Firewall Wizards mailing list archives
RE: RE: In defense of non standard ports
From: "Bill Royds" <bill () royds net>
Date: Tue, 24 Jan 2006 18:56:18 -0500
The problem was that the application was not negotiating the security context as SSL states. It was just trying to use HTTP CONNECT to pass arbitrary traffic. Even though HTTPS is encrypted, there is still a handshake where the server certificate is authenticated and the session key is generated. The firewall can ensure that the structure of this exchange is corect, even if it does not actually see the traffic. -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of James Sent: Tuesday, January 24, 2006 7:09 AM To: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] RE: In defense of non standard ports
As a postscript, when I managed a corporate firewall, I found that a number of sites and applications were trying to pass arbitrary traffic through HTTPS by just believing that it would not be examined by an application proxy more than checking the headers. Our particular firewall (Symantec SEF) actually had an HTTPS proxy and complained that the handshake was not correct and refused it.
I would have thought stunnel would make light work of SEF. How does the ssl proxying work ? Isn't the whole point of ssl that the session is encrypted end to end. Does SEF do some kind of CA trickery ? On this point of ssl tunneled connections how do the list members deal with it ? Just about any home user can get a piece of web estate and a domain name these days so how do you stop users using ssl tunnels to access resources denied by your policy ? Some ideas I have heard are traffic analysis, HIDS (which could flag the presence of stunnel, a connection to a listening port on localhost or even detect the protocol before it enters the tunnel) and even plain old enumerating goodness (ie you can go to urls' we want you to and everything else is denied) The problem with enumerating goodness is it creates a lot of work for the admin. So what do you do to stop mischievous users ? -- James _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: RE: In defense of non standard ports, (continued)
- Re: RE: In defense of non standard ports James (Jan 24)
- Re: RE: In defense of non standard ports ArkanoiD (Jan 24)
- Re: RE: In defense of non standard ports Chuck Swiger (Jan 24)
- Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
- Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
- Re: RE: In defense of non standard ports Tim Shea (Jan 24)
- Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
- Message not available
- RE: In defense of non standard ports Brian Loe (Jan 24)
- Message not available
- Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
- Re: RE: In defense of non standard ports James (Jan 24)
- Re: RE: In defense of non standard ports ArkanoiD (Jan 25)
- RE: RE: In defense of non standard ports Bill Royds (Jan 24)
- Re: RE: In defense of non standard ports Karl (Jan 24)