Date: Fri, 28 May 2010 12:15:29 +0200
From: "Peter Cornelius" <pcc@gmx.net>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto?
Message-ID: <20100528101529.143490@gmx.net>
In-Reply-To: <4BFF833E.6060301@infracaninophile.co.uk>
References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk> <20100528082011.143490@gmx.net> <4BFF833E.6060301@infracaninophile.co.uk>
Hi Matthew,

> > And a hardware crypto device will level HTTPS to the HTTP volume
> > without it?
>
> Probably. The usual approach with HTTPS once traffic levels get big
> enough is crypto-offload. You use a separate device as the crypto
> endpoint: typically built into a load balancer. You can do this using a
> PF based firewall using relayd(8) for a lot less money, and in this case
> one crypto accelerator card in your firewall could support several
> webservers behind it.

That's pretty close to what I had in mind, though I considered a separate device in a DMZ for load balancing and mod_proxy/mod_security, as a minimum. However, HTTP(s) is only one of so many protocols.

> Heh. When I said 'pretty fancy kit' I meant something considerably more
> *shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity

Ok, you win that one :) We typically use one up from that as a minimum. Dunno if that regains me my face though...

> server is roughly performance compatible with a 5510 but considerably
> cheaper if you want all the trimmings like high-availability, unlimited
> numbers of servers, GB on all interfaces etc.

That is all true, but these arguments only work if you talk to security-literate people, not managers who prefer "something with a real seal on" and regular updates etc. Since the latter are the ones who authorise the cash, here we go. There are some who I can convince, but frequently it's just not worth the discussion. Imho, unfortunately, but I don't want to start an advocacy thread here.

> Note that ASA5510 level kit tends to do things like deep packet
> inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
> and screwing with SMTP so hard it breaks.] PF itself is purely based on
> dealing with packet headers: however you can easily add things like
> squid caching and filtering, snort etc. but these will ramp up the CPU
> requirements beyond what a small appliance could support.
As indicated initially, I intend to shift the load off the firewall to a separate device which then may do a lot more to the traffic than the firewall. But I don't see why I shouldn't try to use the same kind of hardware platform for both. However it may be, I first set this up with the hardware I already have and then see what I find and where to optimise best before going to series. I also must improve significantly on my config management before I actually can do that, just as others do when I look at other threads.

> > My reason for the post was considering more another 'quiet' and
> > 'lowpower' project I have, so that's probably a completely different
> > pair of shoes. I'll try without first and then see what comes out of
> > it.
>
> Commodity servers certainly don't fulfil the "quiet" requirement. Most
> of them have enough fannage to build a fairly respectable hovercraft.

Nope, they don't. I used to dry my hair behind the cabinets. And I used to have a lot of that :)

Thanks again for your responses, and

All the best regards,
Peter.

-- 
FREE for all GMX members: the maxdome Movie-FLAT! Activate now at http://portal.gmx.net/de/go/maxdome01
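As an added illustration of the relayd(8) crypto-offload setup Matthew describes above (this is not from the thread or from either poster): a minimal relayd.conf for a PF-based firewall that terminates TLS itself and forwards plain HTTP to several web servers behind it. Addresses, the backend hosts and the keypair name are placeholders, and the keywords follow current OpenBSD relayd.conf(5) (tls) rather than the 2010-era ssl spelling.

```conf
# Added example, not from the thread: relayd.conf on a PF-based firewall
# acting as the TLS endpoint and load balancer for web servers behind it.
# Every address and name below is a placeholder.

ext_addr = "203.0.113.10"               # public address the relay listens on

# Backend web servers in the DMZ; they only ever see plain HTTP from the relay.
table <web> { 192.0.2.11 192.0.2.12 192.0.2.13 }

http protocol "https_offload" {
    # The backends see the relay as the TCP source, so pass the real client on.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Proto" value "https"
    # Refuse legacy protocol versions and restrict the cipher set.
    tls { no tlsv1.0, no tlsv1.1, ciphers "HIGH" }
    # Certificate and key are read from /etc/ssl/www.example.com.crt and
    # /etc/ssl/private/www.example.com.key (placeholder keypair name).
    tls keypair "www.example.com"
}

relay "www_tls" {
    # Terminate TLS here: the firewall (and its accelerator card, if any)
    # carries the handshake and record crypto; the backends do not.
    listen on $ext_addr port 443 tls
    protocol "https_offload"
    # Distribute to backends that answer the health check with HTTP 200.
    forward to <web> port 80 check http "/" code 200
}
```

The backends then need to trust X-Forwarded-For only from the relay's address, since anything reachable directly on port 80 could set that header itself.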