RE: Checkpoint smart defance as IPS

["Craig S. Wright" <craig.wright () Information-Defense com>]

Not at all. Your comment was:
"An IPS that decrypts SSL does not exist."

This is blatantly false. IDS, IPS, Wireshark even all have SSL decryption
capabilities. There is no requirement for a separate proxy. 

Checkpoint has this capability. NO extra proxy. You seem to be missing that
distinction.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd



-----Original Message-----
From: Trevor Alexander [mailto:trevor.alexander.email () gmail com] 
Sent: Sunday, 30 May 2010 4:28 AM
To: <craig.wright () Information-Defense com>
Cc: Laurens Vets; <mzcohen2682 () aim com>; <security-basics () securityfocus com>
Subject: Re: Checkpoint smart defance as IPS

You are saying the same thing me and anyone else who has posted on the  
topic is saying, you're just using different words. You should read  
the whole thread before you make comments.




On May 28, 2010, at 10:46 PM, "Craig S. Wright"
<craig.wright () Information-Defense com 
> wrote:

> "An IPS that decrypts SSL does not exist."
> Of course it does. You decrypted e the key. This means that it is  
> decrypted, scanned and re-encrypted. There are several products that  
> can do this.
>
> This does have a large CPU hit and it also means that the key is  
> stored on the IPS and hence lowers security (as well as adding a few  
> privacy concerns). Checkpoint has been able to do the SSL re-key bit  
> since version 3.x. So this is not even novel on CP.
>
> I first setup a reverse SSL proxy on Netscape proxy server back in  
> the mid 90's. So this is not even new.
>
> Regards
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
>
>
> -----Original Message-----
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com] On Behalf Of Trevor Alexander
> Sent: Saturday, 29 May 2010 4:14 AM
> To: Laurens Vets
> Cc: mzcohen2682 () aim com; security-basics () securityfocus com
> Subject: Re: Checkpoint smart defance as IPS
>
> An IPS that decrypts SSL does not exist. Research SSL and how it works
> and you will understand why.
>
> A simple solution to the problem (based on what I gathered from the
> snippets of conversation) is to place a proxy on the outside edge of
> the network; force all clients to use proxy. The proxy will recreate
> the SSL connection with a given webserver on the net for the client
> and any traffic that is passed back to a client will be decrypted by
> the proxy on its way back. On the inside edge of the proxy, place an
> IPS inline to inspect the decrypted traffic.
>
>
>
> On Thu, May 27, 2010 at 11:25 PM, Laurens Vets <laurens () daemon be>  
> wrote:
> > On 5/27/2010 11:47 PM, mzcohen2682 () aim com wrote:
> > > exactly. thats what I ment.
> > >
> > > thanks
> >
> > I don't think that even exists... :)
> >
> > > -----Original Message-----
> > > From: Laurens Vets <laurens () daemon be>
> > > To: mzcohen2682 () aim com
> > > Cc: security-basics () securityfocus com
> > > Sent: Thu, May 27, 2010 6:41 pm
> > > Subject: Re: Checkpoint smart defance as IPS
> > >
> > >
> > > > I think that the client needs to buy a real IPS which can also
> > > > open the encrypted traffic.
> > >
> > > Not sure what you mean by this? An IPS which can decrypt encrypted
> > > traffic on the fly?
> >
> > --- 
> > ---------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs  
> > an SSL
> > certificate.  We look at how SSL works, how it benefits your  
> > company and how
> > your customers can tell if a site is secure. You will find out how  
> > to test,
> > purchase, install and use a thawte Digital Certificate on your  
> > Apache web
> > server. Throughout, best practices for set-up are highlighted to  
> > help you
> > ensure efficient ongoing management of your encryption keys and  
> > digital
> > certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
> > --- 
> > ---------------------------------------------------------------------
>
> --- 
> ---------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs  
> an SSL certificate.  We look at how SSL works, how it benefits your  
> company and how your customers can tell if a site is secure. You  
> will find out how to test, purchase, install and use a thawte  
> Digital Certificate on your Apache web server. Throughout, best  
> practices for set-up are highlighted to help you ensure efficient  
> ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
> --- 
> ---------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------