Firewall Wizards mailing list archives

Re: HTTPS, proxies, and remote developers.


From: simonis () att net
Date: Sun, 15 Jun 2003 17:44:57 +0000


What would be the easiest way to handle this situation? How would you
resolve a policy issue if one of your clients requires that you use
unencrypted traffic outbound from their network into yours?
(Their need to know for traffic on their network against your need for
security).


It seems to be that the client has an irrational desire.  Why would
anyone disagree with having a VPN between two networks whose 
interconnection crosses a public network?  There are many ways they 
could maintain visibility on their network while still allowing
encryption.  For example, using a point to point VPN with a preshared
secret.  TCPDump can, with knowledge of the preshared key, decrypt
that traffic for monitoring.  There are numerous other, more complex,
means for decrypting/inspecting/encrypting VPN traffic, if the need
really exists, and I would use this angle to herd this customer into
the proper corral.  

-Ds
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

