Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem --
From: damnliberals () gmail com
Date: Wed, 19 Jul 2006 03:36:46 +0300
On 7/12/06, Marcus J. Ranum <mjr () ranum com> wrote: <..>
As far as I can see, the endgame is going to be one of two things.

- Organizations are going to try to add signature-style controls to SSL transactions and are going to rely on "man in the middle" style interception tricks and (call 'em what you want) signatures to detect malicious traffic
- Organizations are going to have to positively identify sites with which it is necessary/appropriate to do SSL transactions

I don't see a lot of future in EITHER of those options. The first one falls apart really fast if anyone ever fixes SSL's certificate trust model (not highly likely) but since it's signature-based it'll fail when the hackers add superencryption to their command streams. The second option would have worked if it had been
<..>

One branch of the military that I'm working with across the pond has recently moved to option 1, specifically using Blue Coat SSL proxies to scan SSL-encrypted traffic. They are also significantly reducing the (already limited) sites that can be accessed.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards