Firewall Wizards mailing list archives
RE: SSL
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 17 Oct 2001 13:19:57 -0500
<snip>
Just a quick question on SSL. If I allow SSL outbound, and a user browses a web site that is corrupt with something harmful like NIMDA, is it possible that they will infect my network... and will the firewall not pass it along without checking? If true, how can I combat this? Is there a product that will stop the packets and inspect them before being returned to the requester?
<!snip>

Gary,

It all depends on what measures are in place and the injection vector used to contaminate your network. SSL, like most tunnels, protects from man-in-the-middle attacks. Whatever data is passed through the tunnel travels through it from one end to the other. Simply using SSL as a mechanism does not prevent infections from hostile web code. SSL prevents the vector of attack performed by sniffing the data.

In the instance of Nimda, one would have to look at the injection vector, the method of attack. Let's assume that it was a single vector, the malicious JavaScript code, and one is trying to protect the user (client side). This can be prevented by two popular mechanisms: 1) educating users to switch off JavaScript in a browser, or 2) firewall packet inspection. There are other methods, but assuming that you do not want the code to execute (rather than exploit a bug), these mechanisms would be used. There are politics to each mechanism, and there are better protection mechanisms using signatures that are available.

So to answer your question, you can do packet inspection (processing could be very high), you can do SSL, you can educate users. A good security policy would involve many methods, and the reason is simple: Nimda used multi-pronged attacks, infecting systems from servers to clients using different vectors. Using just one mechanism would not have prevented your system getting infected (of course, you could have been on a Unix platform, the only single mechanism that would have combated it).

Reading the archives in this mailing list you can have a sense of what the professionals are considering... If you want to do packet inspection on SSL, you may need to proxy the SSL data to be able to inspect it.

BTW - Does anyone have any pointers to be able to do SSL packet inspection on the data?

Cheers
r.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards