Re: [fw-wiz] Firewall best practices



That is exactly what they do, at least the ones I'm familiar with. The firewall is acting as the server (it's a proxy, anyway): The CSR is generated there, and the cert is installed there. This then allows the firewall to scan the data in the packets as well as header information for RFC compliance, etc. Some firewalls even allow for the re-encryption of the HTTPS traffic back to the web server. We don't need that functionality, and simply send the packets on to the servers as plain text HTTP. If we need to know whether the traffic arrived at the firewall encrypted, then I configure the firewall to use a different port for the traffic to the back end web server.

--------------------
Matthew Harrell
Plex Systems
(248) 391-8000
mhar@xxxxxxxx
________________________________________
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of John Morrison [john.morrison101@xxxxxxxxxxxxxx]
Sent: Tuesday, April 27, 2010 5:45 AM
To: Firewall Wizards Security Mailing List
Cc: mjr@xxxxxxxxx; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

On 23 April 2010 20:18, <david@xxxxxxx> wrote:
On Fri, 23 Apr 2010, Martin Barry wrote:

$quoted_author = "Marcus J. Ranum" ;

That's why firewalls need to go back to doing what they
originally did, and parsing/analyzing the traffic that
flows through them, rather than "stateful packet
inspection" (which, as far as I can tell, means that
there's a state-table entry saying "I saw SYN!")

Marcus, are you referring to DPI or proxies or both or something else
entirely?


If the firewall doesn't understand the data it's passing,
it's not a firewall, it's a hub.

If an application emulates HTTPS traffic and is proxy aware, how do you
tell the difference?

There are firewalls on the market that can decrypt HTTPS traffic (and I
believe be configured to block any traffic that they can't decrypt)

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

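
The TLS-terminating proxy role Matthew Harrell describes at the top of this thread (CSR generated on the firewall, certificate and private key installed there, decrypted traffic forwarded to the back end as plain HTTP on a separate port) is sketched below as an nginx reverse-proxy configuration. This is an added example, not configuration from the original posts or from any firewall vendor; the hostname www.example.com, the backend address 10.0.0.10, the port numbers and the certificate paths are assumptions.

```nginx
# Added example, not from the thread. Hostname, backend address, ports and
# file paths are assumptions chosen for illustration.

# Traffic that arrives at the edge as cleartext HTTP is handed to the
# back end on port 8080, so the back end can tell it was never encrypted.
server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://10.0.0.10:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
    }
}

# HTTPS is terminated here. The private key for www.example.com lives on
# this box, so this proxy is the TLS server the client negotiates with; that
# is what lets it see and inspect the plaintext request. A device on the path
# without that key could not do this.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # signed cert from the CSR made here
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # private key never leaves this host
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Decrypted request goes to the back end as plain HTTP on a different
        # port (8081) than cleartext arrivals use (8080), so the back end can
        # distinguish the two without the proxy re-encrypting anything.
        proxy_pass http://10.0.0.10:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Optional re-encryption toward the back end, the variant the thread
    # mentions. Uncomment and remove the plain-HTTP location above to use it.
    # The proxy verifies the back end's certificate against an internal CA so
    # the inside leg is not a blind TLS connection.
    # location / {
    #     proxy_pass https://10.0.0.10:8443;
    #     proxy_ssl_verify on;
    #     proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
    #     proxy_ssl_server_name on;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Forwarded-Proto https;
    # }
}
```

The port split (8080 for cleartext on arrival, 8081 for requests that arrived over TLS) is the signalling trick from the reply; setting X-Forwarded-Proto is the more usual way to carry the same fact and both are shown. Note that the back end must only trust that header, or that port, when the request can only have come from the proxy, otherwise a client reaching the back end directly could claim it arrived encrypted.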