Firewall Wizards mailing list archives

RE: SSL Vulnerabilities?


From: "Arjan Vos" <arjan_vos () ins com>
Date: Fri, 6 Aug 1999 08:48:28 +0100

Well, you plug a hole in your firewall and depend on the security of the
Webserver. I am not familiar with what SSL is being used for, but if anybody
from the Internet is able to set up an SSL connection to your Web server,
you are vulnerable to attacks aimed at that Web server. E.g., do you use
ASP, CGI, server side includes or other scripting tools on your Web
server? Those things are hard to do securely.

OTOH, the last time I did some testing on the Gauntlet firewall, its SSL
proxy had just been added (I think it was version 3.something) and was still
nothing more than a relay... So at that time you were vulnerable to the
same attacks as well... However, I think that times have changed (a bit)
since then...

Gr. Arjan

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Kyle Starkey
Sent: Wednesday 4 August 1999 20:05
To: firewall-wizards () nfr net
Subject: SSL Vulnerabilities?


I need someone to help me with a suggestion that was just made by my boss.
It sounds OK to me, but after the whole "blocking ICMP" fiasco I started I
am looking for some suggestions. I am currently managing a DMZ for customer
support at my company. Our front end firewall is an NT based Gauntlet 5.0
with only the SSL port open to the internet. Since we are using the built
in SSL/Http-Proxy, with the HTTP port blocked, the firewall intercepts the
SSL packets, changes the source IP address to its own and forwards the
packets to the WebServer. The problem with this is that the webserver logs
show the firewall as the only one accessing it. The Powers-that-Be would
like to be able to see what pages are being accessed by what IP addresses.
Our thoughts were to simply disable the proxy and use packet filtering rules
to manage the communications between the internet and the Webserver over the
SSL port. Other than the fact that NT is a bad platform to sit your firewalls
on, can anyone think of any reason why this might be a BAD idea.

thanks for your help

Kyle R. Starkey
Information Security Group
Altera Corporation
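Kyle's logging problem (the web server sees only the firewall's address because the SSL proxy relays the connection) can also be approached without opening a packet-filter hole, by joining the proxy's own connection log with the web-server log on the proxy's outbound port. The Python below is an added illustration, not code from this thread or from Gauntlet; the log formats, the addresses, and the assumption that the web server is configured to log the peer port are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log (not any real product's format):
# <epoch> <client_ip>:<client_port> -> <proxy_ip>:<outbound_port>
PROXY_LOG = """\
933879600 203.0.113.7:51234 -> 192.0.2.1:40001
933879605 198.51.100.9:43210 -> 192.0.2.1:40002
933879700 203.0.113.8:51235 -> 192.0.2.1:40001
"""  # port 40001 is reused once the first session has closed
# Constructed web-server log: <peer_ip> <peer_port> <epoch> "<request>";
# assumes the server logs the peer port (e.g. Apache's %{remote}p).
WEB_LOG = """\
192.0.2.1 40001 933879602 "GET /support/index.html"
192.0.2.1 40002 933879606 "GET /support/faq.html"
192.0.2.1 40001 933879701 "GET /support/login.html"
192.0.2.1 40003 933879710 "GET /support/secret.html"
"""  # last line has no proxy session: it did not arrive through the relay
PROXY_RE = re.compile(r"^(\d+) (\S+):\d+ -> (\S+):(\d+)$")
WEB_RE = re.compile(r'^(\S+) (\d+) (\d+) "([^"]*)"$')

def parse_proxy_sessions(text):
    """Map (proxy_ip, outbound_port) -> [(start_epoch, client_ip)] in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client_ip, proxy_ip, proxy_port = m.groups()
            sessions[(proxy_ip, int(proxy_port))].append((int(ts), client_ip))
    for starts in sessions.values():
        starts.sort()
    return sessions

def attribute_requests(proxy_text, web_text):
    """Return [(client_ip or 'UNATTRIBUTED', request)] for each web-log line."""
    sessions = parse_proxy_sessions(proxy_text)
    result = []
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        proxy_ip, port, ts, request = m[1], int(m[2]), int(m[3]), m[4]
        client = "UNATTRIBUTED"
        # The latest relay session on this outbound port that started at or
        # before the request is the one carrying it (ports are reused over time).
        for start, client_ip in sessions.get((proxy_ip, port), []):
            if start > ts:
                break
            client = client_ip
        result.append((client, request))
    return result
```

Any request the join cannot attribute reached the web server without passing through the relay, which with the HTTP port blocked is worth alerting on.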
