Security Basics mailing list archives

RE: Checkpoint smart defance as IPS

From: "Bretten, Andrew P" <andrew.bretten () kroger com>
Date: Fri, 28 May 2010 16:11:23 -0400

Trevor, typically a proxy does NOT decrypt ssl connections that it proxies.   Yes it proxies the TCP socket and the 
HTTP connection that the SSL sits on top of, but the encryption is typically from client to end server, the proxy 
cannot decrypt it.

There are certain proxies out there which will dynamically create a certificate that matches the site the client is 
trying to reach and terminate the SSL have you described, but not all proxies do this.   It also requires that all your 
internal clients then trust the (typically internal) CA used to real-time sign the dynamically created certificates

I wont even get into all the legal questions raised when now inspecting all SSL (think private Web mail etc).

Look at http://www.bluecoat.com/doc/807   as an example of a proxy that does this.

Andy


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Trevor Alexander
Sent: Friday, May 28, 2010 2:14 PM
To: Laurens Vets
Cc: mzcohen2682 () aim com; security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

An IPS that decrypts SSL does not exist. Research SSL and how it works
and you will understand why.

A simple solution to the problem (based on what I gathered from the
snippets of conversation) is to place a proxy on the outside edge of
the network; force all clients to use proxy. The proxy will recreate
the SSL connection with a given webserver on the net for the client
and any traffic that is passed back to a client will be decrypted by
the proxy on its way back. On the inside edge of the proxy, place an
IPS inline to inspect the decrypted traffic.



On Thu, May 27, 2010 at 11:25 PM, Laurens Vets <laurens () daemon be> wrote:

On 5/27/2010 11:47 PM, mzcohen2682 () aim com wrote:


exactly. thats what I ment.

thanks


I don't think that even exists... :)

-----Original Message-----
From: Laurens Vets <laurens () daemon be>
To: mzcohen2682 () aim com
Cc: security-basics () securityfocus com
Sent: Thu, May 27, 2010 6:41 pm
Subject: Re: Checkpoint smart defance as IPS

I think that the client needs to buy a real IPS which can also
open the encrypted traffic.


Not sure what you mean by this? An IPS which can decrypt encrypted
traffic on the fly?


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain 
information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, 
disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply 
e-mail and destroy all copies of the original message.

Current thread:

RE: Checkpoint smart defance as IPS, (continued)
- RE: Checkpoint smart defance as IPS Boyd, Chad (May 28)
  - Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Message not available
  - Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Re: Checkpoint smart defance as IPS John Bond (May 28)
- Message not available
  - Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Message not available
  - Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
- Re: Checkpoint smart defance as IPS Laurens Vets (May 28)
  - Re: Checkpoint smart defance as IPS mzcohen2682 (May 28)
    - Re: Checkpoint smart defance as IPS Laurens Vets (May 28)
    - Re: Checkpoint smart defance as IPS Trevor Alexander (May 28)
    - RE: Checkpoint smart defance as IPS Bretten, Andrew P (May 28)
    - RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
    - Re: Checkpoint smart defance as IPS Trevor Alexander (May 31)
    - RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
    - RE: Checkpoint smart defance as IPS Craig S. Wright (May 31)
- Re: Checkpoint smart defance as IPS FV (May 28)
- Re: Checkpoint smart defance as IPS Demith Samaraweera (May 28)