Date:      Fri, 28 May 2010 12:15:29 +0200
From:      "Peter Cornelius" <pcc@gmx.net>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject:   Re: 'Serious' crypto?
Message-ID:  <20100528101529.143490@gmx.net>
In-Reply-To: <4BFF833E.6060301@infracaninophile.co.uk>
References:  <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFE99EB.50208@infracaninophile.co.uk>	<20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk> <20100528082011.143490@gmx.net> <4BFF833E.6060301@infracaninophile.co.uk>

Hi Matthew,

> > And a hardware crypto device will level HTTPS to the HTTP volume
> > without it?
> 
> Probably.  The usual approach with HTTPS once traffic levels get big
> enough is crypto-offload.  You use a separate device as the crypto
> endpoint: typically built into a load balancer.  You can do this using a
> PF based firewall using relayd(8) for a lot less money, and in this case
>  one crypto accelerator card in your firewall could support several
> webservers behind it.

That's pretty close to what I had in mind though I considered a separate device in a DMZ for load balancing and mod_proxy/mod_security, as a minimum. However, HTTP(s) is only one of so many protocols.

> Heh.  When I said 'pretty fancy kit' I meant something considerably more
> *shiny* than a Cisco ASA5510.  In fact, running OpenBSD on a commodity

Ok, you win that one :) We typically use one up from that as a minimum. Dunno if that regains me my face though...

> server is roughly performance compatible with a 5510 but considerably
> cheaper if you want all the trimmings like high-availability, unlimited
> numbers of servers, GB on all interfaces etc.

That is all true, but these arguments only work if you talk to security-literate people, not managers who prefer "something with a real seal on" and regular updates etc. Since the latter are the ones who authorise the cash, here we go. There are some who I can convince, but frequently it's just not worth the discussion. Imho, unfortunately, but I don't want to start an advocacy thread here.

> Note that ASA5510 level kit tends to do things like deep packet
> inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
> and screwing with SMTP so hard it breaks.]  PF itself is purely based on
> dealing with packet headers: however you can easily add things like
> squid caching and filtering, snort etc. but these will ramp up the CPU
> requirements beyond what a small appliance could support.

As indicated initially, I intend to shift the load off the firewall to a separate device which then may do a lot more to the traffic than the firewall. But I don't see why I shouldn't try to use the same kind of hardware platform for both.

However it may be, I'll first set this up with the hardware I already have and then see what I find and where to optimise best before going to series. I also must improve significantly on my config management before I can actually do that, just as others do when I look at other threads.

> > My reason for the post was considering more another 'quiet' and
> > 'lowpower' project I have, so that's probably a completely different
> > pair of shoes. I'll try without first and then see what comes out of
> > it.
> 
> Commodity servers certainly don't fulfil the "quiet" requirement.  Most
> of them have enough fannage to build a fairly respectable hovercraft.

Nope, they don't. I used to dry my hair behind the cabinets. And I used to have a lot of that :)

Thanks again for your responses, and

All the best regards,

Peter.

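The crypto-offload setup Matthew describes above (relayd(8) on a PF firewall as the TLS endpoint in front of several plain-HTTP webservers), written out as an added example relayd.conf that is not part of this thread. It uses current relayd syntax (the `tls` keyword rather than the older `ssl`), assumes relayd finds the certificate and key under its default paths for the listen address, and all addresses are constructed placeholders; the firewall still needs a PF `pass` rule for TCP port 443 to the listen address.

```conf
# Added example: relayd.conf for TLS termination in front of a web farm.
# Placeholder addresses (constructed for this example, not from the thread).
ext_ip = "203.0.113.10"

# Backend webservers speak plain HTTP; relayd terminates TLS for all of them,
# so one accelerator card in the firewall serves the whole farm.
table <webfarm> { 10.0.0.11 10.0.0.12 10.0.0.13 }

http protocol "https-offload" {
	# Preserve the real client address and record that the client hop was
	# encrypted, so backends can log and enforce HTTPS-only behaviour.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# Tell browsers to keep using HTTPS for this host.
	match response header set "Strict-Transport-Security" value "max-age=31536000"

	# Disable legacy protocol versions and weak cipher suites at the endpoint.
	tls { no tlsv1.0, no tlsv1.1, ciphers "HIGH:!aNULL:!MD5" }
}

relay "https-frontend" {
	# Certificate/key are loaded from relayd's default locations for $ext_ip
	# (/etc/ssl/<ip>.crt and /etc/ssl/private/<ip>.key).
	listen on $ext_ip port 443 tls
	protocol "https-offload"

	# Plain HTTP to the backends; unhealthy hosts are dropped from rotation.
	forward to <webfarm> port 80 check http "/" code 200
}
```

Validate with `relayd -n` before loading, and check the active table with `relayctl show hosts` to confirm the health checks pass.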