Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 25 Oct 2002 05:37:53 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 25 Oct 2002 05:37:53 -0400 Received: from babsi.intermeta.de ([212.34.181.3]:37639 "EHLO mail.intermeta.de") by vger.kernel.org with ESMTP id ; Fri, 25 Oct 2002 05:37:51 -0400 Subject: Re: One for the Security Guru's From: Henning Schmiedehausen To: Gilad Ben-Yossef Cc: linux-kernel@vger.kernel.org In-Reply-To: <1035479086.9935.6.camel@gby.benyossef.com> References: <1035453664.1035.11.camel@syntax.dstl.gov.uk> <1035479086.9935.6.camel@gby.benyossef.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 Date: 25 Oct 2002 11:44:02 +0200 Message-Id: <1035539042.23977.24.camel@forge> Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1833 Lines: 48 On Thu, 2002-10-24 at 19:04, Gilad Ben-Yossef wrote: > On Thu, 2002-10-24 at 18:39, Henning P. Schmiedehausen wrote: > > Gerhard Mack writes: > > >It gets even worse if almost all of your services are encrypted(like you > > >would find on an e-commerse site). https will blind an IDS. The last > > >place I worked only had 3 ports open and 2 of them were encrypted. > > > > Nah. Do it right: > > > > Internet ----- Firewall ---- SSL Accelerator Box --+---- Webserver > > HTTPS HTTPS | HTTP > > | > > IDS > > > > Eh... not really: > > A. If there's a buffer overflow in the SSL Accelerator box the firewall > wont do you much good (it helps, but only a little). This is a hardware device. Hardware as in "silicon". I very much doubt that you can run "general purpose programs" on a device specifically designed to do crypto. And this is _not_ just an "embedded Linux on ix86 with a crypto chip". > B. The firewall in this setup provides very little besides packet > filtering anyway. You're right. But if I'd let it off, I'd would have gotten mail with "there is no firewall in your setup, it's not secure". Either way I lose. :-) Regards Henning -- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/