Firewall Wizards mailing list archives

Re: lack of security proxies?


From: Bennett Todd <bet () rahul net>
Date: Thu, 23 Mar 2000 12:05:53 -0500

2000-03-23-04:55:52 John White:
Now, I planned on using specific machines on the LAN side of the 
firewall to proxy http, https, dns, and smtp traffic.  I'm wondering
how important it is to actively filter mail for malicious programs
and http traffic for malicious java/activex.

A very interesting question, which can only be settled with a
detailed examination of your organization's needs --- what resources
must be protected, against what threats, at what cost of failure.
Armed with that info you should be able to compose a policy that can
be defended.

If you decide to do content filtering, you can eliminate some
threats. But you can only do this if armed with suitable resources,
and those resources include a willingness to defy users' wishes.
There are some web sites that cannot be used without Java or
Javascript, just as a trivial for-instance. So you either get to
tell your users they just can't get at those sites, or you need to
provide them a way to dodge the content filtering.

As far as I know, if you really want to do content filtering for
web browsers, you have to disable https (SSL) altogether. The
SSL protocol is specifically designed to prohibit a "man in
the middle" from examining or modifying the traffic in either
direction. The easiest way to allow a firewall to scrutinize the
traffic while letting users visit secure websites would be to modify
the web-browsing client programs, so they communicate with the proxy
unencrypted, and the proxy communicates with the secure website
encrypted.

Alternatively, in principle you could create your own Certificate
Authority, install its key in all your browsers, then have a
man-in-the-middle proxy that is constantly generating and signing
certs for itself for each distinct site it proxies to. That could
work with unmodified browsers. I haven't heard of anyone actually
doing it, though.

What I've done in the past, for both of these problems, is to
provide a "sandbox" machine in the DMZ; allow users to tunnel
through the firewall to the sandbox (e.g. with ssh), remote
displaying the browser that runs there back to the user's desktop.
Explain to them that special procedures will be needed if they wish
to download anything using this special browser, since it can't
get at their home directories, but they can use it for viewing
java[script]-only sites, https secure websites, etc.

One final note: content analysis, both scrutinizing email and
attempting to sanitize html, is a heuristic, guesswork game. The
best that can be achieved is an approximation. There will always be
obscure ways for "forbidden" stuff to slide past the scanners, so
they'll need active maintenance to continuously teach them new
tricks. Depressingly similar to the virus-scanning game.

-Bennett
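John's question about filtering mail for malicious programs, and the closing note that such scrutiny is heuristic, come down to one mechanical check a mail gateway can make: compare what an attachment declares about itself with what its bytes actually are. The Go program below is an added example, not code from the post or from any product. Using only the standard library, it parses a constructed MIME message (embedded inline) and flags attachments whose leading bytes identify a blocked type or disagree with the declared Content-Type. The signature table and the blocked-type policy are constructed and deliberately tiny; anything they do not list falls through as "unknown", which is precisely the gap Bennett describes.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Finding describes one attachment the policy would stop.
type Finding struct {
	FileName     string
	DeclaredType string // Content-Type the sender declared for the part
	DetectedType string // type inferred from the part's leading bytes
}

// SampleMessage is a constructed test message: one plain-text body part and
// one attachment whose name and Content-Type claim "text", but whose decoded
// bytes begin with the "MZ" header of a Windows executable. Only a few header
// bytes are included; it is not a program.
const SampleMessage = "From: alice@example.test\r\nTo: bob@example.test\r\n" +
	"Subject: quarterly notes\r\nMIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"b0undary\"\r\n\r\n" +
	"--b0undary\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n" +
	"Notes attached.\r\n" +
	"--b0undary\r\nContent-Type: text/plain; name=\"notes.txt\"\r\n" +
	"Content-Disposition: attachment; filename=\"notes.txt\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n\r\n" +
	"TVqQAAMAAAAEAAAA//8AALgAAAA=\r\n" +
	"--b0undary--\r\n"

// magic maps a few well-known leading byte sequences to a type. It is
// deliberately short: anything not listed comes back as "unknown".
var magic = []struct {
	prefix []byte
	typ    string
}{
	{[]byte("MZ"), "application/x-msdownload"},
	{[]byte("PK\x03\x04"), "application/zip"},
	{[]byte("%PDF"), "application/pdf"},
}

// blockedTypes is a constructed policy: content of these types is refused
// regardless of what the sender declared.
var blockedTypes = map[string]bool{"application/x-msdownload": true}

func sniffType(b []byte) string {
	for _, m := range magic {
		if bytes.HasPrefix(b, m.prefix) {
			return m.typ
		}
	}
	return "unknown"
}

// InspectMessage parses a raw RFC 822 message and returns one Finding per
// attachment whose content is blocked or disagrees with its declared type.
func InspectMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(mediaType, "multipart/") {
		return nil, nil // single-part message: no attachments to examine
	}
	var findings []Finding
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return findings, err
		}
		name := part.FileName() // Content-Disposition filename, else Content-Type name=
		if name == "" {
			continue // inline body text, not an attachment
		}
		body, err := io.ReadAll(part)
		if err != nil {
			return findings, err
		}
		// multipart undoes quoted-printable itself; base64 must be decoded by hand.
		if strings.EqualFold(part.Header.Get("Content-Transfer-Encoding"), "base64") {
			compact := strings.Join(strings.Fields(string(body)), "")
			if body, err = base64.StdEncoding.DecodeString(compact); err != nil {
				return findings, err
			}
		}
		declared, _, _ := mime.ParseMediaType(part.Header.Get("Content-Type"))
		detected := sniffType(body)
		if blockedTypes[detected] || (detected != "unknown" && detected != declared) {
			findings = append(findings, Finding{FileName: name, DeclaredType: declared, DetectedType: detected})
		}
	}
	return findings, nil
}

func main() {
	findings, err := InspectMessage(SampleMessage)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: declared %s, content looks like %s\n", f.FileName, f.DeclaredType, f.DetectedType)
	}
}
```

The decision rests on the decoded bytes, never on the filename or the declared type, because those are the only fields the sender does not control once the message is in hand. A production gateway would swap the three-entry table for a full file-type identifier and would also unpack archives, but the shape of the check, and its inability to say anything about bytes it has no signature for, stays the same.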

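The private-CA arrangement Bennett sketches turns on one fact: a browser accepts the proxy's per-site certificate only if the organization's CA is in that browser's trust store. The Go program below is an added example (not from the post, and not any product's code) that shows this with the standard-library x509 package: it builds an in-memory CA, issues a short-lived leaf certificate for a constructed hostname, and checks that a client without the CA rejects it as an unknown authority while a client carrying the CA accepts it. The CA name, the hostname and the lifetimes are constructed values. For a defender the same code explains two things: why that CA private key has to be guarded like a root secret (whoever holds it can speak for any site to the managed browsers), and why a stock, unmanaged browser will alarm on every such connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InspectionCA is a constructed, in-memory stand-in for the "create your own
// Certificate Authority" step in the post. Nothing is written to disk.
type InspectionCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewInspectionCA generates a self-signed CA certificate and its private key.
func NewInspectionCA() (*InspectionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Inspection CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InspectionCA{Cert: cert, Key: key}, nil
}

// IssueForHost mints the per-site leaf certificate the proxy would present to
// the browser in place of the real site's certificate. The leaf's own key is
// generated here and discarded; only the certificate matters for the trust test.
func (ca *InspectionCA) IssueForHost(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserAccepts models the client's decision: does this leaf chain to a root
// in `trusted` and name `host`? A nil error means the browser shows no warning.
func BrowserAccepts(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether verification failed specifically because
// the issuing CA is absent from the trust store, the signal a browser surfaces.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ca, err := NewInspectionCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueForHost("secure.example.test")
	if err != nil {
		panic(err)
	}
	stock := x509.NewCertPool() // a browser that carries only its own bundled roots (none here)
	managed := x509.NewCertPool() // a managed browser with the inspection CA pushed into it
	managed.AddCert(ca.Cert)
	fmt.Println("stock browser:  ", BrowserAccepts(leaf, stock, "secure.example.test"))
	fmt.Println("managed browser:", BrowserAccepts(leaf, managed, "secure.example.test"))
}
```

An empty, non-nil CertPool is used for the stock browser so that Go does not fall back to the operating system's roots; with a real bundle the result is the same, since no public CA ever issued the leaf. The hostname check in BrowserAccepts is kept on purpose: the proxy has to mint a certificate naming each site it fronts, which is the "constantly generating and signing certs" part of the post.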