Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Harrell, Matthew" <mhar () plex com>
Date: Tue, 27 Apr 2010 11:09:21 -0400
That is exactly what they do, at least the ones I'm familiar with. The firewall is acting as the server (it's a proxy, anyway): The CSR is generated there, and the cert is installed there. This then allows the firewall to scan the data in the packets as well as header information for RFC compliance, etc. Some firewalls even allow for the re-encryption of the HTTPS traffic back to the web server. We don't need that functionality, and simply send the packets on to the servers as plain text HTTP. If we need to know whether the traffic arrived at the firewall encrypted, then I configure the firewall to use a different port for the traffic to the back end web server.

--------------------
Matthew Harrell
Plex Systems
(248) 391-8000
mhar () plex com

________________________________________
From: firewall-wizards-bounces () listserv icsalabs com [firewall-wizards-bounces () listserv icsalabs com] On Behalf Of John Morrison [john.morrison101 () googlemail com]
Sent: Tuesday, April 27, 2010 5:45 AM
To: Firewall Wizards Security Mailing List
Cc: mjr () ranum com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

My understanding of https (and other PKI-based encryption) is that only the holder of the private key can decrypt the data encrypted with the other (public) key in the pair. My view is that the firewall can only decrypt and inspect https traffic if it is acting as the server to the external client. It can't intercept and decrypt https traffic destined for another device - the real server. If it did https would be worthless. Any hacker could buy such a firewall to sniff and decrypt all https traffic.

On 23 April 2010 20:18, <david () lang hm> wrote:

> On Fri, 23 Apr 2010, Martin Barry wrote:
>
>> Marcus J. Ranum wrote:
>>> That's why firewalls need to go back to doing what they originally did, and parsing/analyzing the traffic that flows through them, rather than "stateful packet inspection" (which, as far as I can tell, means that there's a state-table entry saying "I saw SYN!")
>>
>> Marcus, are you referring to DPI or proxies or both or something else entirely?
>>
>>> If the firewall doesn't understand the data it's passing, it's not a firewall, it's a hub.
>>
>> If an application emulates HTTPS traffic and is proxy aware, how do you tell the difference?
>
> There are firewalls on the market that can decrypt HTTPS traffic (and I believe be configured to block any traffic that they can't decrypt)
>
> David Lang
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
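An added example in Python, not code from the thread or from any firewall vendor, modelling the setup Matthew describes: the proxy holds the certificate and key and decrypts the client's connection, then forwards plain HTTP to the back end on a port that records whether the client side was encrypted. The port numbers, the X-Forwarded-* header names and the loopback addresses are assumptions for illustration. The TLS termination step itself (wrapping the https listener with ssl.SSLContext.wrap_socket) is left out so the block runs without a certificate; everything after the handshake is shown.

```python
"""The cleartext hop behind a TLS-terminating proxy (added example).

Assumptions for illustration, not anyone's product configuration:
the two backend port numbers, the X-Forwarded-* header names and the
loopback addresses. Real TLS termination is omitted: the proxy's
"https" listener would be wrapped with ssl.SSLContext.wrap_socket using
the certificate issued for the CSR generated on the firewall.
"""
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

# Assumed layout: one plain-HTTP backend port per proxy listener. Both
# carry cleartext; only the port number records whether the client
# connection to the proxy was encrypted.
BACKEND = {"http": 18080, "https": 18443}

# Client-supplied copies of these are discarded before the proxy adds its own.
FORWARDED = (b"x-forwarded-proto:", b"x-forwarded-for:")


def rewrite_request(raw: bytes, scheme: str, client_ip: str) -> bytes:
    """Prepare a decrypted client request for the cleartext hop.

    scheme is the proxy listener the request arrived on ("http" or "https").
    Any X-Forwarded-* headers the client sent are stripped, so a client
    cannot claim to the backend that it arrived over TLS.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    kept = [h for h in headers if not h.lower().startswith(FORWARDED)]
    kept.append(b"X-Forwarded-Proto: " + scheme.encode())
    kept.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join([request_line, *kept]) + b"\r\n\r\n" + body


def forward(raw: bytes, scheme: str, client_ip: str, host: str = "127.0.0.1") -> bytes:
    """Send the rewritten request as plain HTTP to the backend port for scheme."""
    with socket.create_connection((host, BACKEND[scheme]), timeout=5) as conn:
        conn.sendall(rewrite_request(raw, scheme, client_ip))
        chunks = []
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


class Backend(BaseHTTPRequestHandler):
    """Web server behind the proxy.

    It decides "did this arrive encrypted?" from the local port it was
    reached on, which is what the different-backend-port setup relies
    on; the forwarded header is echoed only for visibility.
    """

    def do_GET(self):
        encrypted = self.server.server_port == BACKEND["https"]
        proto = self.headers.get("X-Forwarded-Proto", "-")
        body = (b"encrypted " if encrypted else b"plain ") + proto.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_backends() -> list:
    """Bind a Backend on each port in BACKEND and serve it in a daemon thread."""
    servers = [HTTPServer(("127.0.0.1", port), Backend) for port in BACKEND.values()]
    for server in servers:
        Thread(target=server.serve_forever, daemon=True).start()
    return servers


def response_body(resp: bytes) -> bytes:
    """Split an HTTP response and return just its body."""
    return resp.partition(b"\r\n\r\n")[2]


if __name__ == "__main__":
    servers = start_backends()
    request = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
    for scheme in ("http", "https"):
        print(scheme, "->", response_body(forward(request, scheme, "203.0.113.7")))
    for server in servers:
        server.shutdown()
```

The backend's "was it encrypted" decision rests on the port, not on a header, and that is only trustworthy if the https-side backend port is reachable from the proxy alone (a filtering rule on the path between them); the proxy also drops any X-Forwarded-* headers the client supplied before adding its own, so the header cannot be used to fake an encrypted origin.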