On Thu, 2002-10-24 at 18:39, Henning P. Schmiedehausen wrote:
> Gerhard Mack <gmack@innerfire.net> writes:
> >It gets even worse if almost all of your services are encrypted(like you
> >would find on an e-commerse site). https will blind an IDS. The last
> >place I worked only had 3 ports open and 2 of them were encrypted.
>
> Nah. Do it right:
>
> Internet ----- Firewall ---- SSL Accelerator Box --+---- Webserver
> HTTPS HTTPS | HTTP
> |
> IDS
>
Eh... not really:
A. If there's a buffer overflow in the SSL Accelerator box the firewall
wont do you much good (it helps, but only a little).
B. The firewall in this setup provides very little besides packet
filtering anyway.
SO... basically we're back to square one. A better firewall might offer
more features but in the end the end point must be secure or all of
these features wont do a damn good, thus in many cases it would make
sense to use the free (as in both beer and speech) solution provided by
Linux, not because it's the best, but because it's enough: there are
weaker links to worry about.
Gilad.
-- Gilad Ben-Yossef <gilad@benyossef.com> http://benyossef.com"Geeks rock bands cool name #8192: RAID against the machine"
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:24 EST