Educause Security Discussion mailing list archives

Re: paloalto firewall


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 20 Dec 2007 18:08:52 -0500

On Thu, 20 Dec 2007 12:07:45 PST, Mark Boolootian said:
You can achieve these 3 requirements with an active method where you
install a certificate authority certificate on all your client machines
that the proxy server will use, which satisfies A.

I assume this means the client machines are compromised, in which
case I'm not sure I see any value in bothering with the mitm attack.
You already own the machine.

No - all it would mean is that you've installed a certificate that says
"certs.example.edu is a CA".  That's done by lots of places that have their own
CAs - see for example what we do:

http://www.pki.vt.edu/gettingstarted/start.html

You could even do it as part of a shrink-wrapped "Welcome to campus" CD:

http://www.antivirus.vt.edu/proactive/vtnet2007.asp

(See point 1 on "What it does").

I hardly think that qualifies as "client machines are compromised".

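An added example (not part of the original thread) of the mechanism being argued about: a campus CA whose certificate is installed on clients, and an interception proxy that mints a leaf certificate for whatever host the client asked for. The script uses only the openssl command-line tool, builds everything in a temporary directory, and verifies the minted leaf twice: once as a client that trusts the campus CA, once as a client that trusts only some unrelated root. The CA name certs.example.edu is taken from the post; www.example.edu and other.example.org are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Requires openssl.
# Shows that a client which trusts an extra CA certificate accepts proxy-minted
# certificates for any host, while a client without that trust anchor rejects them.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA: make_ca <file basename> <CN>.
# The first argument names the key/cert files, the second is the subject CN.
make_ca() {
  name="$1"; cn="$2"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/$name.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$WORK/$name.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$cn" -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# The interception proxy mints a leaf for the requested host, signed by the
# campus CA ($WORK/campus.pem). Nothing here needs the real site's key.
mint_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/campus.pem" -CAkey "$WORK/campus.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" >/dev/null 2>&1
}

# Validate the minted leaf the way a TLS client would: chain building against the
# given trust anchor file only (-no-CApath disables the system store) plus a
# hostname check. Prints "trusted" or "rejected".
verify_with() {
  cafile="$1"; host="$2"
  if openssl verify -CAfile "$cafile" -no-CApath -verify_hostname "$host" \
       "$WORK/$host.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_ca campus certs.example.edu     # the CA the "Welcome to campus" CD would install
make_ca other  other.example.org     # stands in for a trust store without the campus CA
mint_leaf www.example.edu            # proxy-minted certificate for an arbitrary host

echo "client trusting certs.example.edu: $(verify_with "$WORK/campus.pem" www.example.edu)"
echo "client without that CA:           $(verify_with "$WORK/other.pem"  www.example.edu)"
```

The second line of output is the whole argument in one check: without the CA certificate in the client's trust store, the proxy's certificate for www.example.edu is just an untrusted self-made chain; with it, the same certificate validates cleanly, for this host or any other the proxy chooses to mint.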