Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: SSL

Re: SSL

From: Magosányi Árpád <mag_at_bunuel.tii.matav.hu>
Date: Fri, 19 Oct 2001 10:36:30 +0200

Hi!

A levelezőm azt hiszi, hogy Frederick M Avolio a következőeket írta:
>
> Yes. The firewall cannot examine it because the data is encrypted. SSL

No, it can. Look at Zorp.

A levelezőm azt hiszi, hogy Patrick M. Hausen a következőeket írta:
> From a theoretical point of view:
>
> Most of the time SSL connections are used for server side authentication
> (am I really dealing with Mumbleco Inc.?) and encryption. It's what
> users think of as "secure web browsing". Honestly, we can forget about
> the authentication issues, because most users will click <accept>
> for any certificate they are presented :-/

With Zorp, you can even be smarter than the user. You can
check the certificate, either by public key, signer certificate,
etc.

> That leaves us with encryption, which can easily be dealt with by
> a man-in-the-middle approach which would permit your firewall to read
> everything in the clear and, e.g., check for viruses or other malware.
>
> (Just as an aside, this is what IPSec's AH explicitly forbids - it enforces
> end-to-end security that can't be intercepted - unless someone knows the
> private keys involved)

You can do MIMD with AH as well. It is a matter of key handling and trust
relationship, not plain technology.

>
> Theoretically ...
[]
> Unfortunetaly I'm not aware of any product that actually does this.

Actually Zorp does just this.

A levelezőm azt hiszi, hogy Ames, Neil a következőeket írta:
> I am baffled by how a proxy would handle the SSL exchange. Aside from all
> other issues related to this thread-such as defenses at the client, or the
> break in end-to-end encryption--what is right or wrong with the following?
>
> 1) A user hits an SSL site with a cert (that the user's browser may or may
> not trust, and the firewall's proxy may or may not trust).
> 2) The proxy lets the user determine that the proxy is going to trust the
> cert, according to some policy rule that allows that.
> 3) Proxy manages, somehow, to act as intermediary. (This is what I don't
> get.)
> 4) The proxy sets up the SSL tunnel with the remote site.
> 5) The proxy sets up the SSL tunnel with the users browser.
> 6) The proxy checks everything as it hands pieces of the user-Web site
> exchange, filtering according to policy.
>
> What am I missing, particularly in how steps 3 and 5 would work?

The point is that the proxy uses certs signed by a CA trusted by the user.
In real word, it should be a local CA, and the user should be educated about the
fact that any key and traffic signed by this CA is intercepted and checked.
There are two hard questions:
        -Trust relationship between the user and the local CA. This question
                is out of the domain of technology, but very important.
        -Technical issues related to the process of generating the keys when there are
                multiple server and user keys should be used.

Those problems are solvable in concrete cases, but I don't think that there is a
one-fits-all solution. 

-- 
GNU GPL: csak tiszta forrásból
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 20 2001
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]