Firewall Wizards mailing list archives

Re: httport 3snf


From: Christopher Hicks <chicks () chicks net>
Date: Mon, 21 Oct 2002 17:14:53 -0400 (EDT)

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

Are there application layer routers that can deny all SSL except for MAC
addresses or IPs on an approved ACL? I know this could be a nightmare to
enforce, but I think we may be getting to the point where networks only
approve certain IP addresses for SSL/connect?

It's a never ending game.  Even if you could detect SSL (which would
require a load of CPU), there's no reason someone can't switch to a
different method of encryption.  Let me give you two examples.  We have a
couple of friends that work for large stupid companies that would rather
those large stupid IT people not watch their personal e-mail and browsing
activities.  Since these folks are carrying in their own personal linux
laptops I don't feel terribly immoral about helping them with this.  (I'm
sort of fond of privacy myself.)  Anyway, neither of the folks I have in mind
uses SSL to do what they're doing.  It's not a matter of avoiding SSL
either, it's just a matter of their individual geek preferences.  
Individual A ** uses ssh and is quite happy with pine and lynx and doesn't
want to configure anything.  ssh doesn't use SSL and your imagined SSL
blocker would have no effect on them.  You can use AIM knock-offs through
linux too if you like.  Individual B wants all the GUI garbage and is
happy to configure things to get that and Mr. B uses a VPN client to
connect to a VPN server we have.  Again, SSL isn't involved, but it is
encrypted.  So, I don't think your imaginary SSL blocker would have the
hoped-for result.

** I feel like Henry Blake lecturing.  Eeeee gads!

Someone else suggested becoming authoritative for the big IM domains 
(aol.com, etc.)  This won't help you unless they're using your DNS servers 
and even if you hose your own DNS servers so things won't work there's 
nothing to stop the miscreants from using other DNS servers, through a 
tunnel if necessary.

You may want to block all traffic that doesn't go through your proxy
server or SOCKS.  You can set those up to require authentication and track
who is doing what.  I've been stuck at a few Fortune 500 corporate offices
that functioned that way.

-- 
</chris>

Recently, I was asked if I was going to fire an employee who made a
mistake that cost the company $600,000.  No, I replied, I just spent
$600,000 training him. Why would I want somebody to hire his experience?
                -Thomas J.  Watson, industrialist (1874-1956)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
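An added example, not code from the post or from the list: it models the two policies discussed above, the "SSL blocker" the question asks for and the proxy-only egress rule the reply recommends, and runs both over a few constructed flows (a TLS ClientHello, an ssh banner, an opaque VPN datagram, and an HTTP CONNECT to an internal proxy). The addresses, ports, the proxy host 10.0.0.5 and every payload byte are made up for illustration; nothing here is a capture.

```python
# Added example, not from the original post: compares the "SSL blocker" the
# question asks for with the proxy-only egress policy the reply recommends,
# run over constructed sample flows (no real captures).
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src: str            # internal client address (constructed)
    dst: str            # destination address (constructed)
    dport: int          # destination port
    first_bytes: bytes  # first payload bytes the client sends (hand-built)


def looks_like_tls(payload: bytes) -> bool:
    """Match a TLS record carrying a ClientHello: content type 0x16
    (handshake), record version 0x03 0x00-0x03, 2-byte length, then
    handshake type 0x01.  This is the per-packet inspection the reply
    calls CPU-heavy, and it only ever recognises TLS."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03
            and payload[5] == 0x01)


def ssl_blocker(flow: Flow, acl: frozenset) -> str:
    """Policy from the question: deny SSL unless the source is on the ACL.
    Anything that is not TLS (ssh, a VPN, plain HTTP) is allowed through."""
    if looks_like_tls(flow.first_bytes) and flow.src not in acl:
        return "DENY"
    return "ALLOW"


def proxy_only_egress(flow: Flow, proxy_host: str, proxy_ports: frozenset) -> str:
    """Policy from the reply: default deny; the only permitted destination is
    the authenticating proxy/SOCKS host (hypothetical address 10.0.0.5).
    No payload inspection is needed, so the client's choice of encryption
    does not matter."""
    if flow.dst == proxy_host and flow.dport in proxy_ports:
        return "ALLOW"
    return "DENY"


# Constructed sample flows.  The first bytes are hand-built, not captures.
FLOWS = (
    # Browser speaking TLS directly to an outside host (what the asker wants to stop).
    Flow("tls", "10.0.0.23", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
    # Individual A: ssh to an outside box; the banner is plaintext, not TLS.
    Flow("ssh", "10.0.0.23", "198.51.100.5", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    # Individual B: VPN client; opaque bytes standing in for an encrypted datagram.
    Flow("vpn", "10.0.0.24", "198.51.100.7", 1194, b"\x38\xa1\x5e\x00\x01\x02\x03\x04"),
    # The sanctioned path: HTTP CONNECT to the internal proxy, which authenticates the user.
    Flow("via_proxy", "10.0.0.23", "10.0.0.5", 3128,
         b"CONNECT mail.example.com:443 HTTP/1.0\r\n\r\n"),
)

ACL = frozenset({"10.0.0.99"})         # the one host allowed to speak SSL directly
PROXY_HOST = "10.0.0.5"                # hypothetical proxy/SOCKS host
PROXY_PORTS = frozenset({3128, 1080})  # HTTP proxy and SOCKS


def evaluate(flows=FLOWS) -> dict:
    """Return {(policy, flow name): verdict} for both policies."""
    verdicts = {}
    for f in flows:
        verdicts[("ssl_blocker", f.name)] = ssl_blocker(f, ACL)
        verdicts[("proxy_only", f.name)] = proxy_only_egress(f, PROXY_HOST, PROXY_PORTS)
    return verdicts


if __name__ == "__main__":
    for (policy, name), verdict in sorted(evaluate().items()):
        print(f"{policy:12s} {name:10s} {verdict}")
```

Running it shows the point of the reply: the SSL blocker stops only the TLS flow and waves the ssh session and the VPN datagram through, while the proxy-only rule denies all three and permits just the CONNECT to the proxy, where authentication and logging can happen. In a real deployment the default-deny rule lives on the border firewall and the proxy does the authentication; the script only models the verdicts.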
