Firewall Wizards mailing list archives
Re: SSL
From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Fri, 19 Oct 2001 10:36:30 +0200
Hi!
My mailer thinks that Frederick M Avolio wrote the following:
Yes. The firewall cannot examine it because the data is encrypted. SSL
No, it can. Look at Zorp.
My mailer thinks that Patrick M. Hausen wrote the following:
From a theoretical point of view: Most of the time SSL connections are used for server side authentication (am I really dealing with Mumbleco Inc.?) and encryption. It's what users think of as "secure web browsing". Honestly, we can forget about the authentication issues, because most users will click <accept> for any certificate they are presented :-/
With Zorp, you can even be smarter than the user. You can check the certificate, either by public key, signer certificate, etc.
That leaves us with encryption, which can easily be dealt with by a man-in-the-middle approach which would permit your firewall to read everything in the clear and, e.g., check for viruses or other malware. (Just as an aside, this is what IPSec's AH explicitly forbids - it enforces end-to-end security that can't be intercepted - unless someone knows the private keys involved)
You can do MIMD with AH as well. It is a matter of key handling and trust relationship, not plain technology.
Theoretically ...
[]
Unfortunately I'm not aware of any product that actually does this.
Actually Zorp does just this.
My mailer thinks that Ames, Neil wrote the following:
I am baffled by how a proxy would handle the SSL exchange. Aside from all other issues related to this thread--such as defenses at the client, or the break in end-to-end encryption--what is right or wrong with the following?
1) A user hits an SSL site with a cert (that the user's browser may or may not trust, and the firewall's proxy may or may not trust).
2) The proxy lets the user determine that the proxy is going to trust the cert, according to some policy rule that allows that.
3) Proxy manages, somehow, to act as intermediary. (This is what I don't get.)
4) The proxy sets up the SSL tunnel with the remote site.
5) The proxy sets up the SSL tunnel with the user's browser.
6) The proxy checks everything as it hands pieces of the user-Web site exchange, filtering according to policy.
What am I missing, particularly in how steps 3 and 5 would work?
The point is that the proxy uses certs signed by a CA trusted by the user. In the real world, it should be a local CA, and the user should be educated about the fact that any key and traffic signed by this CA is intercepted and checked.
There are two hard questions:
- Trust relationship between the user and the local CA. This question is out of the domain of technology, but very important.
- Technical issues related to the process of generating the keys when multiple server and user keys should be used.
Those problems are solvable in concrete cases, but I don't think that there is a one-fits-all solution.
--
GNU GPL: only from a clean source
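
The arrangement discussed in this message, as an added example that is not part of the original post and is not Zorp's code: a certificate issued by a local CA for the browser-side leg validates only where that CA is trusted, and a public-key check tells it apart from the server's own certificate. It assumes the `openssl` command-line tool; the CA names, file names and `www.example.test` are constructed.

```shell
#!/bin/sh
# Added illustration; CA names, file names and www.example.test are constructed.

# Create a self-signed CA named $2 in directory $1.
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    'x509_extensions=v3_ca' '[dn]' "CN=$2" '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a certificate for host $4, signed by CA $2, as $1/$3.pem.
issue_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$4" > "$1/$3.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" -config "$1/$2.cnf" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 7 -extfile "$1/$3.ext" -out "$1/$3.pem" 2>/dev/null
}

# True only if cert $2 chains to trust anchor $1 and is valid for host $3.
trusts() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# SHA-256 of the certificate's public key: what a public-key check compares.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

d=$(mktemp -d)
make_ca "$d" public-ca   # stands in for the CA that signed the real server
make_ca "$d" local-ca    # the site's own CA, installed on user machines
issue_leaf "$d" public-ca origin www.example.test  # server -> proxy leg
issue_leaf "$d" local-ca minted www.example.test   # proxy -> browser leg
trusts "$d/local-ca.pem" "$d/minted.pem" www.example.test &&
  echo "browser trusting local-ca: accepts the proxy's certificate"
trusts "$d/public-ca.pem" "$d/minted.pem" www.example.test ||
  echo "browser without local-ca: rejects it"
echo "origin key: $(spki_pin "$d/origin.pem")"
echo "minted key: $(spki_pin "$d/minted.pem")"
```

The two printed key hashes always differ, which is why the local CA's presence in the trust store is the only thing making the browser-side certificate acceptable.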