Re: [fw-wiz] httport 3snf

From: Christopher Hicks (chicks@chicks.net)
Date: 10/21/02


From: Christopher Hicks <chicks@chicks.net>
To: firewall-wizards@nfr.com
Date: Mon Oct 21 17:09:18 2002

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> Are there application layer routers that can deny all SSL except for MAC
> addresses or IPs on an approved ACL? I know this could be a nightmare to
> enforce, but I think we may be getting to the point where networks only
> approve certain IP addresses for SSL/connect??.

It's a never-ending game. Even if you could detect SSL (which would
require a load of CPU), there's no reason someone can't switch to a
different method of encryption. Let me give you two examples. We have a
couple of friends that work for large stupid companies that would rather
those large stupid IT people not watch their personal e-mail and browsing
activities. Since these folks are carrying in their own personal linux
laptops I don't feel terribly immoral about helping them with this. (I'm sort
of fond of privacy myself.) Anyway, neither of the folks I have in mind
uses SSL to do what they're doing. It's not a matter of avoiding SSL
either, it's just a matter of their individual geek preferences.
Individual A ** uses ssh and is quite happy with pine and lynx and doesn't
want to configure anything. ssh doesn't use SSL and your imagined SSL
blocker would have no effect on them. You can use AIM knock-offs through
linux too if you like. Individual B wants all the GUI garbage and is
happy to configure things to get that and Mr. B uses a VPN client to
connect to a VPN server we have. Again, SSL isn't involved, but it is
encrypted. So, I don't think your imaginary SSL blocker would have the
hoped-for result.

** I feel like Henry Blake lecturing. Eeeee gads!

Someone else suggested becoming authoritative for the big IM domains
(aol.com, etc.). This won't help you unless they're using your DNS servers
and even if you hose your own DNS servers so things won't work there's
nothing to stop the miscreants from using other DNS servers, through a
tunnel if necessary.

You may want to block all traffic that doesn't go through your proxy
server or SOCKS. You can set those up to require authentication and track
who is doing what. I've been stuck at a few Fortune 500 corporate offices
that functioned that way.

-- 
</chris>
Recently, I was asked if I was going to fire an employee who made a
mistake that cost the company $600,000. No, I replied, I just spent
$600,000 training him. Why would I want somebody to hire his experience?
		-Thomas J. Watson, industrialist (1874-1956)
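The two controls discussed in this reply, a protocol-keyed "SSL blocker" with an approved-source ACL versus a proxy-only egress policy, can be compared on sample flows. The block below is an added illustration written for this archive page, not code from the thread or from any product the posters mention. It classifies the first bytes of a TCP stream (TLS ClientHello, SSLv2 ClientHello, SSH banner, HTTP CONNECT, plain HTTP, or unknown) and then applies both policies; all addresses, the ACL, the proxy address and the packet bytes are constructed for the example.

```python
"""Added example: first-bytes protocol classifier plus two egress policies.

Shows why a blocker keyed on recognising SSL/TLS only sees TLS: an SSH
session or an opaque VPN stream is never matched, while a policy that
permits only traffic to the authenticating proxy catches everything that
does not go through it. Every address and payload here is constructed.
"""

# Constructed policy data (not from the thread).
APPROVED_TLS_SOURCES = {"10.0.0.5", "10.0.0.9"}   # hosts allowed to speak TLS directly
PROXY_ADDR = ("10.0.0.2", 3128)                    # the authenticating proxy/SOCKS gateway


def classify_first_bytes(payload: bytes) -> str:
    """Identify a protocol from the client's first bytes on the connection."""
    # TLS record: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    # then a handshake message whose first byte is 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-clienthello"
    # SSLv2-style ClientHello: high bit set on the first length byte, then
    # a 2-byte length, then message type 0x01.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return "sslv2-clienthello"
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh-banner"
    if payload.startswith(b"CONNECT ") and b" HTTP/1." in payload[:64]:
        return "http-connect"
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http-plain"
    return "unknown"


def egress_decision(src_ip, dst_ip, dst_port, payload, proxy_only=False):
    """Return (protocol, allowed) for one outbound flow under the chosen policy."""
    proto = classify_first_bytes(payload)
    if proxy_only:
        # Proxy-only policy: the only permitted destination is the gateway,
        # regardless of what protocol the client is speaking.
        return proto, (dst_ip, dst_port) == PROXY_ADDR
    # Naive "SSL blocker": deny recognised TLS unless the source is on the ACL;
    # anything it cannot recognise as SSL/TLS passes untouched.
    if proto in ("tls-clienthello", "sslv2-clienthello"):
        return proto, src_ip in APPROVED_TLS_SOURCES
    return proto, True


# Constructed sample flows: (src_ip, dst_ip, dst_port, first bytes sent).
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 443, b"\x16\x03\x01\x00\xfc\x01\x00\x00\xf8\x03\x03"),
    ("10.0.0.7", "198.51.100.10", 443, b"\x16\x03\x01\x00\xfc\x01\x00\x00\xf8\x03\x03"),
    ("10.0.0.7", "203.0.113.22", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    ("10.0.0.7", "203.0.113.40", 1194, bytes(range(16))),   # opaque VPN-style bytes
    ("10.0.0.7", "10.0.0.2", 3128, b"CONNECT mail.example.com:443 HTTP/1.1\r\n"),
]


def run(proxy_only=False):
    """Evaluate every sample flow; returns (src, dst, port, protocol, allowed) rows."""
    return [(src, dst, port, *egress_decision(src, dst, port, payload, proxy_only))
            for src, dst, port, payload in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, rows in (("naive SSL blocker", run()), ("proxy-only", run(proxy_only=True))):
        print(f"--- {label} ---")
        for src, dst, port, proto, allowed in rows:
            print(f"{src} -> {dst}:{port:<5} {proto:<18} {'ALLOW' if allowed else 'DENY'}")
```

Under the naive policy only the second flow (TLS from a host not on the ACL) is denied; the SSH session and the opaque stream are waved through because the classifier has nothing to match them against. Under the proxy-only policy only the CONNECT to the gateway is allowed, which is the control the reply recommends: it does not depend on recognising any particular encryption, and the proxy's own authentication log records who opened each tunnel.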

