Re: Ipfilter with SSL?

Phil Dibowitz, 05-12-2006

Jorgen Lundman wrote:
>
> I am fairly certain it can not be done now, and would probably be a
> massive task, but I am curious as to any engineering solution there
> might be..
>
> A colleague whose Cisco SSL accelerators had not arrived in time
> brought this up. They need an (incoming) L4 loadbalancer, that retains
> the real remote IP (billing, country codes etc) and handles SSL on the
> external facing interface, and plain TCP/IP on internal.


This is just SSL-offloading. Standard feature in most load balancers
including netscaler and Foundry.

> IPfilter and l4ip would take care of the L4 loadbalancing no problem,
> and retain the external IPs. However, the SSL part is tricky. If you
> drop any one of the criteria, it's not a big problem as well.


I would suspect you could do this with SQUID.... the docs say it can do
HTTP acceleration and also say it can *terminate* an SSL connection.
The two together sound like SSL offloading... and if it doesn't do this,
it probably could be made to with much less hacking than making IPF do it.

Of course that only works for https -> http... for smtps/pops/imaps ->
smtp/pop/imap you'd need to do more hacking.

Can you give us a better idea of the flow of traffic though?

--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
- Dr. Seuss
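
The Squid-based SSL offloading suggested in the reply above, sketched as a reverse-proxy (accelerator) configuration. This is an added example, not part of the original post; the hostname, backend addresses and certificate paths are placeholders, and it assumes a Squid build with SSL support (option names vary between Squid versions).

```conf
# squid.conf fragment: terminate HTTPS on the external side,
# speak plain HTTP to the internal web servers.
# All names, addresses and paths below are placeholders.

# External listener: SSL terminated here, accelerator mode.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/site-cert.pem key=/etc/squid/site-key.pem

# Internal origin servers, plain HTTP, balanced round-robin.
cache_peer 10.0.0.11 parent 80 0 no-query originserver round-robin name=web1
cache_peer 10.0.0.12 parent 80 0 no-query originserver round-robin name=web2

# Only proxy requests for the published site; refuse everything else
# so the listener cannot be used as an open proxy.
acl published_site dstdomain www.example.com
http_access allow published_site
http_access deny all
cache_peer_access web1 allow published_site
cache_peer_access web1 deny all
cache_peer_access web2 allow published_site
cache_peer_access web2 deny all

# Pass the connecting client's address to the backends
# in the X-Forwarded-For request header.
forwarded_for on
```

With this layout the backends see Squid's address as the TCP source, not the remote client's; the real client address arrives only in the X-Forwarded-For header. Billing or country-code logic therefore has to read that header, and should trust it only on connections that come from the proxy.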


