Firewall Wizards: RE: HTTPS proxy solutions

RE: HTTPS proxy solutions

From: <lordchariot_at_earthlink.net>
Date: Sun, 7 Mar 2004 21:58:27 -0500

I've done SSL termination before just by using an Apache web server with
mod_proxy and mod_rewrite.
Apache listens on the exterior (through a firewall), accepts the SSL
connection and forwards the clear text HTTP to another internal server. The
cert resides on the Apache server and handles the encryption.
You can also do a moderate amount of redirection as well. i.e.
https://www.foo.com goes to http://server1/
https://www.foo.com/mail/ -> http://server2/exchange/

There are some commercial products out there too, including features
built-in to a proxy firewall (like CyberGuard) or load balancer (F5
BigIP...newest release I think)

Erik

-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Sigurd
Urdahl
Sent: Friday, March 05, 2004 2:20 PM
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] HTTPS proxy solutions

Hi all,

Does anyone know of commercially or freely available https proxies
that terminate the SSL traffic, thus allowing for content scanning of
the traffic?

I'm aware that such a solution needs to generate certificates that the
clients accept.

What I'm thinking of is a proxy that gathers information about name
resolution done by clients and uses that to generate an SSL certificate
for each connection.

E.g. if the proxy gets a connection from IP a.b.c.d from host w.x.y.z,
and, by some kind of magical glue, can figure out that host w.x.y.z
recently was given the information that host www.foo.com is at
a.b.c.d, it can also give the client a certificate for www.foo.com.

The connection can then quite easily be scanned and proxied to
www.foo.com.

As long as the issuing CA is trusted by the clients (which should be
quite easy to implement), the proxy should be transparent to the
end-users.

So does anyone know of solutions either technically or functionally
equivalent to this?

Or have I just overlooked something obvious and presented another
fundamentally flawed idea for an HTTPS proxy? (I hope not :-)

Kind regards,

-sig

-- 
Sigurd Urdahl                           sigurdur_at_linpro.no
Systemkonsulent og sånt        Systems consultant and such
Linpro A/S                           http://www.linpro.no/
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Mar 08 2004
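As an added illustration of the SSL-termination setup Erik describes above (example configuration written for this page, not the poster's own, in Apache httpd 2.4 syntax): the hostnames server1 and server2 come from his message, while the certificate and key paths are placeholders.

```apache
Listen 80
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule headers_module    modules/mod_headers.so

# Plain-HTTP side: mod_rewrite only redirects clients to the TLS listener.
<VirtualHost *:80>
    ServerName www.foo.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.foo.com/$1 [R=301,L]
</VirtualHost>

# TLS terminates here; the internal servers only ever see clear-text HTTP.
<VirtualHost *:443>
    ServerName www.foo.com

    SSLEngine on
    # Placeholder paths: the certificate and private key live only on this host.
    SSLCertificateFile    /etc/ssl/certs/www.foo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.foo.com.key
    # Accept only current protocol versions on the public side.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Reverse proxy only: never honour forward-proxy (CONNECT / absolute-URI) requests.
    ProxyRequests Off
    ProxyPreserveHost On

    # ProxyPass rules match in order, so the longer prefix goes first.
    # https://www.foo.com/mail/... -> http://server2/exchange/...
    ProxyPass        /mail/ http://server2/exchange/
    ProxyPassReverse /mail/ http://server2/exchange/

    # Everything else -> http://server1/
    ProxyPass        /      http://server1/
    ProxyPassReverse /      http://server1/

    # Tell the backend the client arrived over HTTPS so it builds https:// links.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The clear-text hop between Apache and server1/server2 is where the content inspection the thread asks about can happen, so that internal segment should be firewalled from everything except the proxy.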