Re: [fw-wiz] The Outgoing Traffic Problem --
- From: damnliberals@xxxxxxxxx
- Date: Wed, 19 Jul 2006 03:36:46 +0300
On 7/12/06, Marcus J. Ranum <mjr@xxxxxxxxx> wrote:
<..>
As far as I can see, the endgame is going to be one of two<..>
things.
- Organizations are going to try to add signature-style
controls to SSL transactions and are going to rely on "man
in the middle" style interception tricks and (call 'em what
you want) signatures to detect malicious traffic
- Organizations are going to have to positively identify
sites with which it is necessary/appropriate to do SSL
transactions
I don't see a lot of future in EITHER of those options. The first
one falls apart really fast if anyone ever fixes SSL's certificate
trust model (not highly likely) but since it's signature-based
it'll fail when the hackers add superencryption to their command
streams. The second option would have worked if it had been
One branch of the military that I'm working with across the pond, has
recently moved to option 1, specifically using bluecoat SSL proxies to
scan SSL-encrypted traffic. They are also significantly reducing the
(already limited) sites that can be accessed.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- [fw-wiz] The Outgoing Traffic Problem --
- From: Marcus J. Ranum
- [fw-wiz] The Outgoing Traffic Problem --
- Prev by Date: [fw-wiz] SNMP RW ASA 7.2.1
- Next by Date: Re: [fw-wiz] The Outgoing Traffic Problem
- Previous by thread: Re: [fw-wiz] The Outgoing Traffic Problem --
- Next by thread: [fw-wiz] PIX monitoring and fine tunning question
- Index(es):
Relevant Pages
|
|
