Firewall Wizards mailing list archives

Re: SSL


From: Balazs Scheidler <bazsi () balabit hu>
Date: Sat, 20 Oct 2001 10:04:55 +0200

On Wed, Oct 17, 2001 at 09:32:04AM -0400, Frederick M Avolio wrote:
At 08:18 AM 10/16/01 -0400, Crumrine, Gary L wrote:

... If I allow SSL outbound, and a user
browses a web site that is corrupt with something harmful like NIMDA, is it
possible that they will infect my network...

Yes. The firewall cannot examine it because the data is encrypted. SSL 
"proxies" are just circuit gateways. I know of no firewall that has a true 
SSL proxy wherein the data is encrypted between the firewall and the 
client, and the firewall and the server, but is in cleartext on the 
firewall. It is possible to do, but few customers (Paul Roberson) ask for it.

Just an exception to "circuit level" gateways. Zorp is a modular firewall,
and as such it lets you connect proxies in several interesting ways. For
example you can use the SSL proxy to communicate with the server and the
client, and 'stack' an HTTP proxy to further analyze the unencrypted
protocol stream. Of course nothing prevents you from using POP3 or IMAP
instead of HTTP.

Zorp has a GPLd version and is available at
http://www.balabit.hu/en/products/Zorp

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
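The design Bazsi describes above, a circuit-level SSL relay versus an SSL-terminating proxy with an HTTP proxy stacked on the decrypted stream, as an added example in Python. This is not Zorp's code or its policy language; it is a toy model written for this archive page. The class names, the content-type policy and all sample traffic are constructed for illustration, and the real TLS termination is stood in for by a caller-supplied `decrypt` callable.

```python
"""Added example (not Zorp's code): a toy model of the difference between a
circuit-level SSL relay and an SSL-terminating proxy with an HTTP proxy
'stacked' on the decrypted stream.  All sample traffic below is constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Verdict:
    allowed: bool
    reason: str


class CircuitGateway:
    """Circuit-level SSL 'proxy': it relays ciphertext and can only decide
    on connection metadata (addresses, ports), never on content."""

    def relay(self, ciphertext: bytes) -> Verdict:
        # The payload is opaque; nothing here can tell HTML from a worm.
        return Verdict(True, "ciphertext relayed without content inspection")


class HttpInspector:
    """HTTP proxy that would be stacked on top of an SSL-terminating proxy.
    It receives cleartext HTTP and applies a content policy."""

    ALLOWED_METHODS = {"GET", "HEAD", "POST"}
    # Hypothetical policy: refuse to deliver raw executables to browsers.
    BLOCKED_CONTENT_TYPES = ("application/x-msdownload", "application/octet-stream")

    @staticmethod
    def parse(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
        """Split an HTTP message into start line, header map and body."""
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete HTTP message: no end of headers")
        lines = head.decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return lines[0], headers, body

    def inspect_request(self, raw: bytes) -> Verdict:
        start, _headers, _ = self.parse(raw)
        method = start.split(" ", 1)[0]
        if method not in self.ALLOWED_METHODS:
            return Verdict(False, f"method {method} not permitted")
        return Verdict(True, f"request {start} accepted")

    def inspect_response(self, raw: bytes) -> Verdict:
        _start, headers, body = self.parse(raw)
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype in self.BLOCKED_CONTENT_TYPES:
            return Verdict(False, f"content-type {ctype} blocked by policy")
        declared = headers.get("content-length")
        if declared is not None and int(declared) != len(body):
            return Verdict(False, "content-length does not match body")
        return Verdict(True, f"response {ctype or 'unknown type'} accepted")


class SslTerminatingProxy:
    """SSL proxy that terminates both sides and hands cleartext to a stacked
    proxy.  The actual TLS work is stood in for by `decrypt`, a callable the
    caller supplies (here an identity function on pre-decrypted sample data)."""

    def __init__(self, stacked: HttpInspector, decrypt=lambda data: data):
        self.stacked = stacked
        self.decrypt = decrypt

    def handle_client_to_server(self, data: bytes) -> Verdict:
        return self.stacked.inspect_request(self.decrypt(data))

    def handle_server_to_client(self, data: bytes) -> Verdict:
        return self.stacked.inspect_response(self.decrypt(data))


# Constructed sample traffic (cleartext, as the SSL layer would deliver it).
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Length: 13\r\n\r\n<html></html>")
SAMPLE_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: 4\r\n\r\nMZ\x90\x00")


def demo() -> Dict[str, bool]:
    """Run the same traffic through both designs and return the decisions."""
    circuit = CircuitGateway()
    stacked = SslTerminatingProxy(HttpInspector())
    return {
        "circuit_exe": circuit.relay(SAMPLE_EXE).allowed,
        "stacked_request": stacked.handle_client_to_server(SAMPLE_REQUEST).allowed,
        "stacked_html": stacked.handle_server_to_client(SAMPLE_HTML).allowed,
        "stacked_exe": stacked.handle_server_to_client(SAMPLE_EXE).allowed,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The point the model makes is the one in the thread: the circuit gateway returns "allowed" for the executable because it never sees anything but ciphertext, while the stacked HTTP proxy, fed the same bytes after termination, can apply a policy to the method, the content type and the framing. The same stacking works for any protocol the terminating proxy can hand over in cleartext, which is why POP3 or IMAP can sit in the HTTP proxy's place.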