> That's interesting... because I'm seeing a lot of people get excited
> about load balancers from a variety of vendors, and terminating the
> SSL at some SSL acceleration HW on the load balancer and having
IMHO, designers must carefully verify that:
1. nothing except the webserver (and possibly an IDS) receives the
unencrypted data. [placing them in the same room sounds like the best
idea]
2. that there is no way to fool or by mistake access the same webserver
without the use of SSL. That is, https://secure.example.com shouldn't be
possible to access as http://secure.example.com.
If those requirements are met, I can't name one major disadvantage of the
setup.
Come to think of it, is anyone aware of any attempts to take a hardware
accelerator (the ones which work as add-on PCI cards) and use them to
speed up SSL processing in an IDS? If implemented correctly, the IDS
should be able to do crypto things far beyond any software-based
solution...
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
Received on Sep 03 2000
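Requirement 2 in the post above (the "secure" virtual host must not be reachable without SSL) is something you can check mechanically from outside. The script below is an added example, not code from the post or its author: it sends a plain HTTP request to port 80 carrying the secure vhost's name in the Host header (optionally aimed straight at the load balancer's address, since that is where the plaintext listener lives) and classifies what comes back, then checks the HTTPS side for a Strict-Transport-Security header as a modern belt-and-braces measure that did not exist when the post was written. The hostname `secure.example.com`, the `probe`/`classify_plain_http`/`hsts_max_age`/`audit` names and the balancer-address parameter are all assumptions of this example.

```python
# Added example (not from the original post): probe whether an HTTPS-only
# virtual host is also reachable over plain HTTP, which is requirement 2
# in the post above. Hostnames and addresses here are placeholders.
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    reachable: bool                    # did the TCP/HTTP exchange complete?
    status: Optional[int] = None       # HTTP status code, if any
    location: Optional[str] = None     # Location header on a redirect
    hsts: Optional[str] = None         # Strict-Transport-Security header


def probe(host: str, port: int, use_tls: bool, target: Optional[str] = None,
          timeout: float = 5.0) -> ProbeResult:
    """Send GET / to `target` (or `host`) with Host: `host` and summarise the reply.

    Passing the load balancer's address as `target` with the secure vhost's
    name in `host` catches the case where the plaintext listener happily
    serves the "secure" virtual host to anyone who asks for it by name.
    """
    address = target or host
    try:
        if use_tls:
            conn = http.client.HTTPSConnection(
                address, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(address, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        result = ProbeResult(True, resp.status, resp.getheader("Location"),
                             resp.getheader("Strict-Transport-Security"))
        conn.close()
        return result
    except (OSError, http.client.HTTPException):
        # connection refused, timeout, TLS failure or a malformed reply
        return ProbeResult(False)


def classify_plain_http(result: ProbeResult) -> str:
    """Classify what the plaintext listener does for the secure vhost.

    'closed'    - nothing answered; the only way in is TLS
    'redirect'  - a 3xx pointing at an https:// URL (no content in the clear)
    'cleartext' - anything else: content, or a redirect that stays on http
    """
    if not result.reachable:
        return "closed"
    if (result.status in (301, 302, 303, 307, 308) and result.location
            and result.location.lower().startswith("https://")):
        return "redirect"
    return "cleartext"


def hsts_max_age(header: Optional[str]) -> int:
    """Parse max-age out of a Strict-Transport-Security header (0 if absent)."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return 0


def audit(host: str, balancer: Optional[str] = None) -> dict:
    """Run both probes against a live host and return the verdicts."""
    plain = probe(host, 80, use_tls=False, target=balancer)
    tls = probe(host, 443, use_tls=True)
    return {
        "plain_http": classify_plain_http(plain),
        "https_reachable": tls.reachable,
        "hsts_max_age": hsts_max_age(tls.hsts),
    }


if __name__ == "__main__":
    import sys
    # usage: python check_plaintext.py secure.example.com [balancer-address]
    host = sys.argv[1] if len(sys.argv) > 1 else "secure.example.com"
    balancer = sys.argv[2] if len(sys.argv) > 2 else None
    print(audit(host, balancer))
```

A verdict of `closed` or `redirect` for `plain_http` means the post's requirement 2 holds at the edge; `cleartext` means the same vhost is being served without SSL and the setup fails the author's own test. A non-zero `hsts_max_age` additionally stops browsers that have seen the site once from ever trying `http://` again, which covers the "by mistake" case for returning users.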