RE: [fw-wiz] RE: In defense of non standard ports



The problem was that the application was not negotiating the security context
as SSL states. It was just trying to use HTTP CONNECT to pass arbitrary traffic.
Even though HTTPS is encrypted, there is still a handshake where the server
certificate is authenticated and the session key is generated. The firewall can
ensure that the structure of this exchange is correct, even if it does not
actually see the traffic.


-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of James
Sent: Tuesday, January 24, 2006 7:09 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] RE: In defense of non standard ports

> As a postscript, when I managed a corporate firewall, I found that a number of
> sites and applications were trying to pass arbitrary traffic through HTTPS by
> just believing that it would not be examined by an application proxy more than
> checking the headers. Our particular firewall (Symantec SEF) actually had an
> HTTPS proxy and complained that the handshake was not correct and refused it.

I would have thought stunnel would make light work of SEF.
How does the SSL proxying work? Isn't the whole point of SSL that the
session is encrypted end to end? Does SEF do some kind of CA trickery?

On this point of SSL tunneled connections, how do the list members deal
with it? Just about any home user can get a piece of web estate and a domain
name these days, so how do you stop users using SSL tunnels to access resources
denied by your policy?

Some ideas I have heard are traffic analysis, HIDS (which could flag the
presence of stunnel, a connection to a listening port on localhost, or even
detect the protocol before it enters the tunnel) and even plain old
enumerating goodness (i.e. you can go to the URLs we want you to and everything
else is denied). The problem with enumerating goodness is it creates a lot of
work for the admin.

So what do you do to stop mischievous users?
--
James
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

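A worked example of the structural check the reply describes, added here and not code from either post or from Symantec SEF: it inspects the first bytes a client sends after HTTP CONNECT and accepts only a well-formed SSLv3/TLS ClientHello record, without decrypting anything. The function names are this example's own, the ClientHello bytes are constructed for the test, and it assumes the whole ClientHello sits in one TLS record.

```python
import struct

def check_client_hello(data: bytes) -> tuple:
    """Return (ok, reason) for the first bytes seen inside a CONNECT tunnel.
    Only record and handshake framing is checked; nothing is decrypted."""
    if len(data) < 5:
        return False, "short read: no TLS record header"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:
        return False, f"record type 0x{content_type:02x} is not handshake (0x16)"
    if major != 3:
        return False, f"record version {major}.{minor} is not SSLv3/TLS"
    body = data[5:5 + rec_len]
    if len(body) < 4:
        return False, "handshake header truncated"
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x01:
        return False, f"first handshake message 0x{hs_type:02x} is not ClientHello"
    if hs_len > rec_len - 4:  # assumption: ClientHello is not split across records
        return False, "handshake length exceeds record"
    hello = body[4:4 + hs_len]
    if len(hello) < 35:  # client_version(2) + random(32) + session_id_len(1)
        return False, "ClientHello truncated before session id"
    sid_len = hello[34]
    pos = 35 + sid_len
    if sid_len > 32 or len(hello) < pos + 2:
        return False, "bad session id length"
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len == 0 or cs_len % 2 or len(hello) < pos + cs_len + 1:
        return False, "bad cipher suite vector"
    pos += cs_len
    comp_len = hello[pos]
    if comp_len == 0 or len(hello) < pos + 1 + comp_len:
        return False, "bad compression method vector"
    return True, "well-formed ClientHello"

def build_client_hello(cipher_suites=(0x002F, 0x000A)) -> bytes:
    """Constructed TLS 1.0 ClientHello for testing, not captured traffic."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (struct.pack("!BB", 3, 1) + bytes(32) + b"\x00"   # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 0x16, 3, 1, len(hs)) + hs

if __name__ == "__main__":
    for sample in (build_client_hello(), b"SSH-2.0-OpenSSH_4.2\r\n", b"GET / HTTP/1.0\r\n\r\n"):
        print(sample[:8], check_client_hello(sample))
```

A proxy that only checks the CONNECT headers would pass all three samples; this check rejects the last two because their first bytes are not a handshake record.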