Firewall Wizards mailing list archives
Re: Application Proxy/L7 Firewall Recommendation?
From: Balazs Scheidler <bazsi () balabit hu>
Date: Fri, 6 Sep 2002 09:31:14 +0200
On Thu, Sep 05, 2002 at 11:17:05AM -0700, John Adams wrote:
> On Thu, 5 Sep 2002, Balazs Scheidler wrote:
> > And yes SSL means that you can peek into decrypted SSL streams. (url filtering in HTTPS, anyone?) You can limit CONNECT, or stack in a decrypting HTTPS proxy within the CONNECT method to avoid instant messengers to go through your firewall.
>
> How do they implement this? Consider this: I attempt to connect to a site via HTTPS, and the certificate presented by your decrypting proxy doesn't match the expected certificate of the site I'm connecting to. Therefore, I know that there's a man-in-the-middle attempting to decrypt my session. This is exactly the sort of action that SSL was designed to prevent.
Yes, you know there's a mitm going on. But this is surely something that you can state in your company security policy. The firewall checks the server certificate instead of you (which by the way can be much more secure, as most stupid users click on 'continue' just to get to the website without knowing what they are doing), and the trusted CA/server certificates can be maintained at a single location (on the firewall instead of all client computers). This is a real problem if you have your own PKI system with your own root CA: distributing the root CA certificate securely is not easy.
> Note also that there are many other ways to tunnel illegitimate traffic inside of legitimate traffic; these sorts of L7 proxies only prevent people who don't know what they're doing from establishing a connection to where they want to go.
yes, you can always find covert channels, but eliminating the trivial ones decreases the likelihood that somebody finds a hole through your firewall, and in addition it is quite sure that further covert channels will have lower bandwidth.

Trivial covert channels (with bandwidth equal to the physical lines):
- direct port 443 connection
- HTTP CONNECT method
- ftp data channel (it is usually not restricted to a one-way-only channel; even if the FTP command implies a direction, you can simply upload data with the RETR command)
- direct port 22 connection (ssh) if permitted

We usually require authentication for services which cannot be really verified with a protocol analyzing proxy (not plug).

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
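As an added illustration (not code from this post or from any product discussed in the thread), here is a Python sketch of the two pieces Bazsi describes: a gate on the HTTP CONNECT method that sends port 443 tunnels into the verifying proxy, requires authentication for ssh, and denies any other tunnel target, plus the firewall-side server certificate check against a CA store kept on the firewall rather than on every client. The function names, the request-line regex and the "inspect/allow/auth-required/deny" vocabulary are assumptions of this example.

```python
import re
import socket
import ssl

# Ports named in the thread as trivial covert channels.
HTTPS_PORT = 443
SSH_PORT = 22

# Matches a plain "CONNECT host:port HTTP/1.x" request line
# (bracketed IPv6 literals are deliberately not handled here).
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]$")


def connect_decision(request_line, authenticated):
    """Policy decision for one proxy request line (hypothetical helper).

    Returns "inspect" (hand the tunnel to the decrypting/verifying HTTPS
    proxy), "auth-required" / "allow" (ssh cannot be verified by a
    protocol-analysing proxy, so it needs an authenticated user) or "deny".
    """
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return "deny"                      # not a CONNECT we understand
    port = int(m.group(2))
    if port == HTTPS_PORT:
        return "inspect"
    if port == SSH_PORT:
        return "allow" if authenticated else "auth-required"
    return "deny"                          # e.g. instant messenger ports


def verify_upstream(host, port=HTTPS_PORT, cafile=None, timeout=5.0):
    """Firewall-side check of the real server certificate.

    The trusted CA set lives in `cafile` on the firewall, so a private root
    CA only has to be distributed to one place.  Hostname checking and
    CERT_REQUIRED are the defaults of create_default_context().
    Returns (True, subject) or (False, reason); needs network access.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        return False, "certificate rejected: %s" % e.verify_message
    except (ssl.SSLError, OSError) as e:
        return False, "connection failed: %s" % e
```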