Security Basics mailing list archives
RE: Checkpoint smart defance as IPS
From: "Bretten, Andrew P" <andrew.bretten () kroger com>
Date: Fri, 28 May 2010 16:11:23 -0400
Trevor, typically a proxy does NOT decrypt SSL connections that it proxies. Yes, it proxies the TCP socket and the HTTP connection that the SSL sits on top of, but the encryption is typically from client to end server; the proxy cannot decrypt it.

There are certain proxies out there which will dynamically create a certificate that matches the site the client is trying to reach and terminate the SSL as you described, but not all proxies do this. It also requires that all your internal clients then trust the (typically internal) CA used to real-time sign the dynamically created certificates. I won't even get into all the legal questions raised when now inspecting all SSL (think private Web mail etc).

Look at http://www.bluecoat.com/doc/807 as an example of a proxy that does this.

Andy

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Trevor Alexander
Sent: Friday, May 28, 2010 2:14 PM
To: Laurens Vets
Cc: mzcohen2682 () aim com; security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

An IPS that decrypts SSL does not exist. Research SSL and how it works and you will understand why.

A simple solution to the problem (based on what I gathered from the snippets of conversation) is to place a proxy on the outside edge of the network and force all clients to use the proxy. The proxy will recreate the SSL connection with a given web server on the net for the client, and any traffic that is passed back to a client will be decrypted by the proxy on its way back. On the inside edge of the proxy, place an IPS inline to inspect the decrypted traffic.

On Thu, May 27, 2010 at 11:25 PM, Laurens Vets <laurens () daemon be> wrote:
On 5/27/2010 11:47 PM, mzcohen2682 () aim com wrote:
> Exactly. That's what I meant. Thanks.

I don't think that even exists... :)

-----Original Message-----
From: Laurens Vets <laurens () daemon be>
To: mzcohen2682 () aim com
Cc: security-basics () securityfocus com
Sent: Thu, May 27, 2010 6:41 pm
Subject: Re: Checkpoint smart defance as IPS

> I think that the client needs to buy a real IPS which can also open the encrypted traffic.

Not sure what you mean by this? An IPS which can decrypt encrypted traffic on the fly?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
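As an added illustration of the mechanism Andrew describes (this is example code written for this page, not code from the thread or from any product mentioned in it), the Go program below stands up a throwaway internal CA, mints a certificate for a requested hostname on the fly the way an intercepting proxy would, and then checks the two consequences the thread raises: a client that trusts the internal CA accepts the certificate, a client that does not reject it, and a defender can tell from the signing CA whether a connection was intercepted. The CA name "Corp Intercepting Proxy CA", the host "webmail.example.com", and the function names are constructed for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate and its private key. This plays
// the role of the (typically internal) CA that an intercepting proxy signs
// with. Name and lifetime are constructed for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// mintLeaf does what the proxy does per connection: it generates a fresh
// server certificate whose name matches the site the client asked for and
// signs it with the CA in real time.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts models the client's view: it validates leaf for host against
// only the roots in trusted. A client that was never given the internal CA
// has an empty store and must reject the proxy's certificate.
func clientAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // non-nil and empty, so system roots are not consulted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// issuedBy is the defender's check: was the certificate seen on the wire
// signed by the known intercepting CA rather than by a public CA?
func issuedBy(leaf, ca *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ca) == nil
}

func main() {
	proxyCA, proxyKey, err := newCA("Corp Intercepting Proxy CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := mintLeaf("webmail.example.com", proxyCA, proxyKey) // constructed host
	if err != nil {
		panic(err)
	}
	fmt.Println("client trusting the internal CA accepts:", clientAccepts(leaf, "webmail.example.com", proxyCA))
	fmt.Println("client without the internal CA accepts:", clientAccepts(leaf, "webmail.example.com"))
	fmt.Println("certificate chains to the proxy CA:", issuedBy(leaf, proxyCA))
}
```

The empty, non-nil cert pool is deliberate: with a nil `Roots` Go would fall back to the system trust store, which is exactly the store an intercepting deployment has to modify on every client. The same `issuedBy` comparison is how an endpoint or a monitoring point can detect that a "public" site is presenting a certificate chained to an internal CA.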