Firewall Wizards mailing list archives
Re: SSL
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 17 Oct 2001 15:49:36 +0200 (CEST)
Hi Gary!
Just a quick question on SSL. If I allow SSL outbound, and a user browses a web site that is corrupt with something harmful like NIMDA, is it possible that they will infect my network... and will the firewall not pass it along without checking?
From a theoretical point of view:
Most of the time SSL connections are used for server side authentication (am I really dealing with Mumbleco Inc.?) and encryption. It's what users think of as "secure web browsing". Honestly, we can forget about the authentication issues, because most users will click <accept> for any certificate they are presented :-/ That leaves us with encryption, which can easily be dealt with by a man-in-the-middle approach which would permit your firewall to read everything in the clear and, e.g., check for viruses or other malware. (Just as an aside, this is what IPSec's AH explicitly forbids - it enforces end-to-end security that can't be intercepted - unless someone knows the private keys involved.) Theoretically ...
If true, how can I combat this? Is there a product that will stop the packets and inspect them before being returned to the requester?
Unfortunately I'm not aware of any product that actually does this. All firewalls I know just use transparent TCP proxying or something similar for SSL. The traffic passes in encrypted form from server to browser without the firewall touching it.

Another side note - checking for malware on the enterprise Internet gateway doesn't free you from deploying proper measures like up-to-date antivirus software on each and every desktop machine ;-)

HTH,
Patrick M. Hausen
Technical Director

--
punkt.de GmbH         Internet - Services - Consulting
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
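The point Patrick makes about transparent TCP proxying (the firewall forwards the SSL session but never sees the content) can be shown directly. The Go program below is an added example and is not code from the thread or from any firewall product: it wires an in-memory browser, a pass-through "firewall" and a web server together with net.Pipe, has the server send a page containing a constructed marker string, and then checks whether a substring scan at the firewall could have matched it. The names Signature, serverName (mumbleco.example, after Patrick's "Mumbleco Inc."), relay, MatchesSignature and Simulate are all assumptions of this example, and the certificate is generated in memory so nothing leaves the machine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

const Signature = "CONSTRUCTED-MALWARE-SIGNATURE" // constructed marker, not a real malware signature
const serverName = "mumbleco.example"             // hypothetical host name for the in-memory certificate
// selfSignedCert builds a throwaway certificate and a trust pool that contains
// only that certificate, so the browser side can verify the server offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// relay is one direction of a transparent TCP proxy: bytes are copied from src
// to dst unchanged, and a copy is kept in out, which is all a gateway scanner would get.
func relay(dst, src net.Conn, out *bytes.Buffer, wg *sync.WaitGroup) {
	defer wg.Done()
	defer dst.Close()
	io.Copy(dst, io.TeeReader(src, out))
}

// MatchesSignature is the gateway's content check: a plain substring match.
func MatchesSignature(data []byte) bool {
	return bytes.Contains(data, []byte(Signature))
}

// Simulate runs browser -> firewall -> web server over in-memory pipes and returns
// the bytes the firewall relayed and the page the browser decrypted.
func Simulate() (wire, page []byte, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	browser, fwA := net.Pipe() // browser <-> firewall
	fwB, server := net.Pipe()  // firewall <-> web server
	deadline := time.Now().Add(10 * time.Second)
	for _, c := range []net.Conn{browser, fwA, fwB, server} {
		c.SetDeadline(deadline)
	}
	var toServer, toBrowser bytes.Buffer
	var wg sync.WaitGroup
	wg.Add(2)
	go relay(fwB, fwA, &toServer, &wg)
	go relay(fwA, fwB, &toBrowser, &wg)
	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(server, &tls.Config{Certificates: []tls.Certificate{cert}})
		defer srv.Close() // sends close_notify, which ends the browser's read
		body := "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>" + Signature + "</html>"
		_, werr := io.WriteString(srv, body) // first Write performs the TLS handshake
		serverErr <- werr
	}()

	cli := tls.Client(browser, &tls.Config{RootCAs: pool, ServerName: serverName})
	page, err = io.ReadAll(cli) // handshake, verify the certificate, read until close_notify
	cli.Close()
	if err != nil {
		return nil, nil, err
	}
	if err = <-serverErr; err != nil {
		return nil, nil, err
	}
	wg.Wait()
	wire = append(toServer.Bytes(), toBrowser.Bytes()...)
	return wire, page, nil
}
```

Simulate hands back both views of the same session: MatchesSignature on the relayed bytes comes back false, because everything after the handshake is ciphertext, while MatchesSignature on the page the browser decrypted comes back true. That is exactly the gap Patrick describes: a gateway that only forwards SSL has nothing to scan, so the desktop antivirus he mentions is where this content is actually seen in the clear.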
Current thread:
- SSL Crumrine, Gary L (Oct 17)
- Re: SSL Frederick M Avolio (Oct 18)
- Re: SSL R. DuFresne (Oct 18)
- Re: SSL teo (Oct 18)
- Re: SSL Patrick M. Hausen (Oct 18)
- RE: SSL Stefan Norberg (Oct 18)
(Thread continues...)