How do you protect against specific vectors if your site is pure SSL?

Currently our firewalls inspect packets looking for certain known attack vectors. If my application goes pure SSL, we'll lose that ability, correct?

Granted, we've lost that ability on our current SSL'd pages.


"It depends." You can set your firewall up so that the SSL termination happens on the firewall; the data stream can then be inspected there and passed on to the back-end server via a different SSL certificate or non-SSLed. Generally (meaning in my experience) this is only done for larger-scale installations with dedicated hardware firewalls like a Cisco PIX or an accelerator like an F5, but it is possible even for a Linux iptables-based firewall utilizing Squid as an inbound proxy.


Usually you put an SSL accelerator in front of the IPS/IDS firewalling, then the application servers. This not only allows you to continue inspecting/filtering, but also offloads the relatively heavy connection process of SSL from your application servers.
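Both answers describe the same layout: terminate TLS at the edge so that the segment between the terminator and the application servers carries plaintext HTTP that an IDS/IPS can inspect. The following Squid configuration, added here as an illustration and not taken from either answer, sets Squid up as the inbound "accelerator" the first answer mentions. The hostname, certificate paths and origin address are placeholders; the directive syntax is that of Squid 3.x.

```squid
# Added example: Squid as a TLS-terminating reverse proxy ("accel" mode).
# Squid holds the site certificate and decrypts incoming HTTPS; the request
# is then forwarded as plain HTTP to the origin server on an internal
# segment, where an IDS/IPS can see the full request and response.
# www.example.com, the key/cert paths and 10.0.0.10 are placeholders.

# Listen for HTTPS on the public side and terminate TLS here.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/ssl/www.example.com.crt \
    key=/etc/squid/ssl/www.example.com.key

# The origin (application) server, reached over plain HTTP so the
# traffic crossing the internal segment is inspectable.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin

# Only accept and forward requests for our own site.
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access origin allow our_site

# Refuse everything else so the box cannot be used as an open proxy.
http_access deny all
cache_peer_access origin deny all
```

If policy requires the hop to the back end to stay encrypted (the "different SSL certificate" case in the first answer), the origin can be declared on port 443 with the `ssl` flag on `cache_peer` in Squid 3.x (`tls` in Squid 4 and later); the IDS then has to sit on the Squid host itself or inspect Squid's access logs rather than the wire, because the re-encrypted segment is opaque again.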