Firewall Wizards mailing list archives

Re: SSL banking connections out of the firms firewall


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 1 Oct 2001 14:02:35 -0400 (EDT)

On Thu, 27 Sep 2001, Walker Andrew wrote:

> Hi,
>
> I recently received a request from a user wanting to do his private banking
> via an SSL connection negotiated from his client laptop (company issue,
> connected to the internal LAN) to his bank's server through the corporate
> firewall.
>
> I read up about SSL as a protocol and about public key encryption, but I'm
> still undecided.  I have no help from the firm's Internet policy to guide me,
> so I'm looking for advice regarding how one would go about allowing it by a
> rule on FW1, if there are any security risks to be aware of, and also if
> anyone has any guidelines or experience of Internet policies that deal with
> this kind of Internet usage from within the firm.
>
> Thanks in advance

I stopped trying a long time ago to get commercial firewall vendors
to MITM SSL legitimately for corporate networks.  There are now some MITM
programs available though, so if you want to make the connection as "bad"
as a normal HTTP connection (which is bad enough IMO) then you can
probably hack something up after several minutes of Web searching.

I've also considered playing with ProxyRemote and URL rewriting, which is
another good MITM vector for SSL.

There are lots of legal/privacy issues surrounding such implementations
though.

What I've been interested in doing in the past was remote display to a
secured host on the DMZ or Service Network- removing the problem on all
HTTP/HTTPS tunnels.  Since you're then in control of the machine doing the
browsing, active content issues and anti-malcode issues are as good as
your system administration policies are implemented.

Depending on your privacy policies, I'd make it very clear to employees
that their traffic _could_ be legitimately monitored in either case,
especially during diagnostics, or if the company were complying with a
court order.

Your policy should be changed to account for anything you're doing
operationally.  There are lots of SSL sites out there, and you should deal
with things like SSL remote control of company-owned computers from
outside via both policy and practice.

The other thing to consider is limiting SSL access to a small number of
sites, or setting up a small SSL-only proxy with user authentication
(preferably via one-time tokens if you want to stop outbound tunneling)
for specific users.  

Turning on authentication for http/https is a very fun game if you use
single-use passwords via tokens; you'd be surprised at what "breaks"
that's been going through your "firewall" for months.  I'd recommend
everyone who can have at least one shot at playing.

Personal usage should be outlined- when it is and isn't appropriate, no
matter if it's SSL or HTTP, or SMTP.  Someone should make an analysis of
if it's worth the company's time for the administrator to support such
usage, including time spent analyzing logs, doing a risk assessment,
changing policy documents, etc. before you go too much further down the
road.  It's always fun to have the user draft up their business
justification for access that is currently denied as well.

If you're allowing HTTP, allowing HTTPS probably doesn't alter your risk
profile much unless you're employing IDS, active content filtering, or
other such mechanisms.

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
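Two of the suggestions above (limit SSL access to a small number of sites, and turn on proxy authentication and then look at what has been tunnelling through the firewall) are easy to act on from proxy logs. The following is an added example, not code from the original thread or from any product discussed in it. It assumes Squid-style native access.log lines, where HTTPS tunnels appear as CONNECT requests; the log lines and the allowlist host are constructed for illustration.

```python
"""Review proxy CONNECT (HTTPS tunnel) activity against a small SSL allowlist.

Added example, not from the original thread. Assumes Squid-style native
access.log lines; every log line below is constructed for illustration.
"""
import re
from collections import Counter

# Hypothetical allowlist: the only hosts users may reach over SSL.
ALLOWED_SSL_HOSTS = {"onlinebank.example.com"}

# Constructed Squid native-format lines:
# time elapsed_ms client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1001957600.123 4521 10.0.0.5 TCP_TUNNEL/200 18234 CONNECT onlinebank.example.com:443 alice DIRECT/203.0.113.10 -
1001957601.440 3600000 10.0.0.7 TCP_TUNNEL/200 52428800 CONNECT relay.example.net:443 bob DIRECT/198.51.100.7 -
1001957602.001 120000 10.0.0.9 TCP_TUNNEL/200 40960 CONNECT remote-control.example.org:8443 carol DIRECT/198.51.100.9 -
1001957603.200 310 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ alice DIRECT/93.184.216.34 text/html
1001957604.555 2000 10.0.0.11 TCP_TUNNEL/200 9000 CONNECT onlinebank.example.com:443 - DIRECT/203.0.113.10 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def parse_connects(text):
    """Return one record per CONNECT line; plain HTTP requests are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        host, _, port = m.group("url").rpartition(":")
        records.append({
            "client": m.group("client"),
            "user": m.group("user"),          # "-" means no authenticated user
            "host": host,
            "port": int(port),
            "seconds": int(m.group("elapsed")) / 1000.0,
            "bytes": int(m.group("size")),
        })
    return records


def review_tunnels(records, allowed_hosts, long_session_s=600,
                   big_bytes=10 * 1024 * 1024):
    """Flag tunnels that an SSL-only, authenticated policy would not expect.

    Thresholds are arbitrary defaults; tune them to the site's own traffic.
    """
    findings = []
    for r in records:
        reasons = []
        if r["host"] not in allowed_hosts:
            reasons.append("host not on SSL allowlist")
        if r["port"] != 443:
            reasons.append("non-standard SSL port")
        if r["user"] == "-":
            reasons.append("no authenticated user")
        if r["seconds"] >= long_session_s or r["bytes"] >= big_bytes:
            reasons.append("long-lived or high-volume tunnel")
        if reasons:
            findings.append({"user": r["user"], "client": r["client"],
                             "host": r["host"], "port": r["port"],
                             "reasons": reasons})
    return findings


def summarize(findings):
    """Count how often each reason fires, for a quick policy-gap overview."""
    return Counter(reason for f in findings for reason in f["reasons"])


if __name__ == "__main__":
    found = review_tunnels(parse_connects(SAMPLE_LOG), ALLOWED_SSL_HOSTS)
    for f in found:
        print(f"{f['user']:>6} {f['client']:>10} {f['host']}:{f['port']}  "
              + "; ".join(f["reasons"]))
    print(summarize(found))
```

On the constructed sample, the banking session by an authenticated user to the allowlisted host produces no finding, while the hour-long tunnel to an unlisted host, the 8443 tunnel, and the unauthenticated tunnel each do. The same loop run over a real log after authentication is switched on is the "what breaks" exercise described above.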
