Firewall Wizards mailing list archives
Re: SSL
From: Frederick M Avolio <fred () avolio com>
Date: Wed, 17 Oct 2001 09:32:04 -0400
At 08:18 AM 10/16/01 -0400, Crumrine, Gary L wrote:
... If I allow SSL outbound, and a user browses a web site that is corrupt with something harmful like NIMDA, is it possible that they will infect my network...
Yes. The firewall cannot examine it because the data is encrypted. SSL "proxies" are just circuit gateways. I know of no firewall that has a true SSL proxy wherein the data is encrypted between the firewall and the client, and the firewall and the server, but is in cleartext on the firewall. It is possible to do, but few customers (Paul Roberson) ask for it.
If true, how can I combat this? Is there a product that will stop the packets and inspect them before being returned to the requester?
Defense in depth... use other means (virus scanning on desktops and acceptable use policies). When you couple an SSL connection with allowing people to pull email down from outside sites, it increases the risk.
Fred Avolio Consulting, Inc. 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US +1 410-309-6910 (voice) +1 410-309-6911 (fax) http://www.avolio.com/ _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards