Educause Security Discussion mailing list archives
Re: paloalto firewall
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 20 Dec 2007 18:08:52 -0500
On Thu, 20 Dec 2007 12:07:45 PST, Mark Boolootian said:
> > You can achieve these 3 requirements with an active method where you install a certificate authority certificate on all your client machines that the proxy server will use, which satisfies A.
>
> I assume this means the client machines are compromised, in which case I'm not sure I see any value in bothering with the mitm attack. You already own the machine.

No - all it would mean is that you've installed a certificate that says "certs.example.edu is a CA". That's done by lots of places that have their own CAs - see for example what we do:

http://www.pki.vt.edu/gettingstarted/start.html

You could even do it as part of a shrink-wrapped "Welcome to campus" CD:

http://www.antivirus.vt.edu/proactive/vtnet2007.asp

(See point 1 on "What it does"). I hardly think that qualifies as "client machines are compromised".