Educause Security Discussion mailing list archives

Re: paloalto firewall


From: Alex <alex.everett () UNC EDU>
Date: Thu, 20 Dec 2007 13:48:29 -0500

I thought I might add to the speculation :)
The key (I hope) issue is that the end-user (Client) will need to be
presented with a valid SSL cert.
The SSL Cert is tied to a host, typically a fully qualified domain name.
Of course, for #2 you must be in the flow of traffic (active).

It seems you could do this a few ways:
Passive or Active
1. Have the private keys for all sites using SSL
        a. Decrypt PKI messages to obtain symmetric keys
        b. Decrypt messages encrypted with the symmetric key.

Active
2. Have the man-in-the-middle present the end-user with a valid certificate
        a. Act as a proxy for SSL connections by establishing two separate
SSL sessions.
        b. DNS points to man-in-the-middle as the web server (or just drop
end-user's traffic and spoof responses)
        c. Present the end-user with a valid certificate (maybe a wildcard
cert)
        d. Most servers don't require the client to have a cert, so act as a
client to the web-server(s). Here you are creating sessions to the real
web-server.
        e. Pass data back and forth between client and server.

Comments?

-Alex
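
An added example (not from this thread or from Palo Alto Networks) that builds the two-session proxy situation from #2 in memory with Go's standard library: a leaf for the site under a public root, and a second leaf for the same host minted by an inspection CA. It shows that the proxy's certificate is only "valid" to a client whose trust store holds the inspection CA, and that an SPKI pin still tells the two leaves apart. All CA names, the host name and the certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for name: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // nanosecond clock as serial is unique enough for constructed data
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil { // self-signed root: it is its own issuer and the only cert allowed to sign
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // constructed data, so a failure here means the template itself is wrong
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// buildScenario constructs both chains from #2 in memory (no real CAs): the site's own leaf under a public root, and a proxy-minted leaf for the same host under an inspection CA.
func buildScenario(host string) (realCA, realLeaf, proxyCA, proxyLeaf *x509.Certificate) {
	realCA, realKey := issue("public-root-ca.invalid", nil, nil)
	realLeaf, _ = issue(host, realCA, realKey)
	proxyCA, proxyKey := issue("inspection-proxy-ca.invalid", nil, nil)
	proxyLeaf, _ = issue(host, proxyCA, proxyKey)
	return
}
// chainTrusted reports whether a client that trusts exactly roots would accept leaf as valid for host.
func chainTrusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo a pinning client compares; it differs for the proxy-minted leaf even when that leaf's chain validates.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
```

Feed the four certificates from buildScenario to chainTrusted and spkiPin: once the inspection CA is in the trust store, only the pin still distinguishes the proxy-minted leaf from the site's own.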

-----Original Message-----
From: Mike Corcoran [mailto:mike.corcoran () WRIGHT EDU]
Sent: Thursday, December 20, 2007 1:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] paloalto firewall

David Morton wrote:

Mike, do you have more info on their capabilities?


I went to a presentation by PaloAlto in Cincinnati, OH on 10/3/07.  The
presenter was Nir Zuk (formerly of CheckPoint).
He explained the SSL decryption using "man in the middle."
Since we have not demo'd the box yet I don't have much information to share.
I can only suggest the web site http://www.paloaltonetworks.com/ for more
information.

Mike
--
Mike Corcoran, Systems Security Engineer Wright State University, CaTS
Voice:937-775-2431, Fax:937-775-4049 http://www.cats.wright.edu/
