Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem --
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 17 Jul 2006 09:52:24 -0400 (EDT)
On Tue, 11 Jul 2006, Marcus J. Ranum wrote:
> "After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network.

It'd be interesting to know if it was protective or reactive blocking -- it may just be that the IPS couldn't deal with that traffic so they decided to punt it, or it may be they finally have the authority to block something they've wanted to block -- we used to have a state.gov poster; if he's still around it'd be nice to know if we're at the event horizon yet...

> Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on."
>
> So, reading between the lines, it would appear that the bad guys were using SSL egress as a conduit. Some of us (me, Paul, Fred..) were predicting back in the mid-1990's that this would eventually be a problem.
>
> I hate it when we're right...
>
> So perhaps a bit of this message is "I told you so!" but it does raise an interesting question. Once you've got a user base that is accustomed to being able to send arbitrary encrypted streams out through your firewall, what ARE you going to do when the bad guys start tunnelling in with your "authorized" data?

IDS! No, IPS! No, SSL Firewalls!!!!! We're way beyond the generic protection mechanism stage, simply because HTTP tunnels have driven us there. SSL tunnels won't change that, so here's your next big great market opportunity...

> In Marcus-land, it seems an act of insanity to allow (anyone inside) -> (anyplace outside) SSL connectivity. For exactly the reasons that State appears to be in the process of discovering. What are most organizations doing about this?? Do most security managers have their heads still firmly in the sand on this topic? I trust that everyone realizes that it's going to get worse, not better, right?

Most security managers have their heads firmly planted somewhere -- normally it's in a vendor's sandpile ;)

> As far as I can see, the endgame is going to be one of two things.
>
> - Organizations are going to try to add signature-style controls to SSL transactions and are going to rely on "man in the middle" style interception tricks and (call 'em what you want) signatures to detect malicious traffic
>
> - Organizations are going to have to positively identify sites with which it is necessary/appropriate to do SSL transactions
>
> I don't see a lot of future in EITHER of those options. The first one falls apart really fast if anyone ever fixes SSL's certificate trust model (not highly likely) but since it's signature-based it'll fail when the hackers add superencryption to their command streams. The second option would have worked if it had been approached 10 years ago but ironically there's finally enough SSL being used that it's probably too late. And reining it in would be bad, anyhow.
>
> So what happens? Is the long term prognosis as bad as I think it is? I'm just afraid that the hackers, malcode-writers, and botnetters of the world are going to have an impact on the entire Internet that is comparable to the impact that the spammers have had on Email systems: namely, they have degraded the value and raised the costs of the system to the point where it's worth 1/100th of what it should be. As many of you have noticed, this boils my blood. Someone, please - tell me I am wrong and that somehow it'll get fixed soon.
I dunno -- wanna form a software start-up? I've got a couple of ideas. Our motto could be "We sell you expensive stuff because you were too stupid to listen to us when it was a cheap problem to fix."

Paul "I should probably be running to the patent office" Robertson
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net      which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
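The second endgame Marcus lists above, positively identifying the sites to which SSL egress is permitted, can be enforced at the egress point by reading the destination name out of the TLS ClientHello (the server_name / SNI extension) and matching it against an allowlist, while treating anything on port 443 that is not a ClientHello as the tunnel it probably is. The following is an added example written for this archive page; it is not code from either poster or from any product mentioned in the thread. The allowlist hostnames (bank.example, mail.example) and the ClientHello bytes are constructed for the demonstration.

```python
import struct

# Hypothetical allowlist of destinations with which SSL/TLS egress is permitted.
ALLOWED_SNI = {"bank.example", "mail.example"}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record.

    Constructed test input for this example, not a captured packet.
    If server_name is given, a server_name (SNI) extension is included.
    """
    body = b"\x03\x03" + bytes(32)          # client_version, 32-byte random
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\xc0\x2f"              # one cipher suite
    body += b"\x01\x00"                      # one compression method (null)
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_sni(data):
    """Return the host_name from a ClientHello's SNI extension.

    Returns None for a well-formed ClientHello without SNI and raises
    ValueError if the bytes are not a TLS handshake record carrying a ClientHello.
    Every length field is checked so junk sent to port 443 cannot cause out-of-range reads.
    """
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                    # skip client_version + random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos >= len(body):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # server_name: 2-byte list length, then (name_type, 2-byte length, name) entries
        lpos = 2
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + nlen]
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii")
            lpos += 3 + nlen
    return None


def egress_decision(first_bytes, allowlist=ALLOWED_SNI):
    """Decide whether an outbound 443 connection may proceed, from its first client bytes.

    Returns (decision, reason). Anything that is not a ClientHello naming an
    allowlisted host is denied: an unidentified destination is exactly the
    tunnel this control exists to stop, not a case to wave through.
    """
    try:
        sni = parse_sni(first_bytes)
    except (ValueError, IndexError, struct.error):
        return ("DENY", "not a TLS ClientHello; treat as a tunnel")
    if sni is None:
        return ("DENY", "ClientHello carries no SNI; destination not identified")
    if sni.lower() in allowlist:
        return ("ALLOW", sni)
    return ("DENY", "SNI %r not on allowlist" % sni)


if __name__ == "__main__":
    samples = {
        "bank": build_client_hello("bank.example"),
        "unknown": build_client_hello("evil.example"),
        "no-sni": build_client_hello(),
        # Constructed non-TLS payload: plain HTTP (or anything else) pushed out over 443.
        "http-on-443": b"GET / HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    }
    for label, payload in samples.items():
        print(label, egress_decision(payload))
```

Two caveats a practitioner needs before deploying anything like this. The SNI is asserted by the client and is not authenticated, so a tunnel can simply claim an allowlisted name; the check has to be paired with verifying that the certificate the server actually presents matches that name (or with a proxy that terminates the connection), and a TLS client that hides the name, as newer encrypted ClientHello designs do, can only be handled as "not identified". And even a correctly identified, allowlisted destination carries whatever the client puts inside the tunnel, which is the superencryption objection Marcus raises against the signature approach; positive identification narrows where data can go, it does not tell you what the data is.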
Current thread:
- The Outgoing Traffic Problem -- Marcus J. Ranum (Jul 17)
- Re: The Outgoing Traffic Problem -- Paul D. Robertson (Jul 17)
- Re: The Outgoing Traffic Problem -- R. DuFresne (Jul 21)
- Re: The Outgoing Traffic Problem -- damnliberals (Jul 19)
- PIX monitoring and fine tunning question Shahin Ansari (Jul 20)
- Re: The Outgoing Traffic Problem -- Carson Gaspar (Jul 26)
- Re: The Outgoing Traffic Problem -- Paul D. Robertson (Jul 17)