Security Basics mailing list archives

RE: Checkpoint smart defance as IPS


From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Wed, 9 Jun 2010 07:31:23 +1000

Peter Gutmann has a good and fairly simple explanation of this and the
problems from cross certification. See P18 on.

www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf 

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd



-----Original Message-----
From: Todd Haverkos [mailto:infosec () haverkos com] 
Sent: Wednesday, 9 June 2010 6:41 AM
To: craig.wright () Information-Defense com
Cc: 'Shreyas Zare'; security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

"Craig S. Wright" <craig.wright () Information-Defense com> writes:

I do not memorise software costs. I stated I would obtain them. 

I suggest that you check the Wireshark page. And yes, with the key,
Wireshark does this. With an RA, you have the key. Too simple for you?

I would strongly recommend that you do some reading on some of the topics
you are attempting to argue.

This thread seems to have become Craig vs the world, which is
unfortunate...because Craig seems to be on the correct side of the
tech.

SSL has been broken, and is often implemented in ways that undermine
its efforts at securing the connection.  Craig has also been more
patient than most in trying to make his point clear. Those in a death
match with his point would be well advised to become familiar with
what's been presented at conferences and seen in the wild over the
past 2 years with respect to SSL middling.

And it is also true that there are commercial products that decrypt
SSL inline so that infosec departments can do IDS and DLP or feed ICAP
services even on those web sessions that show employees Super Shiny
Locks (SSL).  One example
http://www.darkreading.com/security/encryption/showArticle.jhtml?articleID=223100989
notably "the SSL Inspector Appliance is fully transparent requiring no
client configuration."

Useful search terms include: 

Moxie Marlinspike SSL
sslstrip 
Dan Kaminsky SSL
Michael Coates ssl 
Mike Zusman SSL 

http://www.cupfighter.net/index.php/2009/08/ssl-beaten-up-at-blackhat-and-defcon/
seems to be one decent summary of the SSL pain of 2009 that
perhaps some readers of this thread aren't aware of.   

About a month or so ago, Michael Coates gave a good presentation here
in Chicago on implementation issues with SSL that's also worth a look,
also mentioned in some OWASP podcasts if memory serves:
http://michael-coates.blogspot.com/2010/04/thotcon-slides-ssl-screw-ups.html




--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
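Of the search terms Todd lists, sslstrip is the one with a standard client-side countermeasure: HTTP Strict Transport Security (RFC 6797), which the thread itself does not mention. The downgrade works because a browser's first request to a site often goes out over plain HTTP and an on-path box can keep it there; an HSTS policy, once learned over TLS, makes the client rewrite later http:// navigations to https:// before anything leaves the machine. The following is an added example (not code from the thread or from any product named in it) implementing that policy store: header parsing, the rule that policies seen over plain HTTP are ignored, subdomain matching, expiry, and the URL upgrade. All host names and header values are constructed for illustration.

```python
"""Minimal HSTS (RFC 6797) policy store, the browser-side mitigation for the
SSL-stripping downgrade discussed in the thread.

Added example, not code from the original thread. Host names and header
values in the tests are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (max-age missing or non-numeric), in which case the whole
    header must be ignored rather than partially applied.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known-HSTS-host list: host -> (expiry_timestamp, include_subdomains)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._known = {}

    def observe(self, host, header_value, over_tls, now=None):
        """Record a policy from a response. Headers received over plain HTTP
        are discarded, so an on-path attacker can neither plant nor clear a
        policy. Returns True when the store was updated."""
        if not over_tls:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._known.pop(host, None)  # max-age=0 withdraws the policy
            return True
        now = self._clock() if now is None else now
        self._known[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy."""
        now = self._clock() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL to https:// when the host is a known HSTS
        host; this is the step that defeats the stripping downgrade."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]  # explicit port 80 becomes the https default
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store only ever learns a policy from a response that actually arrived over TLS; that single check is what keeps an interposed HTTP response from weakening the client, and it is the part most worth verifying in any real implementation.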



