Firewall Wizards mailing list archives

Re: Application Proxy/L7 Firewall Recommendation?


From: Balazs Scheidler <bazsi () balabit hu>
Date: Fri, 6 Sep 2002 09:31:14 +0200

On Thu, Sep 05, 2002 at 11:17:05AM -0700, John Adams wrote:
> On Thu, 5 Sep 2002, Balazs Scheidler wrote:
> 
> > And yes, SSL means that you can peek into decrypted SSL streams. (URL
> > filtering in HTTPS, anyone?) You can limit CONNECT, or stack a decrypting
> > HTTPS proxy within the CONNECT method to prevent instant messengers from
> > going through your firewall.
> 
> How do they implement this?
> 
> Consider this: I attempt to connect to a site via HTTPS, and the
> certificate presented by your decrypting proxy doesn't match the expected
> certificate of the site I'm connecting to. Therefore, I know that there's
> a man-in-the-middle attempting to decrypt my session. This is exactly the
> sort of action that SSL was designed to prevent.

Yes, you know there's a MITM going on. But this is surely something that you
can state in your company security policy. The firewall checks the server
certificate instead of you (which, by the way, can be much more secure, as
most stupid users click on 'continue' just to get to the website without
knowing what they are doing), and the trusted CA/server certificates can be
maintained at a single location (on the firewall instead of all client
computers). This is a real problem if you have your own PKI system with your
own root CA: distributing the root CA certificate securely is not easy.


> Note also that there's many other ways to tunnel illegitimate traffic
> inside of legitimate traffic; these sorts of L7 proxies only prevent people
> who don't know what they're doing from establishing a connection to where
> they want to go.

Yes, you can always find covert channels, but eliminating the trivial
ones decreases the likelihood that somebody finds a hole through your
firewall, and in addition it is quite certain that further covert channels will
have lower bandwidth.

Trivial covert channels (with bandwidth equal to the physical lines):
- direct port 443 connection
- HTTP CONNECT method
- ftp data channel (it is usually not restricted to a one-way channel;
  even if the FTP command implies a direction, you can simply upload data
  with the RETR command)
- direct port 22 connection (ssh) if permitted

We usually require authentication for services which cannot really be
verified with a protocol analyzing proxy (not plug).

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
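As an added illustration of the "protocol analyzing proxy (not plug)" distinction raised in the post, and not code from the original message or from any product: a check that the first record a client sends on a connection permitted to port 443 really parses as a TLS ClientHello, so that an SSH or plain HTTP stream smuggled over 443 is dropped instead of plugged through. The sample byte strings and the `build_client_hello` helper are constructed test data, not captured traffic.

```python
import struct

def build_client_hello(cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Construct a minimal, structurally valid TLS 1.2 ClientHello record
    (test data only: all-zero random, empty session id, no extensions)."""
    body = struct.pack(">H", 0x0303) + b"\x00" * 32 + b"\x00"   # version, random, sid len
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                          # one compression method: null
    body += struct.pack(">H", 0)                                 # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # type 22 = handshake

def looks_like_tls_client_hello(data: bytes) -> bool:
    """Protocol-analyzing check: does the first client->server record parse as
    a TLS ClientHello with internally consistent lengths?  A plug proxy that
    only forwards bytes never asks this question."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03:     # record type / major version
        return False
    rec_len = struct.unpack(">H", data[3:5])[0]
    if data[5] != 0x01 or len(data) < 5 + rec_len:              # handshake type, full record present
        return False
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len != rec_len - 4:                                    # handshake header + body fills record
        return False
    body = data[9:9 + hs_len]
    try:
        if body[0] != 0x03:                                      # client_version major
            return False
        pos = 2 + 32                                             # skip client_version and random
        pos += 1 + body[pos]                                     # session id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        if cs_len == 0 or cs_len % 2:                            # suites are 2-byte values
            return False
        pos += cs_len
        cm_len = body[pos]
        if cm_len == 0:                                          # at least the null method
            return False
        pos += 1 + cm_len
        if pos == len(body):                                     # extensions are optional
            return True
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        return pos + 2 + ext_len == len(body)                    # extensions must fill the rest exactly
    except (IndexError, struct.error):                           # truncated or malformed field
        return False

def decide_443(first_bytes: bytes) -> str:
    """Decision a verifying proxy makes for a connection allowed to port 443."""
    return "pass" if looks_like_tls_client_hello(first_bytes) else "drop"
```

Running `decide_443` over a constructed ClientHello, an SSH banner and a plain `GET /` request shows which of the "trivial covert channels" a protocol check closes that a plug proxy leaves open.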