Firewall Wizards mailing list archives

Re: SSL


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Fri, 19 Oct 2001 10:36:30 +0200

Hi!


My mailer thinks that Frederick M Avolio wrote the following:

Yes. The firewall cannot examine it because the data is encrypted. SSL 

No, it can. Look at Zorp.

My mailer thinks that Patrick M. Hausen wrote the following:
From a theoretical point of view:

Most of the time SSL connections are used for server side authentication
(am I really dealing with Mumbleco Inc.?) and encryption. It's what
users think of as "secure web browsing". Honestly, we can forget about
the authentication issues, because most users will click <accept>
for any certificate they are presented :-/

With Zorp, you can even be smarter than the user. You can
check the certificate, either by public key, signer certificate,
etc.

That leaves us with encryption, which can easily be dealt with by
a man-in-the-middle approach which would permit your firewall to read
everything in the clear and, e.g., check for viruses or other malware.

(Just as an aside, this is what IPSec's AH explicitly forbids - it enforces
 end-to-end security that can't be intercepted - unless someone knows the
 private keys involved)

You can do MIMD with AH as well. It is a matter of key handling and trust
relationship, not plain technology.


Theoretically ...
[]
Unfortunately I'm not aware of any product that actually does this.

Actually Zorp does just this.

My mailer thinks that Ames, Neil wrote the following:
I am baffled by how a proxy would handle the SSL exchange.  Aside from all
other issues related to this thread--such as defenses at the client, or the
break in end-to-end encryption--what is right or wrong with the following?

1) A user hits an SSL site with a cert (that the user's browser may or may
not trust, and the firewall's proxy may or may not trust).  
2) The proxy lets the user determine that the proxy is going to trust the
cert, according to some policy rule that allows that.
3) Proxy manages, somehow, to act as intermediary.  (This is what I don't
get.)
4) The proxy sets up the SSL tunnel with the remote site.
5) The proxy sets up the SSL tunnel with the user's browser.
6) The proxy checks everything as it hands pieces of the user-Web site
exchange, filtering according to policy.

What am I missing, particularly in how steps 3 and 5 would work?

The point is that the proxy uses certs signed by a CA trusted by the user.
In the real world, it should be a local CA, and the user should be educated about the
fact that any key and traffic signed by this CA is intercepted and checked.
There are two hard questions:
        -Trust relationship between the user and the local CA. This question
                is out of the domain of technology, but very important.
        -Technical issues related to the process of generating the keys when
                multiple server and user keys should be used.

Those problems are solvable in concrete cases, but I don't think that there is a 
one-size-fits-all solution.

-- 
GNU GPL: only from a pure source
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards