Firewall Wizards mailing list archives

Re: SSL


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 17 Oct 2001 15:49:36 +0200 (CEST)

Hi Gary!

      Just a quick question on SSL.  If I allow SSL outbound, and a user
browses a web site that is corrupt with something harmful like NIMDA, is it
possible that they will infect my network... and will the firewall not pass
it along without checking?

From a theoretical point of view:

Most of the time SSL connections are used for server side authentication
(am I really dealing with Mumbleco Inc.?) and encryption. It's what
users think of as "secure web browsing". Honestly, we can forget about
the authentication issues, because most users will click <accept>
for any certificate they are presented :-/
That leaves us with encryption, which can easily be dealt with by
a man-in-the-middle approach which would permit your firewall to read
everything in the clear and, e.g., check for viruses or other malware.

(Just as an aside, this is what IPSec's AH explicitly forbids - it enforces
 end-to-end security that can't be intercepted - unless someone knows the
 private keys involved)

Theoretically ...

      If true, how can I combat this?  Is there a product that will stop
the packets and inspect them before being returned to the requester? 

Unfortunately I'm not aware of any product that actually does this.
All firewalls I know just use transparent TCP proxying or something similar
for SSL. The traffic passes in encrypted form from server to browser
without the firewall touching it.

Another side note - checking for malware on the enterprise Internet gateway
doesn't free you from deploying proper measures like up-to-date antivirus
software on each and every desktop machine ;-)

HTH,

Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
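As an added example (not code from the original post, the list or punkt.de), the certificate-acceptance point made above in runnable form: a Go program that performs one TLS handshake in memory against a freshly generated self-signed certificate for the constructed name gateway.example, which chains to no trusted root, just like the certificate an impostor site or an intercepting gateway would present. A client that verifies the chain refuses it; a client configured to accept any certificate (the user who clicks <accept>) completes the handshake. The function name Connects, the host name and the empty trust store are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Connects runs one TLS handshake over an in-memory pipe against a self-signed
// certificate for the constructed name "gateway.example" (no trusted root).
// strict=true verifies the chain; strict=false is the user who clicks <accept>.
func Connects(strict bool) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"gateway.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	cli, srv := net.Pipe()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srvCfg.SessionTicketsDisabled = true // keeps the synchronous pipe from stalling on ticket writes
	go tls.Server(srv, srvCfg).Handshake() // server side runs concurrently
	c := tls.Client(cli, &tls.Config{
		ServerName:         "gateway.example",
		RootCAs:            x509.NewCertPool(), // empty trust store: no CA is trusted
		InsecureSkipVerify: !strict,
	})
	defer c.Close()
	return c.Handshake() == nil, nil
}

func main() {
	fmt.Println(Connects(true))  // false <nil>: unknown authority, handshake refused
	fmt.Println(Connects(false)) // true <nil>: certificate accepted blindly
}
```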