Firewall Wizards mailing list archives
RE: SSL Vulnerabilities?
From: "Arjan Vos" <arjan_vos () ins com>
Date: Fri, 6 Aug 1999 08:48:28 +0100
Well, you plug a hole in your firewall and depend on the security of the Web server. I am not familiar with what SSL is being used for, but if anybody from the Internet is able to set up an SSL connection to your Web server, you are vulnerable to attacks aimed at that Web server. E.g., do you use ASP, CGI, server-side includes or other scripting tools on your Web server? Those things are hard to do securely.

OTOH, the last time I did some testing on the Gauntlet firewall, its SSL proxy was just added (I think it was version 3.something) and was still nothing more than a relay... So at that time you were vulnerable to the same attacks as well... However, I think that times have changed (a bit) since that time...

Gr. Arjan

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Kyle Starkey
Sent: Wednesday, 4 August 1999 20:05
To: firewall-wizards () nfr net
Subject: SSL Vulnerabilities?

I need someone to help me with a suggestion that was just made by my boss. It sounds OK to me, but after the whole "blocking ICMP" fiasco I started, I am looking for some suggestions.

I am currently managing a DMZ for customer support at my company. Our front-end firewall is an NT-based Gauntlet 5.0 with only the SSL port open to the Internet. Since we are using the built-in SSL/HTTP proxy, with the HTTP port blocked, the firewall intercepts the SSL packets, changes the source IP address to its own and forwards the packets to the Web server. The problem with this is that the Web server logs show the firewall as the only one accessing it. The Powers-that-Be would like to be able to see what pages are being accessed by what IP addresses.

Our thoughts were to simply disable the proxy and use packet filtering rules to manage the communications between the Internet and the Web server over the SSL port. Other than the fact that NT is a bad platform to sit your firewalls on, can anyone think of any reason why this might be a BAD idea?

Thanks for your help,

Kyle R. Starkey
Information Security Group
Altera Corporation