Firewall Wizards mailing list archives
RE: SSL
From: Illes Marci <illes () c3 hu>
Date: Thu, 18 Oct 2001 21:33:46 +0200 (CEST)
On Wed, 17 Oct 2001, Scott, Richard wrote:
> reading the archives in this mailing list you can have a sense of what the professionals are considering... if you want to do packet inspection on SSL, you may need to proxy the SSL data to be able to inspect it. BTW - Does anyone have any pointers to be able to do SSL packet inspection on the data?
Hi,

I have already written about Zorp (http://www.balabit.hu), which is a firewall suite that has an SSL proxy, which you can combine with any other module (http, pop3, imap, etc.). It makes a MITM attack, so it is pretty hard to do SSL-key based auth. Though it can check the validity of the certificates, giving the proxy the CAs' certs.

With Zorp you can even do more tricky things: have a nontransparent http proxy, which correctly handles the CONNECT method, by calling an SSL proxy, which embeds another HTTP proxy. In this way no ICQ, or any other unauthorized clients can get through your firewall.

    --->[HTTP]
          \
           \ CONNECT
            \
            [SSL-PROXY]---->
              |   /|\
             \|/   |
            [HTTP-PROXY]

Getting SSL through your firewall is always a tricky issue, but also SSL across your firewall is a covert channel, and a potential hole!

I hope I could help you, and feel free to ask me more on Zorp.

Sorry for my bad English.

bye,
Marci

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
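The three-stage chain in the message above (outer HTTP proxy handling CONNECT, SSL proxy, inner HTTP proxy), as an added Python sketch that is not part of the original post and is not Zorp code. All function names, the allowed port and method lists, and the sample bytes are assumptions made for illustration; the plaintext is passed in directly where a real SSL proxy would first terminate the session, and only the SSLv3/TLS record format is recognised.

```python
import re
import struct

ALLOWED_PORTS = (443,)                      # assumed policy
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed policy
CONNECT_LINE = re.compile(rb"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]\r\n")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def parse_connect(line: bytes):
    """Outer HTTP proxy: accept CONNECT only to permitted ports."""
    m = CONNECT_LINE.match(line)
    if not m or int(m.group(2)) not in ALLOWED_PORTS:
        return None
    return m.group(1).decode(), int(m.group(2))

def looks_like_tls_client_hello(data: bytes) -> bool:
    """SSL proxy: the tunnel must open with a handshake record holding a ClientHello."""
    if len(data) < 6:
        return False
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    # 0x16 = handshake record, major 3 = SSLv3/TLS, first handshake byte 0x01 = ClientHello
    return ctype == 0x16 and major == 0x03 and 0 < length <= 16384 and data[5] == 0x01

def inner_http_ok(plaintext: bytes) -> bool:
    """Inner HTTP proxy: decrypted payload must begin with an allowed HTTP request."""
    m = REQUEST_LINE.match(plaintext)
    return bool(m) and m.group(1) in ALLOWED_METHODS

def admit(connect_line: bytes, first_tunnel_bytes: bytes, decrypted: bytes):
    """Return (verdict, stage that decided) for one connection attempt."""
    if parse_connect(connect_line) is None:
        return ("deny", "http-connect")
    if not looks_like_tls_client_hello(first_tunnel_bytes):
        return ("deny", "ssl-proxy")
    if not inner_http_ok(decrypted):
        return ("deny", "inner-http")
    return ("allow", "inner-http")

# Constructed sample inputs (not captured traffic).
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 46
NOT_TLS = b"\x02\x00\x00\x00LOGIN"           # made-up binary chat protocol
CONNECT_443 = b"CONNECT www.example.com:443 HTTP/1.0\r\n"

if __name__ == "__main__":
    print(admit(CONNECT_443, HELLO, b"GET / HTTP/1.0\r\n"))
    print(admit(CONNECT_443, NOT_TLS, b""))
    print(admit(CONNECT_443, HELLO, NOT_TLS))
```

The third case is the one the message is about: a client that speaks valid SSL inside the CONNECT tunnel but carries something other than HTTP is only caught by the inner proxy.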