Firewall Wizards mailing list archives
Re: Firewall best practices
From: david () lang hm
Date: Sun, 9 May 2010 12:44:27 -0700 (PDT)
The firewall needs to know the cert at one end of the connection (it can be either end, so if it knows the client cert you are using it will work as well)
In some cases the firewall makes up a cert on the fly, with the browser set to trust any cert the firewall signs, and the firewall is a full man-in-the-middle proxy.
In other cases the firewall works on a copy of the traffic and decrypts it with the known certs (there are some PKI modes this will not work on)
David Lang On Tue, 27 Apr 2010, John Morrison wrote:
My understanding of https (and other PKI-based encryption) is that only the holder of the private key can decrypt the data encrypted with the other (public) key in the pair. My view is that the firewall can only decrypt and inspect https traffic if it is acting as the server to the external client. It can't intercept and decrypt https traffic destined for another device - the real server. If it did https would be worthless. Any hacker could buy such a firewall to sniff and decrypt all https traffic. On 23 April 2010 20:18, <david () lang hm> wrote:On Fri, 23 Apr 2010, Martin Barry wrote:$quoted_author = "Marcus J. Ranum" ;That's why firewalls need to go back to doing what they originally did, and parsing/analyzying the traffic that flows through them, rather than "stateful packet inspection" (which, as far as I can tell, means that there's a state-table entry saying "I saw SYN!")Marcus, are you referring to DPI or proxies or both or something else entirely?If the firewall doesn't understand the data it's passing, it's not a firewall, it's a hub.If an application emulates HTTPS traffic and is proxy aware, how do you tell the difference?There are firewalls on the market that can decrypt HTTPS traffic (and I believe be configured to block any traffic that they can't decrypt) David Lang _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewall best practices miedaner (May 01)
- <Possible follow-ups>
- Re: Firewall best practices david (May 10)
- Re: Firewall best practices david (May 14)
- Re: Firewall best practices ArkanoiD (May 17)
- Re: Firewall best practices david (May 14)