Firewall Wizards
mailing list archives
RE: SSL
From: Illes Marci <illes () c3 hu>
Date: Thu, 18 Oct 2001 21:33:46 +0200 (CEST)
On Wed, 17 Oct 2001, Scott, Richard wrote:
> Reading the archives in this mailing list you can have a sense of what the
> professionals are considering... if you want to do packet inspection on SSL,
> you may need to proxy the SSL data to be able to inspect it.
> BTW - Does anyone have any pointers to be able to do SSL packet inspection on
> the data?
Hi,
I have already written about Zorp (http://www.balabit.hu), which is a
firewall suite that has an SSL proxy, which you can combine with any
other module (http, pop3, imap, etc.). It makes a MITM attack, so it is
pretty hard to do SSL-key based auth. Though it can check the validity of
the certificates, giving the proxy the CAs' certs.
With Zorp you can even do more tricky things:
have a nontransparent http proxy, which handles the CONNECT method correctly,
by calling an SSL proxy, which embeds another HTTP proxy. In this way
no ICQ, or any other unauthorized clients, can get through your
firewall.
--->[HTTP]
        \
         \ CONNECT
          \
           [SSL-PROXY]---->
              |    /|\
             \|/    |
           [HTTP-PROXY]
Getting SSL through your firewall is always a tricky issue, but also SSL
across your firewall is a covert channel, and a potential hole!
I hope I could help you, and feel free to ask me more on Zorp. Sorry for
my bad English.
bye,
Marci
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
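A sketch, added here and not taken from Zorp or from the post above, of the policy that the nontransparent HTTP proxy -> SSL proxy -> HTTP proxy chain enforces: CONNECT is only honoured towards an allowed port, and once the SSL proxy has decrypted the tunnel the embedded HTTP proxy only passes a stream that begins with a valid HTTP request line, so ICQ or any other protocol hidden inside CONNECT is dropped. The allowed port set, the CA bundle path and the sample requests are constructed for the example.

```python
import re
import ssl
from typing import Optional, Tuple

# Policy (constructed): CONNECT only towards port 443, and the decrypted
# tunnel must carry HTTP/1.x; anything else is dropped.
ALLOWED_CONNECT_PORTS = {443}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
_CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")
_REQLINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def parse_connect(request: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a well-formed CONNECT request line, else None."""
    m = _CONNECT_RE.match(request)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return m.group(1).decode("ascii"), port

def inner_stream_is_http(first_bytes: bytes) -> bool:
    """After the SSL proxy has decrypted the tunnel, the embedded HTTP proxy
    only accepts a stream that starts with a valid HTTP request line."""
    m = _REQLINE_RE.match(first_bytes)
    return bool(m) and m.group(1).decode("ascii") in HTTP_METHODS

def handle_connect(request: bytes, decrypted_head: bytes) -> str:
    """Decision for one CONNECT request; decrypted_head is what the SSL
    proxy saw first after terminating the client's TLS session."""
    target = parse_connect(request)
    if target is None:
        return "DENY:malformed-connect"
    if target[1] not in ALLOWED_CONNECT_PORTS:
        return "DENY:port-not-allowed"
    if not inner_stream_is_http(decrypted_head):
        return "DENY:tunnel-not-http"
    return "ALLOW"

def upstream_tls_context(ca_bundle: str) -> ssl.SSLContext:
    """Context the SSL proxy uses towards the real server: the server cert
    is verified against the CA certs given to the proxy (ca_bundle is a
    constructed path). The client-facing side of the MITM is not shown."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```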