WebApp Sec: Re: Q: Howto - SSL Tunnel for End-to-End encryption

Re: Q: Howto - SSL Tunnel for End-to-End encryption

From: Cyrill Osterwalder <cyrill.osterwalder_at_seclutions.com>
Date: Mon, 28 Apr 2003 09:19:51 +0200

Hello Pong

Terminating the network encryption in front of the application is actually
a very good idea for overall security. Of course, you have to be able to
control which components can read the plain traffic. But if you have an SSL
encrypted connection that passes firewalls, IDSs and proxies and goes
directly to the application server, quite some attacks to the app server
are possible that could have been avoided. All your packet filters, content
filtering firewalls, IDSs and also your HTTP proxies do not have the
capability of verifying protocol, content, user input or anything else if
the network connection is encrypted. There is our product whitepaper
available at our Seclutions website that also discusses this topic in the
context of a Web application security gateway. You might find some parts of
it interesting even if you're not interested in a commercial application
security gateway solution.

If you do not need more than just a packet filter and the proxy for plain
URL mapping reasons, your approach is fine. Today, you normally require a
higher level of security checks before the traffic hits your app server. In
order to achieve a real end-to-end encryption with the additional risks
mentioned above, I'd recommend logically merging your SSL terminating Web
proxy (Apache) with your application server. That's more or less the only
solution if you need to support standard browsers with SSL.

However, the best thing would be to introduce application level encryption
so that you can still benefit from protocol and public content verification
of other network components and only hide the data that you really need to.

Cyrill

---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer

Seclutions AG, Zurich, Switzerland

PGPKey ID :0xC70E7ACB
PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
PGPKey URL:http://pgpkeys.mit.edu:11371

http://www.seclutions.com

--On Sunday, 27 April 2003 16:53 +0800 "Ip, Ting Pong" <pong_at_cs.ust.hk>
wrote:

> Hi all,
>
> I am now researching the implementation of end-to-end encryption for
> the following typical web application architecture.
> [Web Client] <-> [Web Server (Apache)] <-> [Application Server (WebLogic)]
> <-> [Database Server (Oracle)]
>
> I would like to make an end-to-end encryption from the web client to
> application server so that no intermediate nodes could read the
> transmitting traffic.
>
> However, I found that the Apache SSL-Proxy module would initiate the SSL
> connection from the web server to the Application Server. Besides, the
> SSL connection from web client will terminate on the web server.
> Therefore, in either case, the web server can read the transmitting
> traffic. I am thinking that to "rewrite" or "redirect" the web
> connection from the web server to the application server but this would
> expose the application server to the public.
>
> Other than implementing the end-to-end encryption on the application
> level, is there any network architecture that can achieve end-to-end
> encryption without bypassing the web server?
>
> Thank you very much.
>
> Pong
Received on Apr 28 2003
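The trade-off Cyrill describes (a filtering proxy can only verify what it can read, so encrypt just the data that must stay private at the application level and leave the rest of the protocol inspectable) can be shown in code. The following is an added example written for this archive page; it is not code from the thread, from Seclutions or from Apache. It models the three hops from Pong's diagram as plain functions: the client encrypts one sensitive field under a key shared only with the application server, the intermediate proxy validates the plaintext HTTP envelope (method, path, JSON layout, username syntax, size of the opaque field) and rejects anything off-policy without ever seeing the card number, and the application server decrypts and checks integrity. The cipher is a deliberately simple stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC with separately derived subkeys) so the script runs on the standard library alone; the key, field names, paths and sample values are all constructed for the example, and a production system would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Field-level encryption next to an inspecting proxy.

Path modelled:  [client] -> [TLS-terminating proxy] -> [application server]
The proxy sees the whole HTTP envelope in the clear and can enforce policy
on it; only `card_number_enc` is opaque to it.  (Added example, constructed
names and values; not code from the original thread.)
"""
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed demo secret: held by the client and the application server only,
# never by the proxy.  In practice this is provisioned out of band.
APP_KEY = hashlib.sha256(b"demo-shared-secret-do-not-use").digest()

ALLOWED_PATHS = {"/api/payment"}
ALLOWED_BODY_KEYS = {"username", "card_number_enc"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
MAX_ENC_FIELD_CHARS = 1024  # bound the opaque field even though we can't read it


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC one field; returns base64(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_field(key: bytes, token: str) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    raw = base64.b64decode(token)
    if len(raw) < 16 + 32:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_build_request(key: bytes, username: str, card_number: str) -> dict:
    """Client side: only the card number is hidden; the rest stays inspectable."""
    return {
        "method": "POST",
        "path": "/api/payment",
        "body": {"username": username, "card_number_enc": encrypt_field(key, card_number.encode())},
    }


def proxy_inspect(request: dict):
    """Proxy side: validate everything visible, bound what is not. Returns (ok, reason)."""
    if request.get("method") != "POST" or request.get("path") not in ALLOWED_PATHS:
        return False, "method/path not allowed"
    body = request.get("body")
    if not isinstance(body, dict) or set(body) != ALLOWED_BODY_KEYS:
        return False, "unexpected body structure"
    if not isinstance(body["username"], str) or not USERNAME_RE.match(body["username"]):
        return False, "username fails input validation"
    enc = body["card_number_enc"]
    if not isinstance(enc, str) or len(enc) > MAX_ENC_FIELD_CHARS:
        return False, "encrypted field missing or too large"
    try:
        base64.b64decode(enc, validate=True)
    except (ValueError, TypeError):
        return False, "encrypted field is not valid base64"
    return True, "envelope accepted; card_number_enc is opaque to this hop"


def app_server_handle(key: bytes, request: dict) -> dict:
    """Application server side: the only hop that can read the sensitive field."""
    card = decrypt_field(key, request["body"]["card_number_enc"]).decode()
    return {"user": request["body"]["username"], "card_last4": card[-4:]}


def corrupt_in_transit(request: dict) -> dict:
    """Simulate a bit flipped in the ciphertext on the wire; used to show the MAC catches it."""
    raw = bytearray(base64.b64decode(request["body"]["card_number_enc"]))
    raw[20] ^= 0x01  # inside the ciphertext region
    out = json.loads(json.dumps(request))
    out["body"]["card_number_enc"] = base64.b64encode(bytes(raw)).decode("ascii")
    return out


if __name__ == "__main__":
    req = client_build_request(APP_KEY, "pong", "4111111111111111")  # constructed sample
    print("proxy:", proxy_inspect(req))
    print("app  :", app_server_handle(APP_KEY, req))
    print("proxy:", proxy_inspect(client_build_request(APP_KEY, "pong; drop table", "4111111111111111")))
```

Note what the proxy can and cannot do here: it still enforces method, path, schema and input syntax on the clear envelope, which is exactly the verification Cyrill says is lost when the whole connection is opaque, but it can only bound the size and encoding of the encrypted field. Any check that needs the card number itself has to live on the application server.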
