Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem --
From: Carson Gaspar <carson () taltos org>
Date: Tue, 25 Jul 2006 15:16:05 -0700
--On Tuesday, July 11, 2006 9:51 PM -0400 "Marcus J. Ranum" <mjr () ranum com> wrote:
> As far as I can see, the endgame is going to be one of two things.
> - Organizations are going to try to add signature-style controls to SSL transactions and are going to rely on "man in the middle" style interception tricks and (call 'em what you want) signatures to detect malicious traffic
> - Organizations are going to have to positively identify sites with which it is necessary/appropriate to do SSL transactions
I really wish I'd gone & patented my "benevolent dictator MITM attack" back in '96, but I was/am too damned lazy... I haven't looked at the current crop of commercial MITM SSL proxies, but one simple method of weeding out some naughty connections is for the proxy to enforce server cert validity (with the inevitable exception list for crap sites that we nonetheless must do business with). I suspect this would stop a large percentage of HTTPS phone-home schemes, unless they're using hijacked sites' legitimate certs. Of course that's just another finger in one of many holes in the dike.

Personally, I'd love to deploy a dual client environment using some syscall ACL tech. Normal apps have full (well, normal user) local privs, but may only go to whitelisted sites off net. To access random cruft, a user must use a sandboxed app that is allowed to do very little indeed. I _think_ this would be a decent tradeoff that would allow crap 3rd party apps to work, and allow users to visit their favorite malware-infected sites without sideswiping the rest of the company on the way. Of course, enforcing that only the sandboxed app can get at the default-permit proxy is an interesting technical and political problem...

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
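As an added illustration that is not part of Carson's post (nor code from any proxy product he mentions), the Go program below models the two policies described in the message: a MITM proxy that enforces server certificate validity (chain to a trusted root, validity period, hostname match) with an exception list for sites the business must tolerate, and the dual-client split in which normal apps may only reach whitelisted sites while the sandboxed client gets default-permit, still subject to the certificate check. The CA, the server certificates and every hostname are constructed in memory; the `Proxy` type, its `Decide` method and the "normal"/"sandboxed" client classes are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Decision is what the hypothetical proxy does with a client's CONNECT to a host.
type Decision string

const (
	Allow          Decision = "allow"
	AllowException Decision = "allow despite bad cert (exception list)"
	Block          Decision = "block"
)

// Client classes from the "dual client" idea (assumed names for this example).
const (
	NormalApp    = "normal"    // full local privs, whitelisted sites only
	SandboxedApp = "sandboxed" // minimal local privs, default-permit proxy
)

// Proxy holds the policy state; all of it is constructed for this example.
type Proxy struct {
	Roots      *x509.CertPool  // CAs the proxy trusts when validating server certs
	Whitelist  map[string]bool // hosts normal (non-sandboxed) apps may reach
	Exceptions map[string]bool // hosts whose broken certs the business tolerates
}

// Decide applies the policy to one connection: client class, target host and
// the certificate chain the server presented (leaf first).
func (p *Proxy) Decide(client, host string, chain []*x509.Certificate) (Decision, error) {
	if client == NormalApp && !p.Whitelist[host] {
		return Block, fmt.Errorf("%s is not on the whitelist for normal apps", host)
	}
	if len(chain) == 0 {
		return Block, errors.New("server presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// Full validation: trusted issuer, validity window, and hostname match.
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: inter, DNSName: host})
	if err == nil {
		return Allow, nil
	}
	if p.Exceptions[host] {
		return AllowException, err // the failure is still worth logging
	}
	return Block, err
}

// makeCert issues a server (or CA) cert for dnsName; parent == nil means self-signed.
func makeCert(dnsName string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent was given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenarios builds a constructed corporate root plus good, expired and self-signed
// server certs, runs representative connections through the policy, and returns
// the decisions keyed by "client:host".
func Scenarios() (map[string]Decision, error) {
	now := time.Now()
	ca, caKey, err := makeCert("Constructed Corp Root", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _, err1 := makeCert("bank.example", false, now.Add(-time.Hour), now.Add(24*time.Hour), ca, caKey)
	expired, _, err2 := makeCert("legacy.example", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	selfSigned, _, err3 := makeCert("updates.example", false, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	p := &Proxy{Roots: roots,
		Whitelist:  map[string]bool{"bank.example": true, "legacy.example": true},
		Exceptions: map[string]bool{"legacy.example": true}}
	cases := []struct {
		client, host string
		chain        []*x509.Certificate
	}{
		{SandboxedApp, "bank.example", []*x509.Certificate{good}},          // valid cert, default-permit
		{NormalApp, "bank.example", []*x509.Certificate{good}},             // valid cert, whitelisted
		{NormalApp, "updates.example", []*x509.Certificate{selfSigned}},    // not whitelisted
		{SandboxedApp, "updates.example", []*x509.Certificate{selfSigned}}, // untrusted issuer
		{SandboxedApp, "legacy.example", []*x509.Certificate{expired}},     // expired, but on exception list
		{SandboxedApp, "other.example", []*x509.Certificate{good}},         // hostname mismatch
	}
	out := map[string]Decision{}
	for _, c := range cases {
		d, err := p.Decide(c.client, c.host, c.chain)
		out[c.client+":"+c.host] = d
		fmt.Printf("%-9s %-16s -> %-40s %v\n", c.client, c.host, d, err)
	}
	return out, nil
}

func main() {
	if _, err := Scenarios(); err != nil {
		panic(err)
	}
}
```

The whitelist check runs before the certificate check so that a normal app never even completes a TLS handshake to an unlisted host; the exception list only downgrades a block to an allow-with-logging, it never skips validation, which keeps the proxy's log as the place where certificate failures on tolerated sites remain visible.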