Post 302432086 by Linux Bot on Thursday 24th of June 2010 12:15:08 AM
New SSL Inspection Solutions: Are they helping us or not?

I saw some presentations and papers about a new technology that is able to decrypt SSL traffic and send it to existing security and network appliances on high-speed networks. This technology enables existing IPS solutions to identify risks normally hidden by SSL, such as regulatory compliance violations, viruses, malware, data loss, intrusion attempts, etc.
This is a very good approach to detect/block those attacks (there are reports showing an increase in attacks using SSL traffic), but I see some related risks.



  • What if someone uses this technology to decrypt the traffic and get the info? What mitigation actions are in place to avoid this?
  • How will this technology handle DDoS attacks? Will it be overloaded?
  • What latency will this technology add to the network?
  • How do browsers handle this "man-in-the-middle"-like security solution?

There are obvious advantages to adopting such technology, but a careful analysis must be in place before adoption to address these risks. This will be a case-by-case study, and (at least I believe) not all companies will be able to deploy such technology due to regulations or compliance.

Best Regards


SSL_CTX_set_ssl_version(3)                        OpenSSL                        SSL_CTX_set_ssl_version(3)

NAME
       SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method - choose a new TLS/SSL method

SYNOPSIS
       #include <openssl/ssl.h>

       int SSL_CTX_set_ssl_version(SSL_CTX *ctx, SSL_METHOD *method);
       int SSL_set_ssl_method(SSL *s, SSL_METHOD *method);
       SSL_METHOD *SSL_get_ssl_method(SSL *ssl);

DESCRIPTION
       SSL_CTX_set_ssl_version() sets a new default TLS/SSL method for SSL objects newly created from this ctx. SSL objects already created with SSL_new(3) are not affected, except when SSL_clear(3) is being called.

       SSL_set_ssl_method() sets a new TLS/SSL method for a particular ssl object. It may be reset, when SSL_clear() is called.

       SSL_get_ssl_method() returns a function pointer to the TLS/SSL method set in ssl.

NOTES
       The available method choices are described in SSL_CTX_new(3).

       When SSL_clear(3) is called and no session is connected to an SSL object, the method of the SSL object is reset to the method currently set in the corresponding SSL_CTX object.

RETURN VALUES
       The following return values can occur for SSL_CTX_set_ssl_version() and SSL_set_ssl_method():

       0   The new choice failed, check the error stack to find out the reason.

       1   The operation succeeded.

SEE ALSO
       SSL_CTX_new(3), SSL_new(3), SSL_clear(3), ssl(3), SSL_set_connect_state(3)

50                                               2013-03-05                      SSL_CTX_set_ssl_version(3)