Firewall Wizards mailing list archives

RE: SSL


From: Illes Marci <illes () c3 hu>
Date: Thu, 18 Oct 2001 21:33:46 +0200 (CEST)


On Wed, 17 Oct 2001, Scott, Richard wrote:

> Reading the archives of this mailing list you can get a sense of what the
> professionals are considering... if you want to do packet inspection on SSL,
> you may need to proxy the SSL data to be able to inspect it.
>
> BTW - Does anyone have any pointers to be able to do SSL packet inspection on
> the data?

Hi,

I have already written about Zorp (http://www.balabit.hu), which is a
firewall suite that has an SSL proxy, which you can combine with any
other module (http, pop3, imap, etc.). It performs a MITM attack, so it is
pretty hard to do SSL key-based auth. It can, though, check the validity of
the certificates if you give the proxy the CA certs.

With Zorp you can do even more tricky things:
 have a non-transparent HTTP proxy that handles the CONNECT method correctly,
by calling an SSL proxy which embeds another HTTP proxy. In this way
no ICQ or any other unauthorized client can get through your
firewall.

--->[HTTP]
      \
       \ CONNECT
        \
       [SSL-PROXY]---->
        |     /|\
       \|/     |
      [HTTP-PROXY]


Getting SSL through your firewall is always a tricky issue, but SSL
across your firewall is also a covert channel, and a potential hole!

I hope I could help you; feel free to ask me more about Zorp. Sorry for
my bad English.

bye,

Marci




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
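The CONNECT-then-SSL-proxy handoff sketched in the message above, as an added example that is not Zorp's code and not part of the original post: a policy check, in Python, that a front (non-transparent) HTTP proxy could run before handing a CONNECT tunnel to an SSL proxy. It assumes a single allowed TLS port (443), and it peeks at the client's first bytes inside the tunnel to confirm they are a TLS ClientHello whose SNI, if present, matches the CONNECT host; since SNI did not exist when this mail was written, a ClientHello without it is tolerated. The ClientHello builder and every byte string are constructed sample input, not captured traffic; `ALLOWED_TLS_PORTS`, `admit_tunnel` and the other names are this example's own.

```python
"""Gate a CONNECT tunnel before it is handed to an SSL (MITM) proxy.

Added example, not Zorp code. Two checks:
  1. the CONNECT target must use an allowed TLS port (assumption: only 443);
  2. the first bytes the client sends must be a TLS ClientHello, and its SNI
     (when present) must name the CONNECT host.
Anything else (ICQ, SSH, plain HTTP wrapped in CONNECT) is refused rather than
tunnelled blind, which is the point of putting an SSL proxy behind CONNECT.
"""
import re
import struct

ALLOWED_TLS_PORTS = {443}   # assumption for this example

# First request line only: CONNECT host:port HTTP/1.x
CONNECT_LINE = re.compile(rb"^CONNECT[ \t]+([A-Za-z0-9.\-]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")


def parse_connect(request):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    m = CONNECT_LINE.match(request)
    if not m:
        return None
    return m.group(1).decode("ascii").lower(), int(m.group(2))


def client_hello_sni(data):
    """Inspect the client's first bytes in the tunnel.

    Returns (True, sni) for a TLS ClientHello (sni is None when the extension is
    absent) and (False, None) for anything that is not a ClientHello.
    """
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03:
        return False, None
    if data[5] != 0x01:                              # handshake type: client_hello
        return False, None
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) < hs_len:                           # truncated: do not guess
        return False, None
    try:
        pos = 2 + 32                                 # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len      # session id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = body[pos]; pos += 1 + comp_len    # compression methods
        if pos >= len(body):
            return True, None                        # no extensions block at all
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0:                           # server_name extension
                list_len = struct.unpack(">H", edata[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = edata[p]
                    nlen = struct.unpack(">H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                   # host_name
                        return True, edata[p:p + nlen].decode("ascii").lower()
                    p += nlen
        return True, None
    except (IndexError, struct.error, UnicodeDecodeError):
        return False, None                           # malformed: refuse


def admit_tunnel(request, first_client_bytes):
    """Decide whether the CONNECT tunnel may be handed to the SSL proxy."""
    target = parse_connect(request)
    if target is None:
        return False, "not a CONNECT request"
    host, port = target
    if port not in ALLOWED_TLS_PORTS:
        return False, "port %d is not an allowed TLS port" % port
    is_tls, sni = client_hello_sni(first_client_bytes)
    if not is_tls:
        return False, "client data is not a TLS ClientHello"
    if sni is not None and sni != host:
        return False, "SNI %r does not match CONNECT host %r" % (sni, host)
    return True, "hand off to SSL proxy for %s:%d" % (host, port)


def build_client_hello(sni=None):
    """Construct a minimal ClientHello (constructed sample input, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # host_name entry
        sni_data = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random
            + b"\x00"                                    # empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00")                               # null compression only
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    req = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
    print(admit_tunnel(req, build_client_hello("mail.example.com")))
    print(admit_tunnel(req, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"))  # not TLS
```

A real front proxy would run this on the first client read after answering `200 Connection established`, then splice the connection into the SSL proxy only on a `True` result; the SNI check stops a client from naming one host in CONNECT and handshaking with another, and the port restriction keeps CONNECT from becoming a generic TCP relay for ICQ-style clients.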

