Educause Security Discussion mailing list archives
Re: paloalto firewall
From: Jeff Holden <JHolden () MTSAC EDU>
Date: Thu, 20 Dec 2007 12:00:35 -0800
As far as I know there is no passive way to do a successful man in the middle attack on SSL. The client will get a warning that the certificate isn't valid. You can make the certificate look convincing and most users will just accept it, but you still get the warning that the site is not trusted.

You have three things that must be true for an SSL certificate:

A. the certificate has been signed by a recognized certificate authority
B. the certificate is currently valid and has not expired
C. the common name on the certificate matches the DNS name of the server

You can achieve these 3 requirements with an active method where you install a certificate authority certificate on all your client machines that the proxy server will use, which satisfies A. You intercept the DNS request and return the IP of the proxy server to satisfy C, then the proxy server fetches the pages and sends them to the client encrypted with the self signed certificate, which satisfies B.

Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611

Alex <alex.everett () UNC EDU>
12/20/2007 10:48 AM
Please respond to The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] paloalto firewall

I thought I might add to the speculation :)

The key (I hope) issue is that the end-user (Client) will need to be presented with a valid SSL cert. The SSL Cert is tied to a host, typically a fully qualified domain name. Of course, for #2 you must be in the flow of traffic (active). It seems you could do this a few ways:

Passive or Active
1. Have the private keys for all sites using SSL
   a. Decrypt PKI messages to obtain symmetric keys
   b. Decrypt messages encrypted with the symmetric key.

Active
2. Have the man-in-the-middle present the end-user with a valid certificate
   a. Act as a proxy for SSL connections by establishing two separate SSL sessions.
   b. DNS points to man-in-the-middle as the web server (or just drop end-user's traffic and spoof responses)
   c. Present the end-user with a valid certificate (maybe a wildcard cert)
   d. Most servers don't require the client to have a cert, so act as a client to the web-server(s). Here you are creating sessions to the real web-server.
   e. Pass data back and forth between client and server.

Comments?
-Alex

-----Original Message-----
From: Mike Corcoran [mailto:mike.corcoran () WRIGHT EDU]
Sent: Thursday, December 20, 2007 1:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] paloalto firewall

David Morton wrote:
> Mike do you have more info on their capabilities?

I went to a presentation by PaloAlto in Cincinnati, OH on 10/3/07. The presenter was Nir Zuk (formerly of CheckPoint). He explained the SSL decryption using "man in the middle." Since we have not demo'd the box yet I don't have much information to share. I can only suggest the web site http://www.paloaltonetworks.com/ for more information.

Mike
--
Mike Corcoran, Systems Security Engineer
Wright State University, CaTS
Voice: 937-775-2431, Fax: 937-775-4049
http://www.cats.wright.edu/
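Added example (not part of the thread, and not any vendor's code): the active method Jeff's A/B/C requirements and Alex's option 2 describe, written against Go's standard crypto/x509 library. A proxy-owned CA signs a fresh server certificate for whatever hostname the client asked for, and a client-side check applies the three tests a browser performs (chains to a trusted root, valid at the time of the check, name matches the requested host). It goes slightly beyond the posts in one respect: because the proxy mints the certificate for the requested name, requirement C holds without redirecting DNS. The CA name, hostname, validity periods and the two trust stores are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptCA is the proxy-owned certificate authority from the thread: its
// certificate is what an administrator pushes to every managed client.
type InterceptCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed root. The name is a constructed placeholder.
func NewCA(name string) (*InterceptCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptCA{Cert: cert, Key: key}, nil
}

// MintLeaf is the per-connection step of the active method: the proxy issues a
// server certificate for exactly the hostname the client asked for, so the
// name check (C) passes without touching DNS.
func (ca *InterceptCA) MintLeaf(hostname string, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // modern clients match the SAN, not the CN
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts applies the three checks from the thread the way a browser
// does: A, the chain ends at a root in the client's trust store; B, the
// certificate is valid at the time of the check; C, the name matches the host
// the client asked for. A nil error means no warning would be shown.
func ClientAccepts(leaf *x509.Certificate, trust *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       trust,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewCA("Campus Interception CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := ca.MintLeaf("www.example.edu", 24*time.Hour) // constructed hostname
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool() // client with the proxy CA installed
	managed.AddCert(ca.Cert)
	unmanaged := x509.NewCertPool() // client whose trust store lacks the proxy CA
	now := time.Now()
	fmt.Println("managed client, right host:   ", ClientAccepts(leaf, managed, "www.example.edu", now))
	fmt.Println("unmanaged client (A fails):   ", ClientAccepts(leaf, unmanaged, "www.example.edu", now))
	fmt.Println("wrong host (C fails):         ", ClientAccepts(leaf, managed, "mail.example.edu", now))
	fmt.Println("two days later (B fails):     ", ClientAccepts(leaf, managed, "www.example.edu", now.Add(48*time.Hour)))
}
```

The first line prints `<nil>`; the other three print an x509 error, which is the warning Jeff describes. The unmanaged case is the one that matters operationally: any device that never received the proxy CA (guest laptops, phones, applications that pin certificates or carry their own trust store) sees every intercepted site as untrusted.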
Current thread:
- Re: paloalto firewall Mike Corcoran (Dec 20)
- <Possible follow-ups>
- Re: paloalto firewall Alex (Dec 20)
- Re: paloalto firewall Jeff Holden (Dec 20)
- Re: paloalto firewall Mark Boolootian (Dec 20)
- Re: paloalto firewall Valdis Kletnieks (Dec 20)
- Re: paloalto firewall Chris Edwards (Dec 21)
- Re: paloalto firewall Jeff Holden (Dec 21)
- Re: paloalto firewall Gene Spafford (Dec 21)