Snort Forums Archive
Snort + reverse proxy on same box = SSL decrypt ?
Posted by cube on June 16, 2005 16:47:34
Hi all - is this even possible - or, if someone has done something similar and could share their experience, that would be great. It's the old issue of monitoring encrypted SSL traffic. A possible solution my team has come up with is this: running snort and a reverse proxy on the same box. The rvs proxy would terminate the SSL inbound session, then (hopefully) using a loopback address or some other route on another interface to monitor the un-encrypted traffic with snort (without sending it on a wire) - then, using another interface to re-establish a new SSL session to the target web server.
Sounds complicated, but policy dictates end-end encryption and now inspection is also highly desired. Any other solutions are welcome - FYI, I am aware of the Breach solution. Thx in advance.
Posted by taosecurity on June 23, 2005 04:54:41
Hello,
It is certainly possible. If you build your reverse proxy/SSL termination box such that it sits inline between your Web clients and your Web servers, it will need two interfaces. One interface accepts SSL traffic on port 443 TCP and faces your Web clients. The second interface sends unencrypted traffic to port 80 TCP on your Web servers, where that interface is closest. You could run Snort on the SSL termination box and have it watch the interface closest to the Web servers.
A single interface solution should also be possible if you tell Snort to ignore port 443 TCP traffic to the single interface that both accepts SSL and transmits unencrypted HTTP.
In my forthcoming book Extrusion Detection I explain how to build a reverse proxy/SSL termination box using Squid, but I don't run Snort on it.
Sincerely,
Richard
www.taosecurity.com
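The layout Richard describes above (the proxy terminates TLS on the client-facing side, Snort watches the plaintext leg, or a single NIC with port 443 excluded), as an added shell example that is not from this thread nor from the Squid or Snort projects: it assumes Squid 3.x as the reverse proxy, and the interface names, addresses, certificate paths and hostname are constructed placeholders. It also adds the check a practitioner wants before trusting the alerts, namely that the interface Snort watches really carries no encrypted traffic.

```shell
#!/bin/sh
# Added example (not from the thread): lay out the SSL-termination + Snort
# design from the replies above, assuming Squid 3.x as the reverse proxy.
# All interface names, addresses, paths and the hostname are placeholders.
SNORT_CONF=/etc/snort/snort.conf

# Squid "accel" config: terminate TLS on the client-facing address and
# forward plaintext HTTP to the origin server on the backend-facing segment.
squid_accel_config() {   # $1 = client-facing IP, $2 = backend IP, $3 = site name
    cat <<EOF
https_port $1:443 accel defaultsite=$3 cert=/etc/squid/server.pem key=/etc/squid/server.key
cache_peer $2 parent 80 0 no-query originserver name=origin
cache_peer_access origin allow all
http_access allow all
EOF
}

# BPF filter Snort should run with. Two interfaces: watch the backend-facing
# NIC with no filter. One interface: exclude the encrypted 443 side so Snort
# only inspects the plaintext HTTP leg (the single-interface case above).
snort_bpf() {            # $1 = "two" | "single"
    case "$1" in
        two)    printf '%s' '' ;;
        single) printf '%s' 'not port 443' ;;
        *)      echo "usage: snort_bpf two|single" >&2; return 1 ;;
    esac
}

# Full Snort command line for the chosen layout and sniffing interface.
snort_cmd() {            # $1 = "two" | "single", $2 = interface
    bpf=$(snort_bpf "$1") || return 1
    printf 'snort -i %s -c %s -A fast -l /var/log/snort%s\n' "$2" "$SNORT_CONF" "${bpf:+ $bpf}"
}

# Sanity check before trusting alerts: the interface Snort watches must carry
# plaintext HTTP only. Any 443 packets here mean the proxy is not terminating.
check_plaintext_leg() {  # $1 = interface Snort watches
    if timeout 10 tcpdump -ni "$1" -c 1 'tcp port 443' >/dev/null 2>&1; then
        echo "encrypted traffic seen on $1: Snort will not decode it" >&2; return 1
    fi
    echo "only non-443 traffic on $1"
}

if [ "${DEPLOY:-}" = "two" ]; then   # DEPLOY=two ./thisscript.sh on the proxy box
    squid_accel_config 203.0.113.10 10.0.1.20 www.example.test > /etc/squid/squid.conf
    squid -k reconfigure && check_plaintext_leg eth1 && eval "$(snort_cmd two eth1)"
fi
```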
Posted by brevizniak on July 09, 2005 08:30:13
I actually use Apache as a reverse proxy for this exact purpose in a select few deployments. The preferred case is to use an SSL Accelerator and terminate the connections then using a crossover or dedicated segment into your web server to handle interactions in the clear. You can monitor this with a security device with little issue. There is an additional benefit of using the reverse proxy because you can now use it as an application firewall.
There are other options as well like PCI based SSL cards and off system decryption once you have access to the private keys. Sharing the private keys across multiple devices can be problematic depending on the type of crypto and audit requirements you are under though.