You're right - it'll cost you a lot of CPU resources. But remember, that there's a special device for special purpose - encryption is one of the oldest tasksk in IT world. And there's a lots of hardware encryption cards, some NIC's even have an encryption chip on 'em... Use proper devices for your purposes - or you'll be opening a bottle of beer using a digging machine.. Yes, that's physically possible( especially if you've previously opened and emptied some of beer bottles ;) )... But the problem you arised is more deep than just an encrypted traffic analysis... There are so many cases almost everywhere in IT world, when you're using a wrong or too simple device. And there a couple of reasons - price, administrator's or programmer's lack of skills, ... and more and more, BUT ONE root of the problem - practical experience. In my practice I'm meetin' very often such sort of people - in all the variety of IT jobs - that have alot of theory, but piece of praktice. That is the reason, why there's so many such situations. Nobody tought me all the IT skills I have - I've left my univercity and choose a self-education. It's much more harder, but it's mach more better : you don't need to recall any piece of knowledge you have - it's built-in in you during your learning process and it's always located at your fingertips... In youq special case my advice to you : use hardware encryption accelerators. Some time ago( about a year ) I has similar task ( SnortGuard watches over HTTPS boxe1s ) - and QuickLogic PCI accelerator board has helped me alot. Yes' there wasn't a driver for FreeBSD, but it wasn't impossible to write one by a hand( and get another good piece of practice ). Try it - it works perfectly.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/336/32142#32142