappers between the web server and the db
    communication, with the sequence ID / encryption key set dynamically by the DB
    server (not the web server).

    Both sides of the PIX need an IDS sensor. Otherwise it is difficult to
    detect protocol tunneling and other potentially harmful activity.

    You do not go into detail of the granularity you are using with IP
    tables. They can be your friend, though redundant in conjunction with
    PIX (redundant can be good!).

    With Breechview you can intercept and interpret all SSL communications
    with most IDS systems.

    An alternative option in high-load environments is to process the SSL in
    either a separate instance or via hardware similar to a rainbow card,
    then sensor between the SSL server and web server. This is not as good as
    using the Breechview approach, but it works. Breechview is more
    important when IDS is monitoring overall network activity versus just
    web server communications.

    Winged
    Winged, Jan 31, 2006
    #2