Re: [fw-wiz] RE: In defense of non standard ports

---

• From: James <jimbob.coffey@xxxxxxxxx>
• Date: Tue, 24 Jan 2006 23:08:53 +1100

---

> As a postscript, when I managed a corporate firewall, I found that a number of
> sites and applications were trying to pass arbitrary traffic through HTTPS by
> just believing that it would not be examined by an application proxy more than
> checking the headers. Our particular firewall (Symantec SEF) actually had an
> HTTPS proxy and complained that the handshake was not correct and refused it.

I would have thought stunnel would make light work of SEF.
How does the ssl proxying work ? Isn't the whole point of ssl that the
session is encrypted end to end. Does SEF do some kind of CA trickery ?

On this point of ssl tunneled connections how do the list members deal
with it ? Just about any home user can get a piece of web estate and a domain
name these days so how do you stop users using ssl tunnels to access resources
denied by your policy ?

Some ideas I have heard are traffic analysis, HIDS (which could flag
the presence of
stunnel, a connection to a listening port on localhost or even detect
the protocol before
it enters the tunnel) and even plain old enumerating goodness (ie you
can go to urls' we want you to and everything else is denied) The
problem with enumerating goodness
is it creates a lot of work for the admin.

So what do you do to stop mischievous users ?
--
James
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

---

• Follow-Ups:
  • RE: [fw-wiz] RE: In defense of non standard ports
    • From: Bill Royds
  • Re: [fw-wiz] RE: In defense of non standard ports
    • From: ArkanoiD

• References:
  • [fw-wiz] RE: In defense of non standard ports
    • From: Behm, Jeffrey L.
  • RE: [fw-wiz] RE: In defense of non standard ports
    • From: Bill Royds

• Prev by Date: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
• Next by Date: RE: [fw-wiz] Questions about converting FW-1 ruleset to PIX - sor t of...
• Previous by thread: Re: [fw-wiz] RE: In defense of non standard ports
• Next by thread: Re: [fw-wiz] RE: In defense of non standard ports
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Symantec Enterprise Firewall 7.0 ... Although the price of the SEF firewall may seem a bit steep, ... I manage several Raptor firewalls and have ... (comp.security.firewalls) Re: Web server behind Symantec Enterprise Firewall ... finally i solve the problem with a persistent route at ... the sef Host... ... external nics of the firewall... ... > create a address translation for inbound traffic so that the web server ... (comp.security.firewalls) Re: Symantec Enterprise Firewall (Axent) with ADSL ... > Will say I have the firewall with the internal and external NIC and the ... you use a Linux box as a NAT and router why not just use a Linux based ... you would be replacing many of the basic features of SEF. ... (comp.security.firewalls)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Firewall-Wizards  > 2006-01