[Snort-users] Snorting SSL
Jason.Haar at ...294...
Mon Jul 7 21:22:05 EDT 2003
Hutchinson, Andrew wrote:
> I may be wrong, but the only good way that I know of to do this is to
> use an SSL Accelerator, and run your ISD behind it. This can often be
> combined with a we server load balancing solution, from folks like
> Radware or F5. The accelerator terminates the SSL sessions and then
> dispatches the session of one of the servers in the farm. Radware
> allows you to plug your IDS right into the accelerator/load balancer. I
> don't know too much about F5.
It's not as bad as that..
You need to redefine "SSL accelerators" - it also includes any form of
Reverse proxy. So set up Apache + mod_ssl/mod_proxy or Microsoft ISA
server and you're away laughing. Your users talk HTTPS to the frontend,
and your IDS sees all the unencrypted traffic heading back to the
It works well, and doesn't cost much at all :-)
Oh yeah - and if you've got <10Mbs Internet links, the performance is
fine too. A couple of years ago I benchmarked an Apache 1.3.?? server on
an AMD 1200 Linux reverse proxy pushing ~6Mbs HTTPS traffic at about 10%
CPU load - that was without SSL session caching (which really affects
throughput). In reality, you need a big pipe to justify Big Iron.
More information about the Snort-users