Firewall Wizards mailing list archives
Re: SSL banking connections out of the firms firewall
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 1 Oct 2001 14:02:35 -0400 (EDT)
On Thu, 27 Sep 2001, Walker Andrew wrote:
Hi, I recently received a request from a user wanting to do his private banking via an SSL connection negotiated from his client laptop (company issue, connected to the internal LAN) to his bank's server through the corporate firewall. I read up about SSL as a protocol and about public key encryption, but I'm still undecided. I have no help from the firm's Internet policy to guide me, so I'm looking for advice regarding how one would go about allowing it by a rule on FW1, if there are any security risks to be aware of, and also if anyone has any guidelines or experience of Internet policies that deal with this kind of Internet usage from within the firm. Thanks in advance.
I stopped trying, a long time ago, to get commercial firewall vendors to MITM SSL legitimately for corporate networks. There are now some MITM programs available though, so if you want to make the connection as "bad" as a normal HTTP connection (which is bad enough IMO) then you can probably hack something up after several minutes of Web searching. I've also considered playing with ProxyRemote and URL rewriting, which is another good MITM vector for SSL. There are lots of legal/privacy issues surrounding such implementations though.

What I've been interested in doing in the past was remote display to a secured host on the DMZ or Service Network - removing the problem on all HTTP/HTTPS tunnels. Since you're then in control of the machine doing the browsing, active content issues and anti-malcode issues are as good as your system administration policies are implemented.

Depending on your privacy policies, I'd make it very clear to employees that their traffic _could_ be legitimately monitored in either case, especially during diagnostics, or if the company were complying with a court order. Your policy should be changed to account for anything you're doing operationally. There are lots of SSL sites out there, and you should deal with things like SSL remote control of company-owned computers from outside via both policy and practice.

The other thing to consider is limiting SSL access to a small number of sites, or setting up a small SSL-only proxy with user authentication (preferably via one-time tokens if you want to stop outbound tunneling) for specific users. Turning on authentication for http/https is a very fun game if you use single-use passwords via tokens - you'd be surprised at what "breaks" that's been going through your "firewall" for months. I'd recommend everyone who can have at least one shot at playing.

Personal usage should be outlined - when it is and isn't appropriate, no matter if it's SSL or HTTP, or SMTP.

Someone should make an analysis of whether it's worth the company's time for the administrator to support such usage, including time spent analyzing logs, doing a risk assessment, changing policy documents, etc., before you go too much further down the road. It's always fun to have the user draft up their business justification for access that is currently denied as well.

If you're allowing HTTP, allowing HTTPS probably doesn't alter your risk profile much unless you're employing IDS, active content filtering, or other such mechanisms.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net  which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
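The two practical suggestions in the reply above (restrict outbound SSL to a short list of sites, and turn on proxy authentication so you can see what tunnels have been riding through the firewall) can be checked against existing proxy logs before any rule is changed. The script below is an added example, not code from the thread or from any list member; it assumes a Squid-style "native" access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, type), a hypothetical whitelist of permitted SSL destinations, and log lines that are constructed here for illustration. It reports CONNECT tunnels that are unauthenticated, that go to a port other than 443, or that go somewhere outside the whitelist, and summarizes which SSL sites each user has actually been reaching.

```python
"""Audit outbound CONNECT (SSL tunnel) traffic from a Squid-style access log.

Added example for the discussion above; not part of the original message.
The log lines in SAMPLE_LOG are constructed for illustration and follow the
default Squid "native" access.log layout:
  time elapsed client result/status bytes method URL user hierarchy/peer type
"""
from collections import defaultdict

# Hypothetical policy: the only SSL destination the user is allowed to tunnel to.
ALLOWED_SSL_SITES = {"www.example-bank.com"}

# Constructed sample log. Line 3 is the kind of thing that turns up once
# authentication is switched on: an unauthenticated CONNECT to port 22 that
# stayed open for ten minutes and moved ~10 MB (an SSH tunnel, not banking).
SAMPLE_LOG = """\
1001959355.123    412 10.1.2.3  TCP_MISS/200 18432   CONNECT www.example-bank.com:443 awalker DIRECT/192.0.2.10 -
1001959402.001   8921 10.1.2.3  TCP_MISS/200 251233  CONNECT www.example-bank.com:443 awalker DIRECT/192.0.2.10 -
1001959510.550 600003 10.1.2.77 TCP_MISS/200 9823311 CONNECT 198.51.100.23:22 - DIRECT/198.51.100.23 -
1001959611.010    120 10.1.2.90 TCP_MISS/200 1200    CONNECT mail.example.net:443 jsmith DIRECT/203.0.113.5 -
1001959700.000    300 10.1.2.3  TCP_MISS/200 2200    GET http://www.example.org/ awalker DIRECT/203.0.113.9 text/html
"""


def parse_line(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {
        "ts": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": f[3],
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "user": f[7],
    }


def split_connect_target(url):
    """CONNECT requests carry host:port rather than a full URL."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None          # no port logged; treat as unknown
    return host, int(port)


def audit_connects(log_text, allowed_sites):
    """Return policy findings for every CONNECT tunnel plus a per-user site map.

    Each finding is a dict with kind, client, user, dest and port. Kinds:
      unauthenticated  - tunnel opened without a proxy-authenticated user
      non-ssl-port     - tunnel to something other than 443 (likely not HTTPS)
      not-whitelisted  - destination outside allowed_sites
    """
    findings = []
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue                # only tunnels are of interest here
        host, port = split_connect_target(rec["url"])
        user = rec["user"]
        per_user[user].add(host)
        base = {"client": rec["client"], "user": user, "dest": host, "port": port}
        if user == "-":
            findings.append({"kind": "unauthenticated", **base})
        if port != 443:
            findings.append({"kind": "non-ssl-port", **base})
        if host not in allowed_sites:
            findings.append({"kind": "not-whitelisted", **base})
    return {
        "findings": findings,
        "per_user": {u: sorted(hosts) for u, hosts in per_user.items()},
    }


if __name__ == "__main__":
    report = audit_connects(SAMPLE_LOG, ALLOWED_SSL_SITES)
    for f in report["findings"]:
        print(f"{f['kind']:16} {f['client']:10} user={f['user']:8} "
              f"{f['dest']}:{f['port']}")
    for user, hosts in sorted(report["per_user"].items()):
        print(f"{user}: {', '.join(hosts)}")
```

Run against a real access.log the same way; the "unauthenticated" and "non-ssl-port" findings are the ones that usually surprise people, and the per-user map is a ready-made starting point for the short whitelist the reply suggests.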
Current thread:
- RE: SSL banking connections out of the firms firewall Henry Sieff (Oct 01)
- <Possible follow-ups>
- Re: SSL banking connections out of the firms firewall Rick Smith at Secure Computing (Oct 01)
- Re: SSL banking connections out of the firms firewall Paul D. Robertson (Oct 02)
- Re: SSL banking connections out of the firms firewall Illes Marci (Oct 11)