Firewall Wizards mailing list archives

Re: Application Proxy/L7 Firewall Recommendation?


From: John Adams <jna-dated-1031681827.333800 () retina net>
Date: Thu, 5 Sep 2002 11:17:05 -0700 (PDT)

On Thu, 5 Sep 2002, Balazs Scheidler wrote:

> And yes, SSL means that you can peek into decrypted SSL streams. (URL
> filtering in HTTPS, anyone?) You can limit CONNECT, or stack a decrypting
> HTTPS proxy within the CONNECT method to prevent instant messengers from going
> through your firewall.

How do they implement this? 

Consider this: I attempt to connect to a site via HTTPS, and the
certificate presented by your decrypting proxy doesn't match the expected
certificate of the site I'm connecting to. Therefore, I know that there's
a man-in-the-middle attempting to decrypt my session. This is exactly the
sort of action that SSL was designed to prevent.

Note also that there are many other ways to tunnel illegitimate traffic
inside of legitimate traffic; these sorts of L7 proxies only prevent people
who don't know what they're doing from establishing a connection to where
they want to go.

-john

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
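The certificate-mismatch check John describes, carried through as an added example (not code from this thread or from any product mentioned in it): a client that pins the SubjectPublicKeyInfo (SPKI) of the site's certificate will reject a certificate minted by a decrypting proxy, because the proxy cannot present the site's public key. The certificates, key material and host name below are constructed stand-ins (a hand-built, unsigned DER structure), and the DER helpers are this example's own, written so it runs offline.

```python
import base64
import hashlib

# DER tag bytes used below.
SEQ, INT, BITSTR, NULL, OID, UTF8, SET, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x31, 0x17


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given tag."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the full SubjectPublicKeyInfo TLV from an X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                  # optional explicit [0] version
        pos = nxt
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)                   # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pins(chain_der: list, expected_pins: set) -> bool:
    """Accept the presented chain only if some certificate carries a pinned public key."""
    return any(spki_pin(c) in expected_pins for c in chain_der)


def make_cert(serial: int, cn: str, pubkey_bits: bytes) -> bytes:
    """Build a structurally valid X.509 DER certificate with a placeholder signature (constructed sample)."""
    rsa_alg = der(SEQ, der(OID, bytes.fromhex("2A864886F70D010101")) + der(NULL, b""))      # rsaEncryption
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))      # sha256WithRSA
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn.encode()))))
    validity = der(SEQ, der(UTCTIME, b"020101000000Z") + der(UTCTIME, b"030101000000Z"))
    spki = der(SEQ, rsa_alg + der(BITSTR, b"\x00" + pubkey_bits))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + b"\x00" * 32))   # placeholder signature


# Constructed key material: stand-ins for the site's key and for the proxy's key.
SITE_KEY = hashlib.sha256(b"constructed: real site's public key").digest()
PROXY_KEY = hashlib.sha256(b"constructed: decrypting proxy's key").digest()

REAL_CERT = make_cert(1, "www.example.test", SITE_KEY)
RENEWED_CERT = make_cert(2, "www.example.test", SITE_KEY)    # same key, new serial
PROXY_CERT = make_cert(1, "www.example.test", PROXY_KEY)     # proxy-minted, same name, other key
PINS = {spki_pin(REAL_CERT)}


def demo() -> dict:
    """Summarise which presented certificates the pinned client would accept."""
    return {
        "real": check_pins([REAL_CERT], PINS),
        "renewed": check_pins([RENEWED_CERT], PINS),
        "proxy": check_pins([PROXY_CERT], PINS),
        "whole_cert_hash_stable_on_renewal":
            hashlib.sha256(REAL_CERT).digest() == hashlib.sha256(RENEWED_CERT).digest(),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Pinning the SPKI rather than the whole certificate is what lets the renewed certificate pass while the proxy's certificate fails: the site can rotate serials and validity dates without breaking the pin, but an interception proxy cannot reproduce the site's public key. From the defender's side this is also why a decrypting proxy breaks pinned clients (mobile apps, software updaters), and why the interception policy needs an explicit bypass list for them.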
