Re: [fw-wiz] Using SSL accelerators in firewalls

From: Scott Walker Register (scott.register@us.checkpoint.com)
Date: 07/17/02


From: Scott Walker Register <scott.register@us.checkpoint.com>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Jul 17 10:21:00 2002

It also depends on what you're using your SSL for, and how tightly you can couple
your firewall with your web application. If you're basically building a "clientless" VPN,
then doing SSL decryption on the firewall gives you authentication, content filtering,
per-page access control to your web server, etc. In this scenario, the firewall and the
web server don't have to be very aware of each other. If you can't trust the connection between
your firewall and your web server, you could always re-encrypt - but you probably have some
other issues to deal with. If you're trying to authenticate the user to the web server using
SSL, or do some kind of single-sign-on at the firewall which is passed on to the web server,
then this kind of deployment only makes sense if your firewall and web server can exchange
meaningful information about users and connections. IMHO.
-SwR
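As an added illustration of the second deployment Scott describes (identity established at the terminating device, then handed to the web server, with the hop behind it re-encrypted), and not configuration from anyone in this thread: an nginx reverse-proxy server block in which every hostname, address, path and certificate file is an assumed placeholder.

```nginx
# Added example (not from the thread): TLS terminated on a reverse proxy
# in front of the web server. Every hostname, address, path and
# certificate file below is an assumed placeholder.
server {
    listen 443 ssl;
    server_name www.example.com;                     # placeholder

    ssl_certificate     /etc/ssl/proxy/server.pem;   # placeholder
    ssl_certificate_key /etc/ssl/proxy/server.key;   # placeholder

    # Request a client certificate but still let unauthenticated users
    # reach public pages; the per-location check below decides the rest.
    ssl_client_certificate /etc/ssl/proxy/client-ca.pem;   # placeholder
    ssl_verify_client optional;

    # Requests are cleartext from here on, so this is the point where an
    # IDS or application-layer filter can see them; log the request line.
    access_log /var/log/nginx/decrypted-access.log combined;

    # Identity established on this box is passed to the web server in
    # headers. proxy_set_header replaces any same-named header the
    # client sent, so a user cannot forge the identity seen upstream.
    proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header Host                $host;

    # Re-encrypt towards the web server and verify its certificate, so
    # the segment behind the proxy is not an unencrypted one.
    proxy_ssl_trusted_certificate /etc/ssl/proxy/internal-ca.pem;  # placeholder
    proxy_ssl_verify      on;
    proxy_ssl_server_name on;

    # Per-page access control: only certificate-authenticated users may
    # reach /account/, enforced before the request leaves this box.
    location /account/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass https://10.0.1.10;   # placeholder backend address
    }

    location / {
        proxy_pass https://10.0.1.10;   # placeholder backend address
    }
}
```

The web server must be configured to trust the X-SSL-Client-* headers only from the proxy's address, otherwise the identity exchange Scott refers to is meaningless.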

------------------------
  From: Ryan McBride <mcbride@countersiege.com>
  Subject: Re: [fw-wiz] Using SSL accelerators in firewalls
  Date: Wed, 17 Jul 2002 09:09:37 -0400
  To: firewall-wizards@honor.icsalabs.com

> On Wed, Jul 17, 2002 at 02:18:33PM +1000, Darren Reed wrote:
> >
> > There would seem to be a growing trend in using SSL accelerators not
> > next to the web server but attached to a firewall so that it isn't
> > https traffic that passes through but http.
> >
> > To me this screams out "bad design" as the end-to-end encryption is
> > lost in the process and the security of transactions eroded.
> >
> > What do others think? Is this becoming a "done thing" that is more
> > and more acceptable to corporates or is this just an isolated thing?
>
> I've seen it in several production environments, and I believe it's
> becoming increasingly common.
>
> - It allows you to place a network IDS in a position where you can sniff
> the http traffic and look for application layer attacks.
>
> - It allows you to do load balancing, caching, and application layer
> filtering with an intermediate box or boxes that you couldn't do on a
> raw SSL stream.
>
> Yes, there is the drawback of a potential loss of confidentiality on the
> unencrypted segment, but if the system is carefully architected (network
> segment for this purpose only, good filtering, etc) the risks can be
> minimized. If they compromise your webserver, they can get the traffic
> anyways - in the cases of webserver software with poor security
> engineering, the intermediate box can actually improve security by
> blocking some classes of attacks.
>
> -Ryan
>
> --
> Ryan T. McBride, CISSP - mcbride@countersiege.com
> Countersiege Systems Corporation - http://www.countersiege.com
> PGP key fingerprint = 8BA0 A58C 5038 9157 59C3 F9E6 6DDA 6611 BF4C 776B
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

---------------End of Original Message-----------------

----------------------------------------------------------------
Scott.Register@us.CheckPoint.com || FireWall-1 Product Manager
               Check Point Software Technologies, Inc.
2255 Glades Road / Suite 324A \ Boca Raton, FL 33431
Voice: 561.989.5418 | Fax: 561.997.5421 | 07/17/02 10:11:58
----------------------------------------------------------------


