Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 24 Oct 2002 12:38:20 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 24 Oct 2002 12:38:20 -0400 Received: from warden-p.diginsite.com ([208.29.163.248]:41884 "HELO warden.diginsite.com") by vger.kernel.org with SMTP id ; Thu, 24 Oct 2002 12:38:18 -0400 From: David Lang To: "Henning P. Schmiedehausen" Cc: linux-kernel@vger.kernel.org Date: Thu, 24 Oct 2002 09:34:51 -0700 (PDT) Subject: Re: One for the Security Guru's In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2102 Lines: 52 Unfortunantly there are things that you can't do with a network based SSL accelerator box (specificly have your webserver give people an understandable warning if they are useing weak encryption) so this isn't the Right (tm) way of doing things, it's one of the ways to do them. David Lang On Thu, 24 Oct 2002, Henning P. Schmiedehausen wrote: > Date: Thu, 24 Oct 2002 16:39:23 +0000 (UTC) > From: Henning P. Schmiedehausen > To: linux-kernel@vger.kernel.org > Newsgroups: hometree.linux.kernel > Subject: Re: One for the Security Guru's > > Gerhard Mack writes: > > >It gets even worse if almost all of your services are encrypted(like you > >would find on an e-commerse site). https will blind an IDS. The last > >place I worked only had 3 ports open and 2 of them were encrypted. > > Nah. Do it right: > > Internet ----- Firewall ---- SSL Accelerator Box --+---- Webserver > HTTPS HTTPS | HTTP > | > IDS > > Check out the boxes from SonicWall, they're quite nice. Expensive, > though. If your E-Commerce site can't afford them, well, then they > shouldn't be able to affore a security consulant in the first > place. :-) > > Regards > Henning > -- > Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer > INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de > > Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de > D-91054 Buckenhof Fax.: 09131 / 50654-20 > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/