Firewall Wizards mailing list archives

Re: Firewall best practices

From: <lordchariot () embarqmail com>
Date: Wed, 28 Apr 2010 01:15:51 -0400


Speaking of rogue root CAs. Mozilla recently discovered a CA they couldn't
account for that was presumably from RSA.
http://blogs.zdnet.com/security/?p=6016&tag=nl.e589

They have since confirmed its authenticity in an update, but can you imagine
if a nefarious CA got embedded into the browser?

Meh, it actually probably wouldn't make much difference anyway. Users are
just going to click OK anyway to bypass the warning...sigh.

-erik

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-
wizards-bounces () listserv icsalabs com] On Behalf Of Fetch, Brandon
Sent: Tuesday, April 27, 2010 12:13 PM
To: Firewall Wizards Security Mailing List
Cc: mjr () ranum com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

Too late:
http://files.cloudprivacy.net/ssl-mitm.pdf

And these devices are already in deployment...now, imagine one of these
with a wildcard certificate running at a coffee house, or at the
aggregation point within a provider's CO POP...

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-
wizards-bounces () listserv icsalabs com] On Behalf Of John Morrison
Sent: Tuesday, April 27, 2010 5:45 AM
To: Firewall Wizards Security Mailing List
Cc: mjr () ranum com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

On 23 April 2010 20:18,  <david () lang hm> wrote:

On Fri, 23 Apr 2010, Martin Barry wrote:

$quoted_author = "Marcus J. Ranum" ;


That's why firewalls need to go back to doing what they
originally did, and parsing/analyzying the traffic that
flows through them, rather than "stateful packet
inspection" (which, as far as I can tell, means that
there's a state-table entry saying "I saw SYN!")


Marcus, are you referring to DPI or proxies or both or something else
entirely?

If the firewall doesn't understand the data it's passing,
it's not a firewall, it's a hub.


If an application emulates HTTPS traffic and is proxy aware, how do you
tell
the difference?


There are firewalls on the market that can decrypt HTTPS traffic (and I
believe be configured to block any traffic that they can't decrypt)

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information..
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action
concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Firewall best practices, (continued)
- - - Re: Firewall best practices Marcus J. Ranum (Apr 27)
    - Re: Firewall best practices Paul D. Robertson (Apr 27)
    - Re: Firewall best practices ArkanoiD (Apr 30)
    - Re: Firewall best practices Andre Lima (Apr 30)
    - Re: Firewall best practices Dave Piscitello (Apr 28)
    - Re: Firewall best practices ArkanoiD (Apr 28)
    - Re: Firewall best practices Nate Itkin (Apr 27)
    - Re: Firewall best practices Dave Piscitello (Apr 27)
    - Re: Firewall best practices Carson Gaspar (Apr 27)
    - Re: Firewall best practices Fetch, Brandon (Apr 27)
    - Re: Firewall best practices lordchariot (Apr 28)
    - Re: Firewall best practices Bruce B. Platt (Apr 30)
    - Re: Firewall best practices Cian Brennan (Apr 28)
    - Re: Firewall best practices Fetch, Brandon (Apr 28)
    - Re: Firewall best practices Mathew Want (Apr 30)
    - Re: Firewall best practices ArkanoiD (Apr 30)
    - Re: Firewall best practices Marcus J. Ranum (Apr 30)
    - Re: Firewall best practices ArkanoiD (Apr 27)
    - Re: Firewall best practices Dave Piscitello (Apr 22)
  - Re: Firewall best practices Marcus J. Ranum (Apr 14)
  - Re: Firewall best practices MILAN, SANDY (ATTSI) (Apr 14)

(Thread continues...)