[fw-wiz] HTTPS proxy solutions

From: Sigurd Urdahl (sigurdur_at_linpro.no)
Date: 03/05/04

  • Next message: Tony Miedaner: "RE: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control"
    To: firewall-wizards@honor.icsalabs.com
    Date: 05 Mar 2004 20:20:21 +0100
    
    

    Hi all,

    does anyone know of commercially or freely available https proxies
    that terminate the SSL traffic, thus allowing for content scanning of
    the traffic?

    I'm aware that such a solution needs to generate certificates that the
    clients accept.

    What I'm thinking of is a proxy that gathers information about name
    resolution done by clients and uses that to generate an SSL certificate
    for each connection.

    E.g. if the proxy gets a connection from IP a.b.c.d from host w.x.y.z
    and, by some kind of magical glue, can figure out that host w.x.y.z
    recently was given the information that host www.foo.com is at
    a.b.c.d, it can also give the client a certificate for www.foo.com.

    The connection can then quite easily be scanned and proxied to
    www.foo.com.

    As long as the issuing CA is trusted by the clients (which should be
    quite easy to implement), the proxy should be transparent to the
    end-users.

    So does anyone know of solutions either technically or functionally
    equivalent to this?

    Or have I just overlooked something obvious and presented another
    fundamentally flawed idea for a HTTPS proxy? (I hope not:-)

    kind regards,

    -sig

    -- 
    Sigurd Urdahl                           sigurdur@linpro.no
    Systemkonsulent og sånt        Systems consultant and such
    Linpro A/S                           http://www.linpro.no/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
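
Added example, not part of the original message and not taken from any product: the name-resolution correlation the message calls "magical glue", written in Python to show where it gives one certificate name and where it cannot. The class and function names, the client addresses, the documentation-range server addresses and the names other than www.foo.com are assumptions constructed for illustration.

```python
from collections import defaultdict

class DnsObservationCache:
    """Names each client was recently told resolve to each server IP."""

    def __init__(self, max_age=300):
        self.max_age = max_age          # cap on how long an answer is trusted
        self._seen = defaultdict(dict)  # (client, server_ip) -> {name: expiry}

    def record_answer(self, client_ip, name, server_ip, ttl, now):
        expiry = now + min(ttl, self.max_age)
        self._seen[(client_ip, server_ip)][name.lower().rstrip(".")] = expiry

    def candidates(self, client_ip, server_ip, now):
        names = self._seen.get((client_ip, server_ip), {})
        return sorted(n for n, exp in names.items() if exp > now)


def certificate_decision(cache, client_ip, server_ip, now):
    """Decide which name, if any, the proxy could put in a generated certificate."""
    names = cache.candidates(client_ip, server_ip, now)
    if len(names) == 1:
        return "issue", names
    if not names:
        return "unknown", names    # no fresh lookup seen: cached or literal address
    return "ambiguous", names      # several names share the address


def demo():
    cache = DnsObservationCache()
    # Constructed DNS answers: (time, client, name, address, ttl in seconds)
    for t, client, name, addr, ttl in [
        (0, "10.0.0.5", "www.foo.com", "192.0.2.10", 60),
        (5, "10.0.0.5", "shop.example", "198.51.100.7", 60),
        (6, "10.0.0.5", "mail.example", "198.51.100.7", 60),
    ]:
        cache.record_answer(client, name, addr, ttl, now=t)
    return [
        certificate_decision(cache, "10.0.0.5", "192.0.2.10", now=10),    # one name
        certificate_decision(cache, "10.0.0.5", "198.51.100.7", now=10),  # shared IP
        certificate_decision(cache, "10.0.0.5", "192.0.2.10", now=120),   # answer expired
        certificate_decision(cache, "10.0.0.9", "192.0.2.10", now=10),    # other client
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The "ambiguous" and "unknown" results are the cases where this correlation alone cannot tell the proxy which name to certify.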
    
