Firewall Wizards mailing list archives

Re: SSL

From: Frederick M Avolio <fred () avolio com>
Date: Wed, 17 Oct 2001 09:32:04 -0400

At 08:18 AM 10/16/01 -0400, Crumrine, Gary L wrote:

... If I allow SSL outbound, and a user
browses a web site that is corrupt with something harmful like NIMDA, is it
possible that they will infect my network...

Yes. The firewall cannot examine it because the data is encrypted. SSL"proxies" are just circuit gateways. I know of no firewall that has a trueSSL proxy wherein the data is encrypted between the firewall and theclient, and the firewall and the server, but is in cleartext on thefirewall. It is possible to do, but few customers (Paul Roberson) ask for it.

        If true, how can I combat this?  Is there a product that will stop
the packets and inspect them before being returned to the requester?

Defense in depth... use other means (virus scanning on desktops andacceptable use policies). When you couple an SSL connection with allowingpeople to pull email down from outside sites, it increases the risk.



Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

SSL Crumrine, Gary L (Oct 17)
- Re: SSL Frederick M Avolio (Oct 18)
  - Re: SSL Eric Rescorla (Oct 18)
    - Re: SSL Paul D. Robertson (Oct 20)
  - Re: SSL Magosányi Árpád (Oct 20)
  - Re: SSL Balazs Scheidler (Oct 20)
- Re: SSL R. DuFresne (Oct 18)
- Re: SSL teo (Oct 18)
- Re: SSL Patrick M. Hausen (Oct 18)
- RE: SSL Stefan Norberg (Oct 18)
- <Possible follow-ups>
- RE: SSL Bruce Platt (Oct 18)
  - RE: SSL R. DuFresne (Oct 18)

(Thread continues...)