Security Basics mailing list archives
RE: Checkpoint smart defance as IPS
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Sun, 30 May 2010 07:10:33 +1000
Not at all. Your comment was: "An IPS that decrypts SSL does not exist." This is blatantly false. IDS, IPS, Wireshark even all have SSL decryption capabilities. There is no requirement for a separate proxy. Checkpoint has this capability. NO extra proxy. You seem to be missing that distinction. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: Trevor Alexander [mailto:trevor.alexander.email () gmail com] Sent: Sunday, 30 May 2010 4:28 AM To: <craig.wright () Information-Defense com> Cc: Laurens Vets; <mzcohen2682 () aim com>; <security-basics () securityfocus com> Subject: Re: Checkpoint smart defance as IPS You are saying the same thing me and anyone else who has posted on the topic is saying, you're just using different words. You should read the whole thread before you make comments. On May 28, 2010, at 10:46 PM, "Craig S. Wright" <craig.wright () Information-Defense com
wrote:
"An IPS that decrypts SSL does not exist." Of course it does. You decrypted e the key. This means that it is decrypted, scanned and re-encrypted. There are several products that can do this. This does have a large CPU hit and it also means that the key is stored on the IPS and hence lowers security (as well as adding a few privacy concerns). Checkpoint has been able to do the SSL re-key bit since version 3.x. So this is not even novel on CP. I first setup a reverse SSL proxy on Netscape proxy server back in the mid 90's. So this is not even new. Regards ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Trevor Alexander Sent: Saturday, 29 May 2010 4:14 AM To: Laurens Vets Cc: mzcohen2682 () aim com; security-basics () securityfocus com Subject: Re: Checkpoint smart defance as IPS An IPS that decrypts SSL does not exist. Research SSL and how it works and you will understand why. A simple solution to the problem (based on what I gathered from the snippets of conversation) is to place a proxy on the outside edge of the network; force all clients to use proxy. The proxy will recreate the SSL connection with a given webserver on the net for the client and any traffic that is passed back to a client will be decrypted by the proxy on its way back. On the inside edge of the proxy, place an IPS inline to inspect the decrypted traffic. On Thu, May 27, 2010 at 11:25 PM, Laurens Vets <laurens () daemon be> wrote:On 5/27/2010 11:47 PM, mzcohen2682 () aim com wrote:exactly. thats what I ment. thanksI don't think that even exists... :)-----Original Message----- From: Laurens Vets <laurens () daemon be> To: mzcohen2682 () aim com Cc: security-basics () securityfocus com Sent: Thu, May 27, 2010 6:41 pm Subject: Re: Checkpoint smart defance as IPSI think that the client needs to buy a real IPS which can also open the encrypted traffic.Not sure what you mean by this? An IPS which can decrypt encrypted traffic on the fly?--- --------------------------------------------------------------------- Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727 d1
--- ------------------------------------------------------------------------ --------------------------------------------------------------------- Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727 d1
--- ---------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Checkpoint smart defance as IPS, (continued)
- Re: Checkpoint smart defance as IPS John Bond (May 28)
- Message not available
- Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Message not available
- Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Re: Checkpoint smart defance as IPS Laurens Vets (May 28)
- Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Re: Checkpoint smart defance as IPS Laurens Vets (May 28)
- Re: Checkpoint smart defance as IPS Trevor Alexander (May 28)
- RE: Checkpoint smart defance as IPS Bretten, Andrew P (May 28)
- RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
- Re: Checkpoint smart defance as IPS Trevor Alexander (May 31)
- RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
- RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
- Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)