'Serious' crypto?
Peter Cornelius
pcc at gmx.net
Fri May 28 10:15:32 UTC 2010
Hi Matthew,
> > And a hardware crypto device will level HTTPS to the HTTP volume
> > without it?
>
> Probably. The usual approach with HTTPS once traffic levels get big
> enough is crypto-offload. You use a separate device as the crypto
> endpoint: typically built into a load balancer. You can do this using a
> PF based firewall using relayd(8) for a lot less money, and in this case
> one crypto accelerator card in your firewall could support several
> webservers behind it.
That's pretty close to what I had in mind, though I considered a separate device in a DMZ for load balancing and mod_proxy/mod_security as a minimum. However, HTTP(S) is only one of so many protocols.
> Heh. When I said 'pretty fancy kit' I meant something considerably more
> *shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity
OK, you win that one :) We typically use one up from that as a minimum. Dunno if that regains me my face, though...
> server is roughly performance compatible with a 5510 but considerably
> cheaper if you want all the trimmings like high-availability, unlimited
> numbers of servers, GB on all interfaces etc.
That is all true, but these arguments only work if you talk to security-literate people, not managers who prefer "something with a real seal on" and regular updates etc. Since the latter are the ones who authorise the cash, here we go. There are some whom I can convince, but frequently it's just not worth the discussion. IMHO, unfortunately, but I don't want to start an advocacy thread here.
> Note that ASA5510 level kit tends to do things like deep packet
> inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
> and screwing with SMTP so hard it breaks.] PF itself is purely based on
> dealing with packet headers: however you can easily add things like
> squid caching and filtering, snort etc. but these will ramp up the CPU
> requirements beyond what a small appliance could support.
As indicated initially, I intend to shift the load off the firewall to a separate device, which then may do a lot more to the traffic than the firewall does. But I don't see why I shouldn't try to use the same kind of hardware platform for both.
Be that as it may, I'll first set this up with the hardware I already have, then see what I find and where best to optimise before going into production. I also must improve significantly on my config management before I can actually do that, as others do, judging from other threads.
> > My reason for the post was considering more another 'quiet' and
> > 'lowpower' project I have, so that's probably a completely different
> > pair of shoes. I'll try without first and then see what comes out of
> > it.
>
> Commodity servers certainly don't fulfil the "quiet" requirement. Most
> of them have enough fannage to build a fairly respectable hovercraft.
Nope, they don't. I used to dry my hair behind the cabinets. And I used to have a lot of that :)
Thanks again for your responses, and
All the best regards,
Peter.
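The crypto-offload setup Matthew describes above (terminate HTTPS on the PF/relayd box, speak plain HTTP to the web servers behind it), written out as a relayd.conf. This is an added example, not configuration from anyone in the thread; the addresses, backend port and relay names are assumptions, and it uses the `tls` keyword of current relayd (the 2010-era syntax used `ssl` in the same place).

```conf
# Added example: relayd.conf terminating HTTPS on the firewall/load balancer.
# All addresses and names below are assumed for illustration.

ext_addr="203.0.113.10"            # public address the relay listens on (assumed)

# Web servers on the inside, reached over plain HTTP (assumed addresses).
table <webhosts> { 10.0.0.11 10.0.0.12 10.0.0.13 }

http protocol "https-offload" {
    # The backends only ever see the relay's address, so pass the real
    # client address and the terminating endpoint along in headers.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    tcp { nodelay, sack, socket buffer 65536, backlog 128 }

    # Private key and certificate are loaded by default from
    # /etc/ssl/private/203.0.113.10.key and /etc/ssl/203.0.113.10.crt,
    # i.e. named after the listen address.
    tls { ciphers "HIGH:!aNULL" }
}

relay "https" {
    listen on $ext_addr port 443 tls
    protocol "https-offload"
    # Health-check each backend with an HTTP GET of "/" expecting 200;
    # hosts that fail are taken out of the table automatically.
    forward to <webhosts> port 80 check http "/" code 200
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before enabling it. The security-relevant consequences of this layout: the web servers never hold the TLS private key, only the relay does, so the key material to protect (and the accelerator card, if any) sits on one box; and the hop from the relay to the backends is cleartext, so it belongs on a network segment the backends' other neighbours cannot sniff.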
More information about the freebsd-questions mailing list