
Re: Q: Howto - SSL Tunnel for End-to-End encryption

From: Cyrill Osterwalder <cyrill.osterwalder(at)seclutions.com>
Date: Mon Apr 28 2003 - 03:19:51 EDT

Hello Pong

Terminating the network encryption in front of the application is actually a very good idea for overall security. Of course, you have to be able to control which components can read the plain traffic. But if you have an SSL encrypted connection that passes firewalls, IDSs and proxies and goes directly to the application server, quite a few attacks on the app server are possible that could have been avoided. All your packet filters, content filtering firewalls, IDSs and also your HTTP proxies do not have the capability of verifying protocol, content, user input or anything else if the network connection is encrypted. Our product whitepaper is available at the Seclutions website and also discusses this topic in the context of a Web application security gateway. You might find some parts of it interesting even if you're not interested in a commercial application security gateway solution.

If you do not need more than just a packet filter and the proxy for plain URL mapping reasons, your approach is fine. Today, you normally require a higher level of security checks before the traffic hits your app server. In order to achieve real end-to-end encryption with the additional risks mentioned above, I'd recommend logically merging your SSL terminating Web proxy (Apache) with your application server. That's more or less the only solution if you need to support standard browsers with SSL.

However, the best thing would be to introduce application level encryption so that you can still benefit from protocol and public content verification of other network components and only hide the data that you really need to.

Cyrill



Cyrill Osterwalder
Chief Technology Officer

Seclutions AG, Zurich, Switzerland

PGPKey ID :0xC70E7ACB
PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
PGPKey URL:http://pgpkeys.mit.edu:11371

http://www.seclutions.com


--On Sunday, 27 April 2003 16:53 +0800 "Ip, Ting Pong" <pong@cs.ust.hk> wrote:

> Hi all,
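The application-level encryption recommended in the last paragraph of the reply, as an added worked example in Go that is not part of the original message or of any Seclutions product: only the card number is encrypted with an AES-GCM key shared by browser-side code and the application server, so a gateway without that key can still parse the request and validate its public fields. The form fields action and card_enc, the names GatewayCheck and FieldCipher, and the allowed actions are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
)

// GatewayCheck is what a proxy or IDS can still do without the key on a constructed
// form such as action=pay&card_enc=...: validate the public field, treat card_enc as opaque.
func GatewayCheck(form url.Values) error {
	if a := form.Get("action"); a != "pay" && a != "refund" {
		return errors.New("unexpected action")
	}
	_, err := base64.RawURLEncoding.DecodeString(form.Get("card_enc"))
	return err
}

// FieldCipher holds the AES-GCM key shared only by browser-side code and the
// application server; the gateway in between never sees it (assumed key handling).
type FieldCipher struct{ gcm cipher.AEAD }
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &FieldCipher{gcm}, err
}

// Seal encrypts one sensitive field; ciphertext and tag are appended after the nonce.
func (f *FieldCipher) Seal(plaintext []byte) (string, error) {
	nonce := make([]byte, f.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(f.gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Open is the application server's side; a field altered in transit fails authentication.
func (f *FieldCipher) Open(enc string) ([]byte, error) {
	n := f.gcm.NonceSize()
	ct, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(ct) < n {
		return nil, errors.New("malformed card_enc")
	}
	return f.gcm.Open(nil, ct[:n], ct[n:], nil)
}
```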
Received on Mon Apr 28 11:03:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

