[Snort-users] Snorting SSL

Jason Haar Jason.Haar at ...294...
Mon Jul 7 21:22:05 EDT 2003

Hutchinson, Andrew wrote:
> I may be wrong, but the only good way that I know of to do this is to
> use an SSL Accelerator, and run your ISD behind it.  This can often be
> combined with a we server load balancing solution, from folks like
> Radware or F5.  The accelerator terminates the SSL sessions and then
> dispatches the session of one of the servers in the farm.  Radware
> allows you to plug your IDS right into the accelerator/load balancer.  I
> don't know too much about F5.

It's not as bad as that..

You need to redefine "SSL accelerators" - it also includes any form of 
Reverse proxy. So set up Apache + mod_ssl/mod_proxy or Microsoft ISA 
server and you're away laughing. Your users talk HTTPS to the frontend, 
and your IDS sees all the unencrypted traffic heading back to the 
backend servers.

It works well, and doesn't cost much at all :-)

Oh yeah - and if you've got <10Mbs Internet links, the performance is 
fine too. A couple of years ago I benchmarked an Apache 1.3.?? server on 
an AMD 1200 Linux reverse proxy pushing ~6Mbs HTTPS traffic at about 10% 
CPU load - that was without SSL session caching (which really affects 
throughput). In reality, you need a big pipe to justify Big Iron.

Jason Haar

More information about the Snort-users mailing list