From owner-freebsd-questions@FreeBSD.ORG Fri May 28 10:15:32 2010
From: "Peter Cornelius" <pcc@gmx.net>
To: Matthew Seaman
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Date: Fri, 28 May 2010 12:15:29 +0200
Subject: Re: 'Serious' crypto?
Message-ID: <20100528101529.143490@gmx.net>
In-Reply-To: <4BFF833E.6060301@infracaninophile.co.uk>

Hi Matthew,

> > And a hardware crypto device will level HTTPS to the HTTP volume
> > without it?
>
> Probably. The usual approach with HTTPS once traffic levels get big
> enough is crypto-offload.
> You use a separate device as the crypto
> endpoint: typically built into a load balancer. You can do this using a
> PF based firewall using relayd(8) for a lot less money, and in this case
> one crypto accelerator card in your firewall could support several
> webservers behind it.

That's pretty close to what I had in mind, though I considered a separate
device in a DMZ for load balancing and mod_proxy/mod_security, as a
minimum. However, HTTP(S) is only one of so many protocols.

> Heh. When I said 'pretty fancy kit' I meant something considerably more
> *shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity

Ok, you win that one :) We typically use one up from that as a minimum.
Dunno if that regains me my face though...

> server is roughly performance compatible with a 5510 but considerably
> cheaper if you want all the trimmings like high-availability, unlimited
> numbers of servers, GB on all interfaces etc.

That is all true, but these arguments only work if you talk to
security-literate people, not managers who prefer "something with a real
seal on" and regular updates etc. Since the latter are the ones who
authorise the cash, here we go. There are some whom I can convince, but
frequently it's just not worth the discussion. IMHO, unfortunately, but I
don't want to start an advocacy thread here.

> Note that ASA5510 level kit tends to do things like deep packet
> inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
> and screwing with SMTP so hard it breaks.] PF itself is purely based on
> dealing with packet headers: however you can easily add things like
> squid caching and filtering, snort etc. but these will ramp up the CPU
> requirements beyond what a small appliance could support.

As indicated initially, I intend to shift the load off the firewall to a
separate device, which then may do a lot more to the traffic than the
firewall. But I don't see why I shouldn't try to use the same kind of
hardware platform for both.
However it may be, I will first set this up with the hardware I already
have and then see what I find and where to optimise best before going to
series. I also must improve significantly on my config management before
I can actually do that, just as others do when I look at other threads.

> > My reason for the post was considering more another 'quiet' and
> > 'lowpower' project I have, so that's probably a completely different
> > pair of shoes. I'll try without first and then see what comes out of
> > it.
>
> Commodity servers certainly don't fulfil the "quiet" requirement. Most
> of them have enough fannage to build a fairly respectable hovercraft.

Nope, they don't. I used to dry my hair behind the cabinets. And I used
to have a lot of that :)

Thanks again for your responses, and

All the best regards,
Peter.
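The relayd(8) crypto-offload arrangement Matthew describes above (TLS terminated on a PF firewall, plaintext to several web servers behind it), as an added example that is not part of the original thread and is not code from either correspondent. It uses the current OpenBSD relayd.conf keyword `tls`; releases current in 2010 spelled the same options `ssl`. The public address 203.0.113.10, the back-end segment 10.0.0.0/24, the interface names, the table name and the back-end port are assumptions for illustration.

```conf
# /etc/relayd.conf (assumed addresses; see lead-in)
# 203.0.113.10 is the public VIP on which TLS is terminated.
# 10.0.0.0/24 is a dedicated back-end segment: it carries the
# decrypted hop, so nothing but the firewall and the web servers
# should be attached to it.
ext_addr="203.0.113.10"
table <webhosts> { 10.0.0.11, 10.0.0.12 }

http protocol "https" {
        # The back-ends only ever see relayd as the peer; pass the
        # real client address along. "set" overwrites any value a
        # client supplied, so these headers cannot be spoofed.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        tcp { nodelay, sack, backlog 128 }
        # No legacy protocol versions, no anonymous cipher suites.
        tls { no tlsv1.0, no tlsv1.1, ciphers "HIGH:!aNULL" }
}

relay "https" {
        # Key and certificate are looked up under /etc/ssl/private and
        # /etc/ssl by listen address (the exact file naming rules are
        # in relayd.conf(5) for your release, or name a pair with
        # "keypair" inside the tls block).
        listen on $ext_addr port 443 tls
        protocol "https"
        # Plaintext HTTP to the pool: all public-key and bulk crypto
        # for every host in <webhosts> happens in this one box, which
        # is where a single accelerator card pays off.
        forward to <webhosts> port 80 check http "/" code 200
}

# /etc/pf.conf (relevant lines only)
ext_if="em0"
int_if="em1"            # back-end segment 10.0.0.0/24
anchor "relayd/*"
block in on $ext_if
pass in on $ext_if proto tcp to 203.0.113.10 port 443
# Only the firewall itself talks to the pool, and only on port 80
# (this also covers relayd's health checks).
pass out on $int_if proto tcp from ($int_if) to 10.0.0.0/24 port 80
```

Check the configuration with `relayd -n` before starting it, and `relayctl show hosts` shows whether the health checks mark both back-ends up. Two caveats a reviewer would raise: the hop from relayd to the web servers is cleartext, so the back-end segment must really be isolated (re-encrypting with `forward with tls` is possible but gives back the bulk-crypto saving on that leg), and whether a crypto card is actually driven by relayd depends on the TLS library it links against being able to use the kernel's crypto driver, so measure handshake and throughput with and without the card before buying several.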