At 11:34 AM 9/27/2001, Walker Andrew wrote:
>I recently received a request from a user wanting to do his private banking
>via an SSL connection negotiated from his client laptop (company issue,
>connected to the internal LAN) to his bank's server through the corporate
>firewall.
In other words, the current site policy does *not* allow outbound SSL traffic.
SSL traffic poses a dilemma in environments that try to monitor Web
traffic. Of course, firewalls can't usually scan SSL-protected traffic
since the encryption is terminated at the client's host and the firewall
doesn't have any of the relevant keying material. Thus, users could use SSL
to bypass any content filtering that's done by the firewall.
Now, if the firewall doesn't actually do Web content filtering, like URL
classification and blocking, then it probably doesn't matter to the site
security policy implementation whether you block SSL or not.
On the other hand, many people here *must* use SSL as part of their work.
Certain sensitive, distributed projects store data on a Web server and use
SSL to protect project documents whenever a participant needs to retrieve
one across the public Internet. In such a case the site policy must choose
between the perceived benefits of filtering the contents of Web
transactions (if the site actually does such things) and the tangible
benefits of participating in the project.
Moreover, your site probably can't even order office supplies over the 'Net
if users can't open SSL connections to, say, the OfficeMax Web site.
Rick.
smith_at_securecomputing.com roseville, minnesota
"Authentication" coming in October http://www.visi.com/crypto/
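The point Rick makes above (the firewall holds no keying material, so it sees only handshake metadata and opaque ciphertext) can be shown concretely. The following is an added example, not code from this thread or from Secure Computing: it builds a minimal TLS 1.2 ClientHello by hand, parses it the way a key-less middlebox could, and applies a destination allowlist in place of a blanket SSL block. It assumes the Server Name Indication extension (RFC 3546, which postdates this 2001 exchange); the hostnames are hypothetical and the records are constructed inline.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one SNI extension."""
    host_b = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host_b)) + host_b        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (
        b"\x03\x03"                       # client_version TLS 1.2
        + b"\x00" * 32                    # random (constructed, all zero)
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\x00\x2f"             # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(handshake: bytes):
    """Walk a ClientHello handshake message and return the server_name, or None."""
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + handshake[pos]             # session_id
    cs_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2 + cs_len                     # cipher_suites
    pos += 1 + handshake[pos]             # compression_methods
    if pos + 2 > len(handshake):
        return None                       # no extensions block (older clients)
    ext_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", handshake[pos:pos + 4])
        edata = handshake[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000 and len(edata) >= 5:
            # server_name_list: 2-byte list length, then 1-byte name_type,
            # 2-byte name length, name bytes
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None

def inspect_record(record: bytes) -> dict:
    """Return everything a middlebox without the session keys can learn from one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    info = {"content_type": ctype, "record_version": (vmaj, vmin), "length": length}
    if ctype == 0x17:
        # Application data: the HTTP request and response live here, encrypted.
        info["note"] = "ciphertext; not inspectable without the session keys"
        return info
    if ctype == 0x16 and payload and payload[0] == 0x01:
        info["handshake"] = "ClientHello"
        info["sni"] = parse_sni(payload)
    return info

def decide_outbound(record: bytes, allowed_hosts) -> str:
    """Allowlist policy: permit SSL only to named business destinations, fail closed otherwise."""
    host = inspect_record(record).get("sni")
    if host is None:
        return "deny"                     # nothing to decide on: no SNI or not a ClientHello
    return "allow" if host.lower() in allowed_hosts else "deny"

if __name__ == "__main__":
    # Hypothetical allowlist standing in for the project server and supplier sites.
    policy = {"projectdocs.example", "supplier.example"}
    for host in ("projectdocs.example", "bank.example"):
        rec = build_client_hello(host)
        print(host, inspect_record(rec)["sni"], decide_outbound(rec, policy))
    app = b"\x17\x03\x03\x00\x10" + b"\x5a" * 16   # constructed application-data record
    print(inspect_record(app))
```

The destination name is the only content-level signal the firewall gets; everything after the handshake is opaque, so a site that must permit SSL for project work can at best narrow it to known hosts, not inspect what passes through.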
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 01 2001