Firewall Wizards mailing list archives
Re: httport 3snf
From: Christopher Hicks <chicks () chicks net>
Date: Mon, 21 Oct 2002 17:14:53 -0400 (EDT)
On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
Are there application layer routers that can deny all SSL except for MAC addresses or IPs on an approved ACL? I know this could be a nightmare to enforce, but I think we may be getting to the point where networks only approve certain IP addresses for SSL/connect?
It's a never ending game. Even if you could detect SSL (which would require a load of CPU), there's no reason someone can't switch to a different method of encryption. Let me give you two examples.

We have a couple of friends that work for large stupid companies that would rather those large stupid IT people not watch their personal e-mail and browsing activities. Since these folks are carrying in their own personal linux laptops I don't feel terribly immoral about helping them with this. (I'm sort of fond of privacy myself.) Anyway, neither of the folks I have in mind uses SSL to do what they're doing. It's not a matter of avoiding SSL either, it's just a matter of their individual geek preferences.

Individual A ** uses ssh and is quite happy with pine and lynx and doesn't want to configure anything. ssh doesn't use SSL and your imagined SSL blocker would have no effect on them. You can use AIM knock-offs through linux too if you like.

Individual B wants all the GUI garbage and is happy to configure things to get that, and Mr. B uses a VPN client to connect to a VPN server we have. Again, SSL isn't involved, but it is encrypted.

So, I don't think your imaginary SSL blocker would have the hoped-for result.

** I feel like Henry Blake lecturing. Eeeee gads!

Someone else suggested becoming authoritative for the big IM domains (aol.com, etc.) This won't help you unless they're using your DNS servers, and even if you hose your own DNS servers so things won't work there, there's nothing to stop the miscreants from using other DNS servers, through a tunnel if necessary.

You may want to block all traffic that doesn't go through your proxy server or SOCKS. You can set those up to require authentication and track who is doing what. I've been stuck at a few Fortune 500 corporate offices that functioned that way.

-- 
</chris>

Recently, I was asked if I was going to fire an employee who made a mistake that cost the company $600,000. No, I replied, I just spent $600,000 training him. Why would I want somebody to hire his experience?
-Thomas J. Watson, industrialist (1874-1956)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- httport 3snf Robert E. Martin (Oct 21)
- Re: httport 3snf Devdas Bhagat (Oct 21)
- Re: httport 3snf Christopher Hicks (Oct 21)
- Re: httport 3snf Ryan M. Ferris (Oct 21)
- Re: httport 3snf Christopher Hicks (Oct 21)
- Re: httport 3snf Ryan M. Ferris (Oct 21)
- Re: httport 3snf Christopher Hicks (Oct 21)
- Re: httport 3snf Paul Robertson (Oct 21)
- Re: httport 3snf Ryan M. Ferris (Oct 21)
- Re: httport 3snf Paul Robertson (Oct 21)
- Re: httport 3snf Ryan M. Ferris (Oct 21)
- Re: httport 3snf Paul D. Robertson (Oct 21)
- Re: httport 3snf Duncan (Oct 22)
- Re: httport 3snf Paul D. Robertson (Oct 22)
- Re: httport 3snf Duncan (Oct 22)
- Re: httport 3snf Paul Robertson (Oct 22)