Firewall Wizards mailing list archives
Re: lack of security proxies?
From: Bennett Todd <bet () rahul net>
Date: Thu, 23 Mar 2000 12:05:53 -0500
2000-03-23-04:55:52 John White:
Now, I planned on using specific machines on the LAN side of the firewall to proxy http, https, dns, and smtp traffic. I'm wondering how important it is to actively filter mail for malicious programs and http traffic for malicious java/activex.
A very interesting question, which can only be settled with a detailed examination of your organization's needs --- what resources must be protected, against what threats, at what cost of failure. Armed with that info you should be able to compose a policy that can be defended. If you decide to do content filtering, you can eliminate some threats. But you can only do this if armed with suitable resources, and those resources include a willingness to defy users' wishes. There are some web sites that cannot be used without Java or Javascript, just as a trivial for-instance. So you either get to tell your users they just can't get at those sites, or you need to provide them a way to dodge the content filtering. As far as I know, if you really want to do content filtering for web browsers, you have to disable https (SSL) altogether. The SSL protocol is specifically designed to prohibit a "man in the middle" from examining or modifying the traffic in either direction. The easiest way to allow a firewall to scrutinize the traffic while letting users visit secure websites would be to modify the web-browsing client programs, so they communicate with the proxy unencrypted, and the proxy communicates with the secure website encrypted. Alternatively, in principle you could create your own Certificate Authority, install its key in all your browsers, then have a man-in-the-middle proxy that is constantly generating and signing certs for itself for each distinct site it proxies to. That could work with unmodified browsers. I haven't heard of anyone actually doing it, though. What I've done in the past, for both of these problems, is to provide a "sandbox" machine in the DMZ; allow users to tunnel through the firewall to the sandbox (e.g. with ssh), remote displaying the browser that runs there back to the user's desktop.
Explain to them that special procedures will be needed if they wish to download anything using this special browser, since it can't get at their home directories, but they can use it for viewing java[script]-only sites, https secure websites, etc. One final note: content analysis, both scrutinizing email and attempting to sanitize html, is a heuristic, guesswork game. The best that can be achieved is an approximation. There will always be obscure ways for "forbidden" stuff to slide past the scanners, so they'll need active maintenance to continuously teach them new tricks. Depressingly similar to the virus-scanning game. -Bennett
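The "run your own CA, install it in every browser, and have the proxy sign a cert for each distinct site" design that Bennett sketches above, worked through as an added example (not code from the original post or from any product): an internal inspection CA is created once, and a per-host function mints a short-lived leaf certificate on first sight and reuses it afterwards, which is the cert-cache a real inspecting proxy needs. It assumes the openssl command-line tool is available and uses a scratch directory; the hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal "inspection CA + per-site leaf cert" workflow with the
# openssl CLI. Assumptions: openssl and mktemp are on PATH; all output goes to
# a scratch directory; hostnames passed in are constructed, not real sites.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
LEAF_DIR="$WORK/leaves"

# One-time setup: the internal CA. Its certificate is what gets installed in
# every browser that is expected to trust the inspecting proxy; its private
# key must never leave the proxy host.
make_ca() {
    mkdir -p "$CA_DIR" "$LEAF_DIR"
    [ -f "$CA_DIR/ca.crt" ] && return 0
    # Self-contained req config so the example does not depend on the
    # system openssl.cnf being present or sane.
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$CA_DIR/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
EOF
    openssl req -x509 -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        2>/dev/null
    chmod 600 "$CA_DIR/ca.key"
}

# Per-site step: mint (or reuse) a one-day leaf cert for one hostname and
# print its path. Reuse is keyed on the hostname, one cert per distinct site.
mint_leaf() {
    host="$1"
    crt="$LEAF_DIR/$host.crt"
    if [ -f "$crt" ]; then
        echo "$crt"; return 0            # cache hit: nothing to sign
    fi
    openssl req -new -config "$CA_DIR/leaf.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=$host" -keyout "$LEAF_DIR/$host.key" \
        -out "$LEAF_DIR/$host.csr" 2>/dev/null
    # Browsers match the hostname against subjectAltName, not the CN, and the
    # leaf must not itself be a CA.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$LEAF_DIR/$host.ext"
    openssl x509 -req -sha256 -days 1 -in "$LEAF_DIR/$host.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$LEAF_DIR/$host.ext" -out "$crt" 2>/dev/null
    echo "$crt"
}

# Sanity check a minted leaf: it must chain to our CA and carry the SAN.
leaf_ok() {
    host="$1"
    crt="$LEAF_DIR/$host.crt"
    openssl verify -CAfile "$CA_DIR/ca.crt" "$crt" >/dev/null 2>&1 &&
        openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$host"
}

make_ca
mint_leaf "secure.example.test" >/dev/null
```

The two things this does not do are exactly the parts that make such a proxy safe or unsafe in practice: the proxy's upstream connection must still validate the real site's certificate against the public CAs (otherwise the interception point becomes the one place where a forged site is accepted for every user), and the inspection CA's private key has to be guarded as tightly as any other key that can vouch for arbitrary hostnames.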
Current thread:
- lack of security proxies? John White (Mar 23)
- Re: lack of security proxies? Bennett Todd (Mar 28)