Firewall Wizards mailing list archives

Re: SSL banking connections out of the firm's firewall


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Fri, 28 Sep 2001 16:59:10 -0500

At 11:34 AM 9/27/2001, Walker Andrew wrote:

> I recently received a request from a user wanting to do his private banking
> via an SSL connection negotiated from his client laptop (company issue,
> connected to the internal LAN) to his bank's server through the corporate
> firewall.

In other words, the current site policy does *not* allow outbound SSL traffic.

SSL traffic poses a dilemma in environments that try to monitor Web traffic. Of course, firewalls can't usually scan SSL-protected traffic since the encryption is terminated at the client's host and the firewall doesn't have any of the relevant keying material. Thus, users could use SSL to bypass any content filtering that's done by the firewall.

Now, if the firewall doesn't actually do Web content filtering, like URL classification and blocking, then it probably doesn't matter to the site security policy implementation whether you block SSL or not.

On the other hand, many people here *must* use SSL as part of their work. Certain sensitive, distributed projects store data on a Web server and use SSL to protect project documents whenever a participant needs to retrieve one across the public Internet. In such a case the site policy must choose between the perceived benefits of filtering the contents of Web transactions (if the site actually does such things) and the tangible benefits of participating in the project.

Moreover, your site probably can't even order office supplies over the 'Net if users can't open SSL connections to, say, the OfficeMax Web site.


Rick.
smith () securecomputing com          roseville, minnesota
"Authentication" coming in October http://www.visi.com/crypto/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
